A hacking incident that first hit the news with a data breach of Twilio, a commonly used phone number verification service, has expanded to reveal a months-long string of similar attacks on hundreds of companies. The latest name breached during this campaign, food delivery company DoorDash, is likely the biggest and most relevant to the average person.
DoorDash says that the attackers were able to access “internal tools” that gave them a window into both employee and customer data. Both groups had profile contact information exposed, and customers may have also had partial credit card information (the type of card and last four digits) compromised in the data breach.
Second major DoorDash data breach in three years to hit both employees and customers
DoorDash has a fleet of over two million drivers that spans the nation, serving a customer base of about 25 million people. It is the largest of the food delivery companies of its type in the US, with a market share of about 59%.
A data breach reported in 2019 (but that took place prior to April 2018 and only impacted customers of the food delivery company at that time) compromised a total of 4.9 million people, employees and app users, under very similar circumstances. The size of the current data breach is unknown, but there appears to be at least one improvement: DoorDash did not mention that driver’s license numbers of workers were stolen, something that impacted about 100,000 drivers in the prior breach, nor the “salted and hashed” passwords of customers.
The DoorDash attack appears to have been part of the ongoing “0ktapus” campaign, which first made news when it ensnared Twilio (and Twilio client Signal by extension). But continuing research by security firm Group-IB has found this is the work of a single, distinct group of attackers that has compromised at least 130 other organizations in a similar way. The commentary from DoorDash on the matter indicates that an unnamed third-party vendor of the food delivery company was the point of compromise, with the attackers able to move into the DoorDash network from there.
DoorDash said that its customers may have had names, email addresses, delivery addresses, and phone numbers exposed along with order information and partial credit card information. The exact numbers are unknown, but the food delivery company said that only a “small subset” had order and credit card information accessed. Employees may have had names, phone numbers, and email addresses exposed by the data breach.
It is still unknown to the public who is behind the hacking campaign, but Group-IB says that it has uncovered some identifying information that has been turned over to law enforcement and that it appears to be a profit-seeking criminal group. The attackers specifically target business clients of Okta, a widely used third party access management service, with fake text messages and login pages that look legitimate. The group has breached several recognizable businesses, including MailChimp, but appears to have had most of its success with smaller businesses despite targeting a wide variety of Fortune 500 companies.
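The campaign described above relies on text messages carrying links to lookalike Okta-style login pages. As an added illustration of the kind of defender-side check a security team might run over inbound SMS or email text (example code written for this page, not from DoorDash, Okta, Twilio or Group-IB), the following flags URLs whose host borrows a brand token such as “okta” without actually belonging to the brand’s domain, including digit-for-letter substitutions like the “0kta” in the campaign’s name. The legitimate domain list, brand tokens and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed legitimate login domains an organisation expects staff to see (constructed list).
LEGIT_DOMAINS = {"okta.com", "twilio.com"}
# Brand tokens that phishing hosts in this style of campaign tend to impersonate (assumption).
BRAND_TOKENS = ("okta", "twilio")
# Common digit-for-letter substitutions used to build lookalike hosts (e.g. "0kta" -> "okta").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Not public-suffix aware,
    so multi-part TLDs (e.g. .co.uk) are over-collapsed; adequate for this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_urls(message: str) -> list[tuple[str, str]]:
    """Return (url, registrable_domain) for every link whose host carries a brand
    token (after homoglyph normalisation) but is not one of LEGIT_DOMAINS."""
    hits = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:)")  # drop trailing sentence punctuation
        host = urlsplit(url).hostname or ""
        reg = registrable_domain(host)
        if reg in LEGIT_DOMAINS:
            continue  # genuine brand domain (including its subdomains)
        normalised = host.lower().translate(HOMOGLYPHS)
        if any(token in normalised for token in BRAND_TOKENS):
            hits.append((url, reg))
    return hits


if __name__ == "__main__":
    # Constructed sample message, not a real campaign artefact.
    sample = "Your schedule changed, sign in at https://acme-okta.com/login."
    for url, reg in suspicious_urls(sample):
        print(f"suspicious link {url} (registrable domain {reg})")
```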
Tim Prendergast, CEO of strongDM, notes that attacks on commonly used services such as Okta and Twilio should be expected because of the “downstream” potential they have, even if these services are security-focused in nature: “The DoorDash breach, along with those experienced by Twilio, Signal and more, that gave hackers access to customers’ data highlight how crucial strong access management and infrastructure are to maintain strong security.
Attackers are relentlessly looking for ways into internal systems because it grants them a VIP pass into databases and servers, and access to everything companies don’t want leaked publicly. Once attackers get those valid credentials, they can wreak havoc internally. The first step here is, rather than point fingers, because in truth this could have happened to anyone, that it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure.”
Largest US food delivery company continues to struggle with security issues
Some DoorDash customers and drivers who received data breach notifications in the recent past may be seeing new ones land in their inbox. The food delivery company offers two-factor authentication to add security to accounts, but the Twilio hack demonstrated that the attackers can potentially get around this if they gain access to the right tools; in the Signal breach, they were able to re-register at least one account to a new device using that company’s Twilio customer service portal. Some of the food delivery company’s patrons have also reported that the 2FA prompt does not engage unless the user makes more than one order in one day, or may appear less frequently for “regular” users of the app.
Rajiv Pimplaskar, CEO of Dispersive, notes that supply chain attacks such as this continue to present unique challenges for even the best-prepared and most well-funded IT departments: “Secure access across 3rd party partner connections is a significant challenge for most businesses. The growing dependence on public cloud and SaaS as part of the supply chain has drastically eroded control on the part of corporate IT. Even most zero trust strategies stop at the network and cannot protect against sophisticated threat actors who are able to identify and intercept sensitive data for replay attacks or future analysis. IT organizations need to implement enhanced next generation VPN and ZTNA capabilities to protect sensitive 3rd party connections even within potentially hostile or unfriendly access environments to safeguard sensitive corporate users and data from new and emerging threat actors.”
There is some hope that the attackers will be tracked down by law enforcement quickly, as Group-IB has described their methods as unsophisticated and relying mostly on extreme aggression and quantity of attempts to make headway. The data stolen in this breach is limited in terms of potential for personal damage, but could still be valuable to scammers and hackers if paired with other already available information on an individual.
DoorDash and similar food delivery companies have been under regulatory scrutiny, though not specifically for data breach issues. In 2021 they saw certain cities, such as San Francisco and New York City, place caps on their delivery fees and require them to share customer information with restaurants. The city of Chicago also filed a lawsuit against DoorDash and Grubhub a year ago that accused them of “predatory and deceptive” practices. The 40% of the market that DoorDash does not have is split roughly evenly between Uber Eats, Grubhub and Postmates.