DoorDash customer info caught up in Oktapus arms

DoorDash has confirmed that “a small percentage” of its customers’ data and employees’ information, including names, email and delivery addresses, phone numbers, and order and partial credit card details, were revealed as part of a broad phishing campaign dubbed Oktapus.

“We can confirm the incident is connected to a wider, sophisticated phishing campaign that has targeted several other companies,” a company spokesperson told The Register. “The advanced tactics used in this incident are identical to the tactics used against several other companies.” 

As soon as it became aware of the attack, DoorDash said it disabled the vendor’s access to its IT environment and “contained the incident.”

“For a smaller set of consumers, basic order information and partial payment card information (the card type and last four digits of the card number) was also accessed,” beyond the basic lifted data, we are told. 

Meanwhile, for Dashers — the delivery drivers — stolen information was mostly limited to names, phone numbers and email addresses. However, “information affected for each impacted individual may vary,” the company said.

The lifted personal information hasn’t been “misused for fraud or identity theft at this time,” DoorDash noted, adding that the miscreants weren’t privy to customers’ or employees’ “sensitive information.”

“Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers,” it said.

Yesterday, security firm Group-IB released details about an attack that targeted employees of Okta customers to steal their work login credentials and multi-factor authentication (MFA) codes. It named the phishing campaign “Oktapus,” and said in addition to Twilio and Cloudflare, the attackers hit more than 130 other organizations.

The phishing trip, which began in March, snaffled 9,931 user credentials and 5,441 multi-factor authentication codes. Criminals then used the stolen info to carry out several supply-chain attacks and access corporate data, emails and internal documents.

DoorDash said it notified affected users and “relevant authorities,” and is working with a “leading cybersecurity firm” to assist in the investigation. It also implemented measures to further protect its systems and improve vendors’ security posture.

When asked about what specific actions it took to boost security, the company declined to comment. 

“What we can say is we take the safety of our platform extremely seriously and have already taken immediate action to further safeguard our systems, as well as the systems of our vendors,” a spokesperson said. ®