DoorDash, the well-known food delivery service, has reported a significant data breach affecting its users, delivery drivers, and merchants. The company’s internal security team identified the breach on October 25, 2025, and found that an unauthorized individual had accessed sensitive contact information following a social engineering attack on one of its employees.
Social engineering involves manipulating individuals into divulging confidential information or granting access to secure systems. In this instance, the attacker successfully gained access to DoorDash’s systems before the company’s security response team could intervene.
Details of the Breach
DoorDash confirmed that the compromised data includes full names, physical addresses, email addresses, and phone numbers. This incident has affected individuals across the company’s operational regions, including the US, Canada, Australia, and New Zealand. While the company reassured users that no sensitive financial information, such as credit card numbers or Social Security numbers, was accessed, the nature of the stolen data has raised concerns.
Experts indicate that possessing a person’s name, email, and phone number can be sufficient for criminals to initiate convincing phishing and smishing attacks. Additionally, the unauthorized access to home addresses has left users feeling vulnerable.
Delayed Notifications and User Response
Although the breach was first detected on October 25, DoorDash did not notify affected customers until November 13. This delay has frustrated many users, prompting questions about whether the company complied with data breach notification laws. Some individuals have even threatened legal action in response to the situation.
Affected users have taken to social media platforms to share the email notifications they received from DoorDash. In an effort to address the fallout, the company has stated it is enhancing its security measures. This includes increasing employee training on recognizing scams such as phishing and social engineering, as well as collaborating with a leading third-party cybersecurity forensics firm to conduct a thorough investigation into the breach. DoorDash has also referred the matter to law enforcement.
This incident marks the third major security breach for DoorDash since 2019. A previous incident, reported by Hackread.com in August 2022, involved a different third-party vendor and compromised customer and delivery driver data. The company continues to face scrutiny regarding its data security practices and the effectiveness of its response to these incidents.
