DoorDash hit by data breach from hackers that could see some Australian customer data leaked
Popular food delivery service DoorDash is investigating whether the personal information of Australians has been leaked.
Australians who use delivery service DoorDash to have their takeaway meals, food, groceries and other goods delivered to their door could have had some of their sensitive personal information breached by hackers, after one of the US-based company’s vendors was the victim of a phishing incident.
Local partners of DoorDash in Australia have contacted The Australian to say that they have been in talks with DoorDash for a number of days to discuss the matter and the possible hacking of personal customer data, including the last four digits of credit card numbers.
DoorDash is one of the many popular food delivery services in Australia, making up part of the fast-growing gig economy, with thousands of clients ranging from restaurants and cafes to major Australian retailers such as McDonald’s.
In Australia, it offers the DashPass membership, which allows consumers to enjoy unlimited $0 delivery fees on eligible orders over the minimum $20.
DashPass members can also enjoy exclusive benefits, including DashPass-only promotions.
However, reports now suggest that customer data for millions of its users worldwide, including in Australia, may have been scooped up after hackers used a phishing program to capture sensitive information that includes partial segments of credit card details, phone numbers and emails. The attack is thought to have affected at least 130 companies.
In a statement, the company said it was working with local authorities.
“The advanced tactics used appear to be connected to a wider phishing campaign that has targeted a number of other companies,” DoorDash said in the blog post.
“We understand that law enforcement is aware of this campaign and is actively investigating.”
In addition to working with authorities, DoorDash said it retained a “leading cybersecurity firm” to assist with the investigation into the attack.
DoorDash said it recently detected unusual and suspicious activity from a third-party vendor’s computer network. DoorDash has not named the third-party vendor, but technology publication TechCrunch has reported it to be messaging provider Twilio.
The breach is thought to be linked to a hacking group, dubbed “0ktapus,” which has stolen up to 10,000 employee credentials from at least 130 companies since March.
“In response, we swiftly disabled the vendor’s access to our system and contained the incident,” DoorDash said.
“Based on our investigation, we determined the vendor was compromised by a sophisticated phishing attack. The unauthorised party used the stolen credentials of vendor employees to gain access to some of our internal tools.
“Our investigation has determined that a small percentage of individuals whose data is maintained by DoorDash was affected in connection with this incident,” the company said.
“For consumers, the information accessed by the unauthorised party primarily included name, email address, delivery address and phone number. For a smaller set of consumers, basic order information and partial payment card information (i.e., the card type and last four digits of the card number) was also accessed.
“Based on our investigation to date, the information accessed by the unauthorised party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers,” it added.
The latest incident follows a similar situation in 2019, when DoorDash reported a data breach affecting 4.9 million customers and delivery workers globally, who had their personal information stolen by hackers.
The Australian has contacted DoorDash Australia for comment.