A DoorDash spokesman said the attack is linked to a Twilio Inc. breach earlier this month that compromised employee and customer information.

Ecommerce delivery service DoorDash Inc. said hackers who breached the computer system of a vendor exposed customer data, including phone numbers, email and delivery addresses.

The hackers got access to some of DoorDash’s internal tools by using a phishing attack on a third-party vendor that exposed employee credentials, the company said Thursday in a blog post. But DoorDash said it “swiftly disabled” the vendor’s access to its systems. It didn’t name the vendor.

The DoorDash blog post said: “Importantly, the phishing campaign did not compromise sensitive information, and we have no reason to believe that affected personal information has been misused for fraud or identity theft at this time.”

A DoorDash spokesman linked the attack to a Twilio Inc. breach earlier this month. The Twilio breach exposed employee and customer information after outsiders duped Twilio employees into handing over passwords. Twilio provides business-to-consumer messaging and digital authentication services among its products.

DoorDash says it will notify affected customers and relevant data protection authorities, where required.

Delivery drivers also exposed

DoorDash said hackers got customer information such as names, emails, delivery addresses and phone numbers. The hackers accessed basic order information and partial payment card information for “a smaller set of consumers.” San Francisco-based DoorDash added that “based on our investigation to date,” the breach didn’t include passwords or full credit card, bank account or Social Security numbers.

Also exposed were names, phone numbers, or email addresses for DoorDash’s delivery drivers, or Dashers.

“This is a storybook case of the damage credentials in the wrong hands can cause,” says Jeannie Warner, director of product marketing at Exabeam Inc., an online security firm.

Warner says online criminals can often capture credentials from a link in a phishing message.

“A carefully crafted message containing the malicious link is sent to an unsuspecting employee,” she says. “As soon as it’s clicked, the cycle of information loss and damage begins.”

Part of a ‘wider phishing campaign’

“The advanced tactics used appear to be connected to a wider phishing campaign that has targeted a number of other companies,” DoorDash said in the blog post. “We understand that law enforcement is aware of this campaign and is actively investigating.”

In addition to working with authorities, DoorDash said it retained a “leading cybersecurity firm” to assist with investigating the attack.

Warner at Exabeam says many data providers offer blacklisting services or databases for potential phishing domains/URL lookups. But it’s harder to identify newly crafted phishing URLs. She says identifying such URLs requires sophisticated machine-learning technology.
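Warner’s point above, that a blocklist lookup catches known phishing domains but not newly crafted ones, can be illustrated with the following added Python triage script. It is not from the article, from Exabeam or from DoorDash; it extracts links from a message, checks each host against a blocklist, and then applies a cheap lookalike heuristic (a protected brand string embedded in a foreign domain, or a small edit distance to a protected domain) that flags some of what a blocklist misses. The blocklist, the protected domains and the sample message are all constructed sample data using the reserved `.example` top-level domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample data (not from the article): a tiny blocklist of known
# phishing hosts and the domains an organisation wants to protect from lookalikes.
BLOCKLIST = {"known-bad.example", "phish-portal.example"}
PROTECTED_DOMAINS = {"acme-corp.example"}

# Constructed sample phishing-style message containing two links.
SAMPLE_MESSAGE = (
    "Your password expires today. Reset it at https://acme-c0rp.example/reset "
    "or read the notice at https://news.unrelated.example/story"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the http(s) links found in a message, minus trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def hostname(url):
    """Lower-cased host of a URL, or '' when the string does not parse as one."""
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def registrable(host):
    """Last two labels of the host (simplistic; real code should use the Public Suffix List)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a, b):
    """Edit distance between two strings, used to spot typosquats such as c0rp vs corp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, blocklist=BLOCKLIST, protected=PROTECTED_DOMAINS):
    """Classify one link as invalid, blocklisted, trusted, lookalike or unknown."""
    host = hostname(url)
    if not host:
        return "invalid"
    reg = registrable(host)
    # Step 1: the blocklist lookup Warner describes; catches known phishing hosts only.
    if host in blocklist or reg in blocklist:
        return "blocklisted"
    # Step 2: lookalike heuristics for newly crafted domains the blocklist has not seen.
    for p in protected:
        if reg == p:
            return "trusted"          # genuine domain or one of its subdomains
        if p in host:
            return "lookalike"        # brand name parked inside a foreign domain
        if levenshtein(reg, p) <= 2:
            return "lookalike"        # typosquat / homoglyph (threshold is a judgement call)
    return "unknown"


def triage_message(text):
    """Map every link in a message to its classification."""
    return {url: classify_url(url) for url in extract_urls(text)}


if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_MESSAGE).items():
        print(f"{verdict:12s} {url}")
```

Running it on the sample message marks `acme-c0rp.example` as a lookalike even though it is on no blocklist, and leaves the unrelated news link as unknown rather than blocked. The heuristics are deliberately simple: a production filter would use the Public Suffix List for the registrable domain, handle Unicode confusables, and feed features like these into the machine-learning classifiers Warner refers to.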

Tim Prendergrast, CEO of security-auditing software vendor strongDM, says the DoorDash breach “could have happened to anyone.” So, he says, corporate chief information security officers should reevaluate the visibility of and access to web applications and infrastructure.
