Twilio hackers also breached the food delivery firm DoorDash

Twilio hackers also compromised the food delivery firm DoorDash, the attackers had access to company data, including customer and employee info.

On-demand food delivery service DoorDash disclosed a data breach, the threat actors behind the Twilio hack gained access to the company’s data.

DoorDash declared that malicious hackers stole credentials from employees of a third-party vendor, then used them to gain access to some of DoorDash’s internal tools. Then the attackers leveraged the internal tools’ access to data for both consumers and employees.

“DoorDash recently detected unusual and suspicious activity from a third-party vendor’s computer network. In response, we swiftly disabled the vendor’s access to our system and contained the incident.” reads a security notice published by the company. “Based on our investigation, we determined the vendor was compromised by a sophisticated phishing attack. The unauthorized party used the stolen credentials of vendor employees to gain access to some of our internal tools.”

DoorDash did not name the third-party vendor, but the company spokesperson Justin Crowley told to TechCrunch that the vendor breach is linked to the Twilio hack that took place on August 4.

The exposed consumers’ data includes names, email addresses, delivery addresses, and phone numbers. The notice states that for a small subset of customers, the threat actors accessed basic order information and partial credit card information, including the card type and the last four digits of the card number.

For employees, the information accessed by the attackers included names and phone numbers or email addresses, however, the information affected for each impacted individual may vary.

The threat actors behind the attacks on Twilio and Cloudflare have been linked to a large-scale phishing campaign that targeted 136 organizations, security firm Group-IB reported. Most of the victims are organizations providing IT, software development, and cloud services.

The campaign, codenamed 0ktapus, resulted in the compromise of 9,931 accounts, 3120 compromised user credentials with email.

Threat actors behind the 0ktapus campaign aimed at obtaining Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. Then the attackers could gain unauthorized access to any enterprise resources by using this information.

In September 2019, DoorDash suffered another data breach that exposed the personal information of 4.9 million consumers, Dashers, and merchants.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Twilio)

[adrotate banner=”5″]

[adrotate banner=”13″]