Personal Details of DoorDash Customers Accessed in Phishing Attack

pcmag.com:

Some DoorDash customers have had their personal details stolen as part of a successful phishing campaign.

The company has confirmed that it recently detected unusual and suspicious activity on the computer network of a third-party vendor it works with. The stolen credentials of an employee at the vendor were used to access some of DoorDash's internal tools, which in turn allowed an unauthorized party to access customer and Dasher personal details(Opens in a new window).

Only a "small percentage of individuals" are thought to be affected, but DoorDash says the names, email addresses, delivery addresses, and partial payment card information (last four digits of a card number) of customers was accessed. No passwords, bank account numbers, full payment card details, social security, or social insurance details were compromised, however. For Dashers, the information accessed was limited to names, phone numbers, and email addresses.

DoorDash says it has already notified affected customers and set up a dedicated call center to answer any questions they may have. The company doesn't believe any of the information has been used for fraud or identity theft, but asks that customers take the usual advice of being cautious when receiving "unsolicited communications" or being asked to click suspicious links.

DoorDash is now working with the third-party vendor to enhance its security system while also talking to a cybersecurity expert for "additional expertise and support." Perhaps DoorDash should insist that all third-party vendors it works with start using security keys to foil phisihing attacks.

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain