Cyber Incident Victim: DoorDash
Date: Aug 2022
Location: United States of America
Summary
A threat actor breached DoorDash's systems by compromising a third-party vendor's credentials, gaining access to internal tools and exposing customer and employee data. The compromised information included names, email addresses, delivery addresses, and phone numbers for consumers, with a subset also having basic order details and partial payment card data exposed. Employee records accessed contained names, phone numbers, and email addresses. The incident was linked to a broader phishing campaign targeting authentication platforms, which impacted multiple organizations through SMS-based credential theft. This marked the company's second significant security incident following a prior breach.
Description
On August 25, 2022, DoorDash detected unusual activity originating from a third-party vendor’s network, leading to the discovery of a data breach. The threat actor leveraged stolen credentials from this vendor to infiltrate DoorDash’s internal systems, gaining unauthorized access to consumer and employee data. DoorDash responded by immediately disabling the vendor’s access to its systems and initiating containment measures. Exposed consumer data included names, email addresses, delivery addresses, and phone numbers. For a limited subset of customers, the breach also compromised basic order details and partial payment card information—specifically card types and the last four digits of card numbers. Employee data, specifically for Dashers, encompassed names, phone numbers, and email addresses. DoorDash did not publicly identify the third-party vendor but confirmed the incident was linked to the same attackers responsible for the contemporaneous Twilio breach.

The breach formed part of a broader phishing campaign, dubbed “Oktapus” by researchers, which targeted Okta identity management credentials via SMS phishing domains impersonating legitimate services. Cybersecurity firm Group-IB attributed over 130 global breaches to this campaign, which utilized deceptive links containing keywords like “OKTA,” “HELP,” “VPN,” and “SSO.” The Twilio compromise, directly connected to DoorDash’s breach, also enabled attackers to access 93 Authy two-factor authentication accounts and infiltrate Signal, exposing 1,900 users’ phone numbers and facilitating unauthorized account re-registrations. DoorDash’s incident marked its second significant breach since 2019, when approximately five million customers’ data was compromised. The company’s disclosure emphasized containment but did not specify the number of affected individuals or elaborate on post-incident forensic findings.
