
DoorDash suffers data breach following a phishing attack on third-party


DoorDash recently reported that a sophisticated attack on a third-party vendor affected certain personal information it maintains. However, no sensitive information was compromised as part of the attack. Moreover, there is no evidence that the affected personal information has been misused for any illegal activities.

Here is what happened at DoorDash 

DoorDash detected unusual and suspicious activity from a third-party vendor’s computer network and swiftly disabled the vendor’s access to its system to contain the incident. As part of the phishing attack, the unauthorized party used the stolen credentials to access DoorDash’s internal tools.

“For consumers, the information accessed by the unauthorized party primarily included name, email address, delivery address, and phone number. For a smaller set of consumers, basic order information and partial payment card information were also accessed. For Dashers, the information accessed by the unauthorized party primarily included the name and phone number or email address. The information affected for each impacted individual may vary,” mentioned DoorDash in its blog post. 

How to prevent a phishing attack? 

In 2020, 74% of organizations based in the United States experienced a successful phishing attack. Research by the FBI’s Internet Crime Complaint Center (IC3) found that phishing, including vishing, smishing, and pharming, was the most prevalent threat in the US in 2020, affecting 241,342 people.

More organizations are reporting phishing attacks that lead to data breaches. Twilio, a communications products company, found at the beginning of August 2022 that it had been subjected to a smishing attack aimed at stealing employee credentials. In another recent incident, an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. Such incidents lead to financial loss and also loss of trust.

DoorDash has acted to further enhance its security systems after a phishing attack targeted a third party. Organizations can take the following steps to protect themselves against phishing attacks.

Look out for the red flags. Employees must watch out for spelling mistakes, grammatical errors, the address of the sender, and unsolicited messages, links, or attachments that can trap them.

Report what you see. If employees notice any red flags, they must immediately inform the security team so that it can investigate the incident and get to the bottom of it.

Use advanced security tools. Use anti-phishing software with capabilities like detecting spear phishing emails, handling zero-day vulnerabilities, identifying and neutralizing malware attachments, and spotting man-in-the-middle attacks to prevent suspect emails from reaching the target user's inbox.

Train the employees. Phishing attacks can be effective only when victims fail to identify them. Therefore, organizations must train their employees never to take at face value any text message that contains a link to a website or requests sharing any kind of personal information.
