DoorDash has confirmed that “a small percentage” of its customers and delivery drivers’ information, including names, email and delivery addresses, phone numbers, and order and partial credit card details, were exposed as part of a broad phishing campaign dubbed Oktapus.
It appear someone was able to phish the login details of a vendor who works with DoorDash; these credentials were then used, or could have been used, by miscreants to access internal personal data on drivers and customers of the food-ordering giant.
“We can confirm the incident is connected to a wider, sophisticated phishing campaign that has targeted several other companies,” a company spokesperson told The Register. “The advanced tactics used in this incident are identical to the tactics used against several other companies.”
As soon as it became aware of the intrusion, DoorDash said it disabled the vendor’s access to its IT environment and “contained the incident.”
“For a smaller set of consumers, basic order information and partial payment card information (the card type and last four digits of the card number) was also accessed,” beyond the basic lifted data, we are told.
Meanwhile, for Dashers — the app’s delivery drivers — stolen information was mostly limited to names, phone numbers and email address. However, “information affected for each impacted individual may vary,” the company said.
The lifted personal information hasn’t been “misused for fraud or identity theft at this time,” DoorDash noted, adding that the miscreants weren’t privy to customers’ or employees “sensitive information.”
“Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers,” it said.
Yesterday, security firm Group-IB released details about an attack that targeted employees of Okta customers to steal their work login credentials and multi-factor authentication (MFA) codes. It named the phishing campaign Oktapus, and said in addition to Twilio, the attackers hit more than 130 other organizations.
The phishing trip, which began in March, snaffled at least 9,930 user credentials and 5,440 multi-factor authentication codes. Criminals then used the stolen info to carry out several supply-chain attacks and access corporate data, emails and internal documents.
DoorDash said it notified affected users and “relevant authorities,” and is working with a “leading cybersecurity firm” to assist in the investigation. It also implemented measures to further protect its systems and improve vendors’ security posture.
When asked about what specific actions it took to boost security, the company declined to comment.
“What we can say is we take the safety of our platform extremely seriously and have already taken immediate action to further safeguard our systems, as well as the systems of our vendors,” a spokesperson said. ®