DoorDash A.I CyberSecurity Scoring
DoorDash
Company Information
Website: https://careersatdoordash.com/
Employees number: 76,630
Number of followers: 1,438,241
NAICS: 5112
Industry Type: Software Development
Homepage: careersatdoordash.com
DoorDash Risk Score (AI oriented)
Between 600 and 649
DoorDash • Software Development
Updated: 11/06/2026
609/1000
Poor
Caa
DoorDash: Poor
Current Score: 609 Caa (POOR)
Score range: 0 to 1000
10 incidents
-41.67 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
609
MAY 2026
611
APRIL 2026
611
MARCH 2026
647
Breach
05 Mar 2026 • DoorDash
DoorDash, Walmart, Woflow and Uber: ShinyHunters Claims Woflow Breach: What It Means for SaaS Supply Chain Security
ShinyHunters Allegedly Breaches Woflow, Highlighting Growing SaaS Supply Chain Risks
608
CRITICAL-39
WOFAUBWALDOO1772749980
The threat group ShinyHunters (tracked as UNC6040) has claimed responsibility for breaching Woflow, a third-party SaaS provider with reported customers including Uber, DoorDash, and Walmart. The attackers allege they exfiltrated hundreds of millions of records, though no public data sample has been released as of March 14, 2026, and Woflow has not issued a public response.
This incident underscores a broader shift in SaaS attacks, where threat actors increasingly target integration-heavy vendors to gain downstream access to multiple enterprises. Rather than breaching organizations individually, attackers exploit OAuth tokens, API connections, and non-human identities to move laterally across interconnected SaaS ecosystems. Similar tactics were observed in previous breaches, such as the Salesloft/Drift and Salesforce attacks, reflecting a structural evolution in SaaS-focused cybercrime.
ShinyHunters has refined a financially motivated playbook, leveraging trusted third-party integrations to compromise data at scale before publicly naming victims. In extortion-driven campaigns, attackers often provide proof of compromise directly to victims before releasing data, with delays potentially indicating ongoing negotiations. The group has previously set deadlines for data leaks, mirroring its 2025 Salesforce breach tactics: claiming the breach, issuing ultimatums, and releasing data in waves to pressure targets.
The attack surface for SaaS supply chain threats has expanded due to widespread reliance on OAuth permissions, API tokens, and service accounts. These integrations often operate with elevated privileges, creating persistent vulnerabilities. Over-permissioned OAuth scopes, long-lived tokens, and inherited permissions from privileged users further exacerbate risks, as traditional security controls like MFA and SSE solutions fail to address application-layer threats.
A key challenge is the visibility gap in SaaS security. Many organizations assume sanctioned applications are secure after initial compliance audits, but dynamic SaaS environments, where configurations, integrations, and permissions frequently change, require continuous monitoring. Research indicates that 89% of compromised organizations believed they had adequate visibility at the time of an incident, highlighting the limitations of periodic audits.
Integration-rich vendors are prime targets because a single compromise can provide access to multiple downstream enterprises. These vendors often aggregate sensitive data, maintain API access across tenants, and operate standardized integration models, making them efficient vectors for large-scale attacks. ShinyHunters has claimed over 1.5 billion records across hundreds of companies in past campaigns, demonstrating the financial incentive behind this approach.
To mitigate such risks, security strategies must prioritize continuous SaaS posture management, strict governance of third-party OAuth permissions, and least-privilege enforcement for non-human identities. Short token lifetimes, rapid revocation mechanisms, and behavioral monitoring for anomalous activity are critical to detecting and preventing API-level breaches. As SaaS ecosystems grow more complex, organizations must shift from static compliance checks to operational, identity-centric security practices to address evolving supply chain threats.
FEBRUARY 2026
652
JANUARY 2026
652
DECEMBER 2025
649
NOVEMBER 2025
696
Breach
17 Nov 2025 • DoorDash
DoorDash
DoorDash Data Breach Affecting 4.9 Million Users
647
CRITICAL-49
DOO5993759111725
DoorDash experienced a data breach affecting 4.9 million customers, drivers (Dashers), and merchants after an attacker exploited credentials from a third-party vendor to gain unauthorized access. Exposed data included names, email addresses, phone numbers, delivery addresses, order history hashes, and the last four digits of payment cards for Dashers. While no full financial details, SSNs, or government IDs were compromised, the leaked contact information heightens risks of targeted phishing, smishing (SMS scams), and vishing (voice fraud), with attackers potentially impersonating DoorDash support or merchants. The breach originated from social engineering, tricking an employee into divulging access credentials. DoorDash blocked the intrusion, engaged law enforcement, and began notifying affected users, though no direct fraud or identity theft has been confirmed yet. The incident underscores vulnerabilities in supply chain attacks and the persistent threat of human manipulation in breaches.
OCTOBER 2025
732
Breach
25 Oct 2025 • DoorDash
DoorDash
DoorDash Social Engineering Data Breach (2025)
695
CRITICAL-37
DOO4104241112725
In November 2025, DoorDash confirmed a data breach resulting from a social engineering attack targeting an employee. The attacker successfully manipulated the employee into divulging legitimate credentials, granting unauthorized access to internal systems. While DoorDash detected and contained the intrusion on October 25, the attackers had already exfiltrated personal contact information of customers, Dashers, and merchants—including names, physical addresses, email addresses, and phone numbers. Although no highly sensitive data (e.g., Social Security numbers, driver’s licenses, or payment card details) was compromised, the stolen information poses a significant risk for follow-on attacks such as spear phishing and vishing. The breach underscores the vulnerability of human elements in cybersecurity, emphasizing the need for AI-driven threat detection to mitigate dwell time and prevent data theft from compromised identities.
SEPTEMBER 2025
730
AUGUST 2025
729
JULY 2025
727
MAY 2025
758
Breach
01 May 2025 • DoorDash
DoorDash
DoorDash Employee Falls Victim to Social Engineering Scam, Exposing Customer Data
721
CRITICAL-37
DOO4293042111925
A DoorDash employee was targeted in a social engineering scam, leading to unauthorized access to some customer data. While the breach exposed personal information, officials confirmed that no ID numbers (e.g., Social Security numbers) or payment details were compromised. The incident highlights vulnerabilities in employee training and susceptibility to phishing or manipulation tactics, which allowed threat actors to bypass security measures. The exposed data may include names, email addresses, or delivery-related information, but the lack of financial or highly sensitive identifiers reduces the immediate risk of identity theft or fraud. However, the breach still poses reputational harm and potential follow-on attacks, such as targeted phishing campaigns against affected customers. DoorDash has not disclosed the exact number of impacted users, but the incident underscores the ongoing risks of human error in cybersecurity defenses.
JULY 2023
725
Vulnerability
01 Jul 2023 • DoorDash
DoorDash
DoorDash Email Spoofing Vulnerability Enabling Phishing Campaigns
722
MEDIUM-3
DOO2492524111725
A vulnerability in DoorDash’s systems allowed threat actors to exploit an unpatched flaw in the DoorDash for Business platform, enabling them to send fully branded, official-looking emails from [email protected] by injecting arbitrary HTML into the 'Budget name' input field. This created a highly convincing phishing channel, as emails bypassed spam filters and appeared legitimate. The flaw, reported by a researcher in July 2023, remained unpatched for over 15 months due to disputes over disclosure ethics and financial demands. While no direct data breach or internal system access occurred, the vulnerability posed a significant reputational and financial risk by facilitating large-scale phishing attacks targeting customers, merchants, or arbitrary recipients. The company eventually patched the issue in November 2024 after public pressure, but the researcher was banned from DoorDash’s bug bounty program amid accusations of extortion. The incident highlights tensions between responsible disclosure and corporate response protocols in cybersecurity.
AUGUST 2022
738
Breach
01 Aug 2022 • DoorDash
DoorDash
DoorDash Data Breach
701
CRITICAL-37
DOO0162922
Food delivery firm DoorDash suffered a data breach exposing customer and employee data that was compromised in a cyberattack on Twilio.
The threat actor gained access to the company's internal tools using stolen credentials from a third-party vendor that had access to their systems.
As a response, they disabled the vendor's access to their system and contained the incident.
The exposed information included the names, email addresses, delivery addresses, and phone numbers of consumers. In addition, for a small subset of customers, the hackers accessed basic order information and partial credit card information, including the card type and the last four digits of the card number.
SEPTEMBER 2019
705
Breach
01 Sep 2019 • DoorDash
DoorDash
DoorDash Data Breach
656
CRITICAL-49
DOO15123922
DoorDash suffered a data breach after an unauthorized user gained access to the personal information of 4.9 million consumers, Dashers, and merchants.
The exposed information included email addresses, delivery addresses, order history, phone numbers, hashed and salted passwords, and the last four digits of the credit cards or bank accounts of consumers, Dashers, and merchants.
The company notified all the affected individuals through the mail.
JUNE 2019
751
Breach
16 Jun 2019 • DoorDash
DoorDash
DoorDash Data Breach via Social Engineering Attack (October 2025)
699
CRITICAL-52
DOO5203452112125
In October 2025, DoorDash suffered a sophisticated social engineering attack where an unauthorized third party tricked an employee into granting access to internal systems. The breach compromised personal information—including names, email addresses, phone numbers, and physical addresses—of an unspecified number of customers, delivery workers (Dashers), and merchants. While DoorDash claimed no 'sensitive' data (e.g., credit cards, SSNs, passwords) was exposed, the leaked details pose risks for phishing, identity theft, and targeted scams. The incident mirrors past breaches (2019: 5M users; 2022: driver license numbers), highlighting persistent vulnerabilities in employee training and third-party risk management. The company offered free credit monitoring but faced criticism for reactive measures. The breach underscores systemic gaps in the gig economy’s cybersecurity, with potential reputational damage, regulatory scrutiny, and heightened risks for affected users (e.g., Dashers’ physical safety).
MAY 2019
793
Breach
04 May 2019 • DoorDash
DoorDash, Inc.
DoorDash Data Breach
750
CRITICAL-43
DOO622072825
The California Office of the Attorney General reported on September 27, 2019, that DoorDash, Inc. experienced a data breach on May 4, 2019, involving unauthorized access to user data. Approximately 41,740 California residents were affected, with compromised information including names, email addresses, phone numbers, hashed passwords, and driver's license numbers.
SEPTEMBER 2018
822
Breach
01 Sep 2018 • DoorDash
DoorDash
DoorDash Account Hack
788
MEDIUM-34
DOO232301022
Customers' accounts at food delivery startup DoorDash have been hacked.
Dozens of people have tweeted that their accounts had been improperly accessed and had fraudulent food deliveries charged to them.
The hackers changed the email addresses on the accounts.
There has been no data breach, and the likely culprit was credential stuffing, in which hackers take lists of stolen usernames and passwords and try them on other sites that may use the same credentials.