Twilio hackers additionally compromised meals supply firm DoorDash, attackers gained entry to firm knowledge, together with buyer and worker data.

On-demand meals supply service DoorDash revealed an information breach, the menace actors behind the Twilio hack gained entry to the corporate’s knowledge.

DoorDash acknowledged that malicious hackers stole worker credentials from a third-party supplier after which used them to achieve entry to a few of DoorDash’s inner instruments. The attackers then took benefit of inner instruments’ entry to knowledge for each shoppers and staff.

“DoorDash lately detected uncommon and suspicious exercise on a third-party supplier’s laptop community. In response, we shortly disabled the supplier’s entry to our system and contained the incident.” learn a safety advisory revealed by the corporate. “Primarily based on our investigation, we decided that the supplier was compromised by a classy phishing assault. The unauthorized occasion used stolen vendor worker credentials to achieve entry to a few of our inner instruments.”

DoorDash didn’t identify the third-party vendor, however firm spokesman Justin Crowley advised TechCrunch that the seller breach is expounded to the Twilio assault that occurred on August 4.

The uncovered client knowledge contains names, e mail addresses, supply addresses and telephone numbers. The advisory states that for a small subset of shoppers, the attackers accessed primary order data and partial bank card data, together with card kind and the final 4 digits of the cardboard quantity.

For workers, the data accessed by the attackers included names and telephone numbers or e mail addresses; nonetheless, the affected data for every affected particular person might differ.

The menace actors behind the assaults on Twilio and Cloudflare have been linked to a large-scale phishing marketing campaign focusing on 136 organizations, safety agency Group-IB has reported. Many of the victims are organizations that present IT, software program growth and cloud companies.

The marketing campaign, codenamed 0ktapus, resulted within the compromise of 9,931 accounts, 3,120 consumer credentials compromised with e mail.

The menace actors behind the 0ktapus marketing campaign aimed to acquire the Okta identification credentials and two-factor authentication (2FA) codes of customers from the focused organizations. Attackers might then acquire unauthorized entry to firm sources through the use of this data.

In September 2019, DoorDash suffered one other knowledge breach that uncovered the non-public data of 4.9 million shoppers, Dashers, and retailers.

Comply with me on twitter: @security issues Y Fb