DoorDash Faces Data Breach After Employee Falls for Scam

DoorDash is grappling with a significant data breach that occurred after an employee was deceived by a social engineering scam. The breach was detected by the company’s internal security team on October 25, 2025, revealing that unauthorized access had allowed an attacker to steal crucial contact information from users, delivery drivers, and merchants.

The social engineering tactic involved manipulating the employee into divulging private information, which enabled the attacker to bypass DoorDash’s technical security measures. As a result, sensitive data was compromised before the company’s response team could intervene.

Stolen Information and User Impact

DoorDash has confirmed that the stolen data includes full names, physical addresses, email addresses, and phone numbers. This incident affects individuals across the company’s operational regions, including the United States, Canada, Australia, and New Zealand. While DoorDash has stated that no sensitive financial information, such as credit card numbers or Social Security numbers, was taken, concerns remain.

Critics highlight that a person’s name, email address, and phone number can be sufficient for criminals to launch convincing phishing and smishing attacks. Additionally, the exposure of home addresses has raised alarm among users about potential privacy violations.

Delayed Notification Raises Concerns

Notably, the company did not notify customers about the breach until November 13, 2025, nearly three weeks after the initial detection. This delay has led to frustration among affected users, prompting some to question whether DoorDash adhered to data breach notification laws. There have even been threats of legal action from individuals who feel inadequately informed.

Users have taken to social media platforms, including X (formerly Twitter), to express their dissatisfaction and share the email notifications they received from the company. In response to these concerns, DoorDash has committed to enhancing its security measures. This includes increasing employee training on scams like phishing and social engineering, and engaging a leading third-party cybersecurity forensics firm to assist with the ongoing investigation. The company has also referred the matter to law enforcement agencies.

This incident marks the third significant security breach for DoorDash since 2019. Previous breaches have included a similar attack in August 2022, when customer and Dasher data was compromised due to a vulnerability in a third-party vendor’s system, as reported by Hackread.com.

As DoorDash navigates the fallout from this incident, the company faces the dual challenge of restoring user trust while bolstering its cybersecurity protocols to prevent future breaches.