DoorDash Data Breach Exposes User Info in October

Summary
– DoorDash experienced a data breach in October 2025, where an unauthorized third party accessed user contact information.
– The breach resulted from a social engineering scam targeting a DoorDash employee, prompting the company to shut down access and involve law enforcement.
– Impacted information included names, addresses, phone numbers, and email addresses, affecting consumers, Dashers, and merchants, but the exact number of users was not disclosed.
– Users criticized the 19-day delay in notification and questioned the company’s handling, with some considering legal action for potential violations of data breach laws.
– DoorDash has implemented security enhancements, employee training, and a forensic investigation, advising users to be cautious of phishing attempts.

A significant data breach at DoorDash has compromised user information, with the food delivery service confirming unauthorized access to customer data this October. The company, which operates across the United States, Canada, Australia, and New Zealand, began notifying affected individuals via email starting yesterday evening.
According to DoorDash, the security incident was detected on October 25, 2025, when an unauthorized third party obtained certain user contact details. The specific information exposed varies by individual but can include first and last names, physical addresses, phone numbers, and email addresses. In official communications, DoorDash confirmed, “Our investigation has since confirmed that your personal information was affected.”
The breach resulted from a social engineering attack that successfully targeted a DoorDash employee. Upon discovery, the company’s incident response team immediately revoked the unauthorized access, launched an internal investigation, and contacted law enforcement agencies. While DoorDash has not disclosed the total number of users impacted, the breach is known to involve a combination of consumers, delivery drivers (Dashers), and merchants.
This marks the third major security incident for DoorDash in recent years. In 2019, a breach exposed data belonging to approximately five million customers, Dashers, and merchants. Then, in August 2022, the company experienced another incident linked to threat actors who had also targeted communications provider Twilio.
Notably, email notifications included a French translation of the security notice, suggesting initial recipients were primarily located in Canada. However, an advisory posted on DoorDash’s website implies a potentially broader impact, referencing U.S.-specific data categories such as Social Security Numbers. The company clarified that sensitive data like SSNs or SINs were not accessed in this incident.
Many users have expressed frustration over the 19-day delay between detection and notification. One Toronto-based customer criticized the company for downplaying the severity, stating that exposed contact details still constitute sensitive information. Another individual reported planning to take legal action, alleging that DoorDash’s handling of the breach may violate Canadian privacy laws.
In response, DoorDash is urging users to remain vigilant against phishing attempts and unsolicited communications. The company advises against clicking links or opening attachments in suspicious emails and recommends not sharing personal information on unfamiliar websites.
DoorDash says it has already implemented security improvements, provided additional employee training, and enlisted a leading cybersecurity forensics firm to assist with the investigation. Affected users with questions can contact the company’s dedicated support line at +1-833-918-8030 and reference code B155060. The full scope of the breach, including whether U.S. or other international users are affected, remains under review.
(Source: Bleeping Computer)





