Data leak
DoorDash 0ktapus/Twilio Campaign Third-Party Vendor Breach
Incident Details
On August 25, 2022, DoorDash disclosed a data breach caused by a phishing attack against an employee of an unnamed third-party vendor with access to DoorDash’s internal systems. The attack was attributed to the 0ktapus / Scattered Spider campaign, the same threat actor responsible for the Twilio, Cloudflare, Signal, and Mailchimp breaches in August 2022. The attacker used SMS phishing (smishing) to steal the vendor employee’s credentials, then used those credentials to access DoorDash’s systems. Exposed data included: names, email addresses, delivery addresses, and phone numbers for some customers; names, phone numbers, email addresses, and delivery addresses for some Dashers (delivery workers); and partial payment card information (card type and last four digits) for some customers. A smaller subset of Dashers and merchants had full payment card numbers and bank account numbers exposed. DoorDash stated no passwords, government IDs, or Social Security numbers were accessed. The incident was part of the 0ktapus campaign, which targeted 130+ organizations; see also 2022-08_twilio-0ktapus.yaml.
Technical Details
- Initial Attack Vector: 0ktapus / Scattered Spider threat actors phished an employee of an unnamed third-party vendor with access to DoorDash systems via SMS phishing (smishing), then used the stolen credentials to access DoorDash's internal tools and customer data.
Timeline
- 2022-08-01 Breach occurred
- 2022-08-25 Publicly disclosed
- 2022-08-25 Customers notified