DoorDash Data Breached Following Twilio Hack

The massive food delivery company DoorDash has suffered its second data breach. So far,

DoorDash did not disclose how many users and Dashers (delivery personnel) were affected.


However, their official blog post states that affected users were notified.

The leaked consumer data includes:

  • Name;
  • Email address;
  • Delivery address;
  • Phone number.
  • Basic order information;
  • Last four digits of the payment card number.

Regarding Dashers, the leaked information included phone numbers, names, and email addresses.

Many customers became rightfully worried since this is not the first time DoorDash accounts have been compromised. In September 2018, DoorDash users filed dozens of complaints indicating their accounts had been hacked. Cybercriminals charged multiple food deliveries to their accounts and changed email addresses to prevent the original owners from regaining access.

DoorDash then stated that its internal systems had not been breached. Instead, the food delivery giant argued that victims were affected by a credential stuffing attack.

Almost a year later, DoorDash announced they suffered a massive data breach that affected 4.9 million customers. The breach exposed the last four digits of payment cards, names, emails, delivery addresses, and phone numbers. But it also contained hashed and salted passwords. Hopefully, they used robust enough encryption algorithms for the passwords to remain intact.

Who is to blame?

For both data breaches, DoorDash blames a third-party vendor. And on both occasions, they did not disclose the third party’s identity.

But the recent hack might be related to a much larger issue. American communications company Twilio, which provides two-factor authentication services, became a victim of a sophisticated phishing attack. It is unclear whether these were two separate attacks or if the hackers used compromised data from the Twilio data breach to target DoorDash’s third-party vendor.

One way or another, the ongoing user data leaks are troublesome. Cybercriminals utilized phishing schemes to outmaneuver Twilio – a company that should have the most vigorous cybersecurity. Moreover, phishing heavily relies on the use of personalized data. And that’s precisely the data leaked during the most recent DoorDash breach.

What can you do for protection?

DoorDash pledged in their blog post to strengthen their – and third-party vendor’s – cybersecurity. The good news is that the scope of the data breach isn’t that dangerous. Since the service did not leak any passwords, cybercriminals will find it difficult to access DoorDash accounts.

But it would not be the first time that stolen data has been used for phishing schemes. Here’s what you can do to stay safe:

  • Be mindful of phone conversations. Phone numbers are among the leaked information. A few decades ago, criminals often called people, trying to trick them into sending money. For example, they would claim that the victim’s child caused a car accident and that they needed a hefty sum of money to get them out of trouble. This practice is still alive and well, so be aware of any suspicious phone calls.
  • Start using cybersecurity software. People who don’t use any cybersecurity software are the primary targets for most cyber attacks. If you’re a DoorDash user, it’s the perfect time to start using antivirus software and a firewall. You should also consider using a

VPN to encrypt your online traffic and protect yourself against the data leaks that haunt many companies. There are numerous professional VPN options, and you can use a VPN free trial to try the software out before committing.

  • Don’t open suspicious links. Be particularly careful when opening a link, whether received via email or SMS, especially if you’re among affected DoorDash customers. Cybercriminals can use your real name and email address, and they might have your phone number. They will use this information to sound as convincing as possible. Try to spot anything out of the ordinary, such as the sender’s email address or a grammatical error. And analyze links before clicking on them. The target destination address might differ from what you see on the screen.
Work done by a Team Of Security Experts from Cyber Writes ( - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]