SAN FRANCISCO — Food delivery app company DoorDash said hackers accessed phone numbers, emails and delivery addresses after getting into a third-party vendor's computer system.
In a Thursday statement, the company said it has "no reason to believe that affected personal information has been misused for fraud or identity theft" from the "sophisticated phishing campaign."
DoorDash didn't share the exact timing of the breach, but told customers it "recently" caught suspicious activity from the unnamed vendor's computer network. It said the vendor's access to its systems was quickly disabled.
A spokesman for the company told Bloomberg and TechCrunch that the attack was linked to a phishing breach of messaging company Twilio Inc. earlier in August.
"The advanced tactics used appear to be connected to a wider phishing campaign that has targeted a number of other companies," DoorDash said in the statement. It said it has contacted law enforcement and affected users over the incident.
Phishing is when an attacker sends messages to trick people into sharing sensitive information, like passwords.
This is not DoorDash's first data breach; a 2019 attack exposed data from 4.9 million of its users, delivery workers and vendors.
Who was affected?
DoorDash said a "small percentage" of people whose data is stored on its system were affected.
For most affected customers, the breached data included name, email address, delivery address and phone number. For a smaller set of customers, it included basic order information and "partial" payment card information, like card type and the last four digits of the card number.
The company said delivery workers' information was also accessed, mostly including name, phone number and email.
DoorDash said based on its investigation, the breached data didn't include passwords, full payment card information, bank account numbers or Social Security numbers.
OTHER NEWS: 'Your DoorDash driver's going to jail' | Texas officer saves date night after arresting delivery driver