DoorDash discloses new data breach tied to Twilio
Food delivery firm DoorDash has disclosed a data breach exposing customer and employee data that is
linked to the recent cyberattack on Twilio.
In a security advisory released Thursday afternoon, DoorDash says that a threat actor gained access to the
company's internal tools using stolen credentials from a third-party vendor that had access to their
"DoorDash recently detected unusual and suspicious activity from a third-party vendor's computer
network. In response, we swiftly disabled the vendor's access to our system and contained the incident,"
explains the DoorDash security notice.
The hacker used this access to DoorDash's internal tools to access data for both consumers and
The exposed information includes the names, email addresses, delivery addresses, and phone numbers of
consumers. In addition, for a small subset of customers, the hackers accessed basic order information and
partial credit card information, including the card type and the last four digits of the card number.
For employees of the company, known as Dashers, the hackers may have accessed names, phone
numbers, and email addresses.
While DoorDash does not mention the name of the third-party vendor, the food delivery company told
TechCrunch that the breach is linked to the same threat actors as the recent cyberattack on Twilio.
DoorDash previously suffered a data breach in 2019 that exposed the data of nearly 5 million customers.
Part of a larger 'Oktapus' phishing campaign
Earlier this month, Twilio disclosed that they were breached after multiple employees fell for an SMS
phishing attack that allowed threat actors to access internal systems.
Using this access, the threat actors could access the data of 163 Twilio customers and use that data in
further supply-chain attacks.
"To date, our investigation has identified 163 Twilio customers - out of a total customer base of over
270,000 - whose data was accessed without authorization for a limited period of time, and we have
notified all of them," explains an updated Twilio security advisory.
The fallout from this attack is just being realized, with Twilio disclosing this week that the hackers were also
able to access 93 Authy 2FA accounts as part of the breach.
Signal also disclosed that the breach allowed hackers to access the phone numbers of 1,900 users, with
some accounts reregistered to new devices.
However, the attack on Twilio is part of a much larger phishing campaign dubbed 'Oktapus' after the threat
actor's targeting of Okta identity management login credentials.
The campaign was discovered by cybersecurity firm Group-IB, which said that the threat actors breached
over 130 organizations worldwide using an SMS phishing campaign.
These SMS phishing texts utilized phishing domains containing the keywords "OKTA," "HELP," "VPN,"
and "SSO" and told targets to click on a link to update their password or access other information.
These attacks were very successful, leading to reported data breaches at MailChimp and Klaviyo and
an attempted breach of Cloudflare.
Other companies targeted in the attack include Coinbase, KuCoin, Binance, Microsoft, Telus, Verizon
Wireless, T-Mobile, AT&T, Sprint, Rogers, Mailgun, Slack, Box, SendGrid, Yahoo, Sykes, BestBuy, and
However, none of these other companies have disclosed whether the attacks were successful.
8/26/22 update: Story updated to clarify that the DoorDash breach was conducted by the same hackers as
Twilio but not through Twilio