DoorDash says it experienced “unusual and suspicious activity” on the computer network of a third-party vendor that was the victim of a sophisticated phishing campaign.
The attacker used the stolen credentials of a vendor employee to gain access to some of their internal tools that had access to DoorDash employee and customer data.
The compromised data included name, email address, delivery address and phone number for consumers. For a small set of consumers, basic order information and partial payment card information, including the card type and last four digits of the card number, were also accessed.
For employees of DoorDash, the compromised information includes name and phone number or email address. However, the company says no passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers were compromised in the attack.
In its notification, the company says it is working with an unnamed cybersecurity firm to assist with its ongoing investigation, and that it is notifying relevant data protection authorities and the affected individuals whose information DoorDash maintains.