DoorDash Hit by Third-Party Vendor Breach Linked To Recent Twilio Attack

DoorDash is the latest victim of hacking group dubbed “0ktapus,” which has stolen 10K employee credentials from about 130 organizations - including Twilio and Signal - this year via phishing attacks.


In DoorDash’s blog post, it states that the attackers obtained credentials from employees of a third-party vendor, which were then used to access DoorDash’s internal tools and systems.

Data accessed includes names, email addresses, delivery addresses and phone numbers of DoorDash customers. Some users also saw payment card information stolen, but not all. For DoorDash drivers, hackers accessed data that “primarily included name and phone number or email address.” Cyber experts weighed in on the attack and provided recommendations for organizations to ensure they don't become a victim of a similar attack.


Tim Prendergrast, CEO, strongDM


“The DoorDash breach, along with those experienced by Twilio, Signal and more, that gave hackers access to customers’ data highlight how crucial strong access management and infrastructure are to maintain strong security. Attackers are relentlessly looking for ways into internal systems because it grants them a VIP pass into databases, and servers and access to everything companies don’t want leaked publicly. Once attackers get those valid credentials, they can wreak havoc internally. The first step here is, rather than point fingers, because in truth this could have happened to anyone, that it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure."


Arti Raman (She/Her), CEO & Founder, Titaniam


“Following the recent Twilio phishing attack, attackers gained access to its systems after tricking and stealing credentials from multiple employees targeted in the phishing incident and then used the stolen credentials to gain unauthorized access to information related to a limited number of Twilio customer accounts, as well a multiple third party associates of Twilio, including most recently, DoorDash. As this incident proved, despite security protocols put in place, information can be accessed using privileged credentials, allowing access to hackers to steal underlying data.


The most effective solution for keeping customer PII safe and minimizing the risk of extortion is data-in-use encryption, also known as encryption-in-use. Encryption-in-use provides enterprises with unmatched immunity to data-focused cyberattacks. Should adversaries gain access to data by any means, data-in-use encryption keeps the sensitive information encrypted and protected even when it is actively being utilized. This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach."


Neil Jones, director of cybersecurity evangelism, Egnyte


"The alleged cyber-attack on delivery application DoorDash reminds us that an organization's cybersecurity is only as strong as the security protection of its third-party vendors. Here, we see how social engineering tactics and suspicious network activity can lead to fraudulent account access and ultimately impact a brand's reputation. The good news is that DoorDash did a lot of the right things here: 1) Detecting the suspicious access quickly, 2) Involving law enforcement agencies on a timely basis, 3) Providing rapid and clear user disclosure, 4) Providing a dedicated call center number for impacted parties and 5) Committing to make potential cybersecurity improvements in the future. For all organizations, general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user's "Business Need to Know" are powerful deterrents to social engineering attacks.” Rajiv Pimplaskar, CEO, Dispersive Holdings, Inc.:

“Secure access across 3rd party partner connections is a significant challenge for most businesses. The growing dependence on public cloud and SaaS as part of the supply chain has drastically eroded control on part of corporate IT. Even most zero trust strategies stop at the network and cannot protect against sophisticated threat actors who are able to identify and intercept sensitive data for replay attacks or future analysis.

IT organizations need to implement enhanced next generation VPN and ZTNA capabilities to protect sensitive 3rd party connections even within potentially hostile or unfriendly access environments to safeguard sensitive corporate users and data from new and emerging threat actors."

Al Martinek, Customer Threat Analyst at Horizon3ai:

"As an internationally operating food delivery service, DoorDash services multiple industries and sectors around the globe. Any breach in data should be considered a serious security concern, even if it was due to weak third-party data protection. While this particular breach exposed customers’, employee and merchant sensitive information, this is not the first time DoorDash has experienced customer data exposure. In 2019, a data breach affected 4.9 million customers to include their delivery workers and merchants. These two data breaches not only speak to the main issue, the potential impact of stolen Personally Identifiable Information (PII) and financial data, but to the fact that every organization needs to be more proactive about their security practices.

As the cyber realm is constantly changing and cyber threat actors (CTAs) continue to hone their skills, protecting data is paramount across all companies, sectors, and industries. In the future, companies (such as DoorDash) need to take proactive steps to ensure the security of their organization and for their customers, employee, and merchants’ data." Jeannie Warner, director of product marketing, Exabeam


"This is a storybook case of the damage credentials in the wrong hands can cause. Compromised credentials are often derived from a URL in a phishing message. A carefully crafted message containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, the cycle of information loss and damage begins. Any company should aim to nip this problem early on by identifying and alerting these malicious links.


There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domains/URL lookups. However, like any signature-based approach, newly-crafted phishing URLs cannot be identified this way. New machine learning approaches can actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries, such as technology and communications providers. Innovative organizations need a modern approach to securing their environments in order to spot these types of attacks quickly. To help achieve this, machine learning-powered SIEM, automated investigation and response tools, and UEBA technology should absolutely be part of their security stack."


###