DoorDash hack leaks customer and payment info

DoorDash Inc (NYSE:DASH) confirmed that a hack on its internal systems compromised personally identifiable information and, for a smaller set of customers, partial payment card information.

The food delivery giant revealed that hackers used phished credentials from employees of a third-party vendor to gain access to some of DoorDash’s internal tools.

DoorDash, in its statement, said: “The phishing campaign did not compromise sensitive information and we have no reason to believe that affected personal information has been misused for fraud or identity theft at this time.”

This isn’t the first time that hackers have stolen customer data from DoorDash’s systems. In 2019, the company reported a data breach affecting 4.9 million customers, delivery workers and merchants who had their information stolen by hackers.

What was breached?

For customers, the information accessed by the hackers primarily included names, email addresses, delivery addresses and phone numbers.

For a smaller set of customers, basic order information and partial payment card information (i.e., the card type and last four digits of the card number) were also accessed.

For delivery agents (Dashers), the information breached included the name and phone number or email address. The information affected for each impacted individual may vary.

Based on its information to date, DoorDash confirms that the hack did not compromise passwords, full payment card numbers, bank account numbers, or social security or social insurance numbers.

Does it affect me?

DoorDash says that a “small percentage” of users were affected by the incident but declined to clarify the scale of the attack.

The company says that it has notified the affected users where required, published information about the incident on its website, and set up a dedicated call centre to answer questions from users.

It also warns customers to be cautious of unsolicited communications that ask for personal information or refer them to a web page asking for personal information, and to avoid clicking on links or downloading attachments from suspicious emails.

Who did it?

DoorDash has not named the…