DoorDash, the popular food delivery company, is once again dealing with a public relations issue following a data breach where an unauthorised person, reportedly, stole key contact details from users, delivery drivers, and merchants.
The company’s internal security team first detected the issue on October 25, 2025. Upon further investigation, the team found that the security lapse happened after one of their employees was tricked in a social engineering scam.
For your information, social engineering is simply a trick where criminals manipulate a person into giving up private information or allowing access to systems, which helps them bypass technical security measures. In this case, the attacker gained access before DoorDash’s response team could stop them.
What Information Was Taken?
DoorDash has confirmed that the information stolen includes full names, physical addresses, email addresses, and phone numbers. This incident affected people across the company’s operating regions, including the US, Canada, Australia, and New Zealand. DoorDash has also assured recipients that, currently, they have no evidence that the stolen data has been used for fraud or identity theft.
While the company was quick to state that no sensitive information, like credit card numbers, Social Security numbers, or driver’s license details, was taken, this claim has met with criticism. As we know it, having a person’s name, email, and phone number together is often enough for criminals to launch very believable phishing and smishing attacks. Users are also concerned that their home addresses were accessed.
Delay in Notification
It is worth noting that while the breach was found on October 25, customers only started receiving email warnings on November 13. This delay in telling affected users has led to frustration, with some questioning if the company followed data breach laws and even threatening to take legal action. Affected users have taken to platforms like X (formerly Twitter) to share the email notices they received.
DoorDash has responded by saying they are improving their security systems, increasing employee training on scams like phishing and social engineering, and have hired a leading third-party cybersecurity forensics firm to help with their investigation. They also referred the matter to law enforcement.
This is the third major security failure for the delivery company since 2019. Previously, Hackread.com covered a similar attack in August 2022 that affected customer and Dasher data after a different third-party vendor was compromised.
(Photo by Marques Thomas on Unsplash)