DoorDash is the latest victim of the hacking group dubbed "0ktapus," which has stolen 10K employee credentials from about 130 organizations - including Twilio and Signal - this year via phishing attacks.
DoorDash's blog post states that the attackers obtained credentials from employees of a third-party vendor, which were then used to access DoorDash's internal tools and systems.
According to a report by the Ponemon Institute, 51% of businesses have suffered a data breach caused by a third party, with 44% suffering a breach within the previous 12 months. Of those 44% of organizations, 74% of the data breaches were the result of granting too much privileged access to third parties.
Data accessed includes names, email addresses, delivery addresses and phone numbers of DoorDash customers. Some users also saw payment card information stolen, but not all. For DoorDash drivers, hackers accessed data that "primarily included name and phone number or email address."
Gal Helemski, CTO and co-founder, PlainID
"When it comes to internal breaches where networks are compromised, identity is still the number one challenge. Organizations must adopt a 'Zero Trust' approach, which means trusting no one - not even known users or devices - until they have been verified and validated. Access policies and dynamic authorizations are a crucial part of the zero-trust architecture, as they help to verify who is requesting access, the context of the request, and the risk of the access environment.
Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented on purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume hackers are already in the network, it makes sense to focus budgets on technologies that restrict movement inside the network."
Jeannie Warner, director of product marketing, Exabeam
"This is a storybook case of the damage credentials in the wrong hands can cause. Compromised credentials are often derived from a URL in a phishing message. A carefully crafted message containing the malicious link is sent to an unsuspecting employee. As soon as it's clicked, the cycle of information loss and damage begins. Any company should aim to nip this problem early on by identifying and alerting on these malicious links.
There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domain/URL lookups. However, like any signature-based approach, newly crafted phishing URLs cannot be identified this way. New machine learning approaches can actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries, such as technology and communications providers. Innovative organizations need a modern approach to securing their environments in order to spot these types of attacks quickly. To help achieve this, machine learning-powered SIEM, automated investigation and response tools, and UEBA technology should absolutely be part of their security stack."
Tim Prendergast, CEO, strongDM
"The DoorDash breach, along with those experienced by Twilio, Signal and more, that gave hackers access to customers' data, highlights how crucial strong access management and infrastructure are to maintaining strong security. Attackers are relentlessly looking for ways into internal systems because it grants them a VIP pass into databases and servers, and access to everything companies don't want leaked publicly. Once attackers get those valid credentials, they can wreak havoc internally. The first step here, rather than pointing fingers, because in truth this could have happened to anyone, is for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure."
Arti Raman (She/Her), CEO & Founder, Titaniam
"Following the recent Twilio phishing attack, attackers gained access to its systems after tricking and stealing credentials from multiple employees targeted in the phishing incident, and then used the stolen credentials to gain unauthorized access to information related to a limited number of Twilio customer accounts, as well as multiple third-party associates of Twilio, including most recently, DoorDash. As this incident proved, despite security protocols put in place, information can be accessed using privileged credentials, allowing hackers to steal the underlying data.
The most effective solution for keeping customer PII safe and minimizing the risk of extortion is data-in-use encryption, also known as encryption-in-use. Encryption-in-use provides enterprises with unmatched immunity to data-focused cyberattacks. Should adversaries gain access to data by any means, data-in-use encryption keeps the sensitive information encrypted and protected even when it is actively being utilized. This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach."
Neil Jones, director of cybersecurity evangelism, Egnyte
"The alleged cyber-attack on delivery application DoorDash reminds us that an organization's cybersecurity is only as strong as the security protection of its third-party vendors. Here, we see how social engineering tactics and suspicious network activity can lead to fraudulent account access and ultimately impact a brand's reputation. The good news is that DoorDash did a lot of the right things here: 1) detecting the suspicious access quickly, 2) involving law enforcement agencies on a timely basis, 3) providing rapid and clear user disclosure, 4) providing a dedicated call center number for impacted parties and 5) committing to make potential cybersecurity improvements in the future. For all organizations, general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user's 'Business Need to Know' are powerful deterrents to social engineering attacks."