SecurityWeek reports that food delivery firm DoorDash had its customer and email data compromised following a third-party data breach.
Threat actors exploited a third-party vendor's access to DoorDash systems, then used that access to exploit the food delivery platform's internal tools and reach data belonging to "a small percentage of individuals," according to DoorDash. Some customers had their names, email addresses, delivery addresses, and phone numbers compromised, and some also had partial payment card information and basic order details accessed, while DoorDash couriers had their names, email addresses, and phone numbers exposed. Although it did not name the third-party vendor impacted by the breach, DoorDash noted that the attack was related to the widespread phishing attack that compromised Twilio and more than 130 other organizations, which Group-IB noted has led to attackers securing access to almost 10,000 credentials. However, Twilio was not the hacked third-party vendor that caused the DoorDash breach, according to both DoorDash and Twilio.
Ninety-two more apps with more than 30 million cumulative installations, nearly half of them on Google Play, were discovered to be compromised with the SpinOk malware, which has been distributed through a supply chain attack involving a malicious software development kit, BleepingComputer reports.