DoorDash hit by data breach after an employee falls for social engineering scam

Food delivery giant DoorDash confirms a data breach on Oct 25, 2025, where an employee fell for a social engineering scam. User names, emails, and home addresses were stolen.

HackRead
#auth

DoorDash, the popular food delivery company, is once again dealing with a public relations issue following a data breach in which an unauthorised person reportedly stole key contact details from users, delivery drivers, and merchants.

The company’s internal security team first detected the issue on October 25, 2025. Upon further investigation, the team found that the security lapse happened after one of their employees was tricked by a social engineering scam.

Social engineering is a technique in which criminals manipulate a person into giving up private information or allowing access to systems, which helps them bypass technical security measures. In this case, the attacker gained access before DoorDash’s response team could stop them.

**What Information Was Taken?**

DoorDash has confirmed that the information stolen includes full names, physical addresses, email addresses, and phone numbers. This incident affected people across the company’s operating regions, including the US, Canada, Australia, and New Zealand. DoorDash has also assured recipients that, currently, they have no evidence that the stolen data has been used for fraud or identity theft.

While the company was quick to state that no sensitive information, like credit card numbers, Social Security numbers, or driver’s license details, was taken, this claim has been met with criticism. Having a person’s name, email, and phone number together is often enough for criminals to launch very believable phishing and smishing attacks. Users are also concerned that their home addresses were accessed.

**Delay in Notification**

It is worth noting that while the breach was found on October 25, customers only started receiving email warnings on November 13. This delay in telling affected users has led to frustration, with some questioning if the company followed data breach laws and even threatening to take legal action. Affected users have taken to platforms like X (formerly Twitter) to share the email notices they received.

Just in: DoorDash breached…

“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”

Next paragraph:

“No sensitive information was accessed”

🤦‍♂️ pic.twitter.com/1xOXtjnOfT

— Kostas (@Kostastsale) November 13, 2025

DoorDash has responded by saying it is improving its security systems and increasing employee training on scams like phishing and social engineering, and that it has hired a leading third-party cybersecurity forensics firm to help with its investigation. It has also referred the matter to law enforcement.

This is the third major security failure for the delivery company since 2019. Previously, Hackread.com covered a similar attack in August 2022 that affected customer and Dasher data after a different third-party vendor was compromised.

(Photo by Marques Thomas on Unsplash)
