Key Takeaways
DoorDash has begun notifying users about a recent cybersecurity incident that exposed the personal information of some customers, delivery drivers (Dashers), and merchants. The company confirmed that the DoorDash data breach occurred on October 25, 2025, after an employee fell victim to a targeted social engineering scam.
This allowed an unauthorized third party to gain access to certain internal systems.
According to the company's official notice, more sensitive data, such as payment card information, bank account details, Social Security numbers, or government-issued IDs, were not compromised in the incident.
The accessed information includes:
The breach did not affect users of the company's Wolt or Deliveroo platforms. DoorDash has stated that, at this time, there is no indication that the exposed personal information has been misused for fraud or identity theft.
In response to the breach, DoorDash has taken several steps to bolster its defenses and safeguard customer data security. The food delivery giant stated that it immediately revoked the unauthorized access upon discovery and launched an investigation into the matter.
It also referred the incident to law enforcement for investigation and engaged an external cybersecurity firm to assist in its response.
Internally, DoorDash is reinforcing its cybersecurity measures by deploying enhancements to its security systems and implementing additional training and awareness programs to help employees better identify and prevent social engineering attacks.
On November 14, a 2021 lawsuit alleging deceptive business practices involving hidden fees, tipping practices, and unauthorized restaurant listings resulted in an $18 million settlement.
The cybercriminal landscape has lately been shifting toward advanced social engineering, which is also characteristic of the new Scattered LAPSUS$ Hunters Extortion-as-a-Service cybercriminal alliance.
J. Stephen Kowski, Field CTO at SlashNext Email Security+, emphasized that attackers are targeting the human element “because it’s often the weakest link in security chains.”