Food delivery company DoorDash confirmed an "unauthorized party" had accessed personal details of some customers and drivers through a phishing attack on a third-party vendor.
DoorDash said the breach was a result of a "sophisticated" phishing attack on a third-party vendor with access to its system. The unauthorized party used stolen credentials of vendor employees to breach its internal tools, DoorDash said.
Hackers accessed some customers' names, emails, delivery addresses, and phone numbers. The company said that a "smaller subset" of customers were affected by having their order and partial payment information exposed. The unauthorized party also obtained the names, phone numbers or email addresses of some delivery drivers.
DoorDash did not name the compromised vendor but said it quickly disabled the vendor's access to its system after detecting suspicious activity on the vendor's computer network.
"The phishing campaign did not compromise sensitive information and we have no reason to believe that affected personal information has been misused for fraud or identity theft at this time," DoorDash said.
The company said it believed the breach to be connected to a broader phishing campaign that had targeted other companies. Twilio, a digital communications platform, and Cloudflare, a network infrastructure company, were recently hit by similar attacks.
Both are thought to have fallen victim to a coordinated social engineering scheme that had compromised nearly 10,000 accounts across 130 organizations, according to the cybersecurity firm Group-IB.
More from Cybernews:
Subscribe to our newsletter