I used to work for a third-party service provider that merchants send this sort of data to for lots of users. Considering there weren't lots of customers using this provider making similar posts, and Doordash didn't call out the provider, it wouldn't surprise me if a Doordash employee account with that provider got compromised. The blog post was carefully worded to not throw the provider under the bus, but also avoid taking blame, themselves.
The telling bit is that the last four digits of credit card numbers were sent. There are only a few types of vendors you'd send that data to.
I used to work for a third-party service provider that merchants send this sort of data to for lots of users. Considering there weren't lots of customers using this provider making similar posts, and Doordash didn't call out the provider, it wouldn't surprise me if a Doordash employee account with that provider got compromised. The blog post was carefully worded to not throw the provider under the bus, but also avoid taking blame, themselves.
The telling bit is that the last four digits of credit card numbers were sent. There are only a few types of vendors you'd send that data to.