DoorDash hit by yet another data breach this October

DoorDash has disclosed a data breach that hit the food delivery platform this October.

Beginning yesterday evening, DoorDash, which serves millions of customers across the U.S., Canada, Australia, and New Zealand, started emailing those impacted by the newly disclosed security incident.

Your personal information affected

“On October 25, 2025, our team identified a cybersecurity incident that involved an unauthorized third party gaining access to and taking certain user contact information, which varied by individual,” states the email notification from DoorDash.

The information may have included:

  • First and last name
  • Physical address
  • Phone number
  • Email address

“Our investigation has since confirmed that your personal information was affected.”

DoorDash email notifications disclosing security incident from October (BleepingComputer)

The incident has been traced to a DoorDash employee falling victim to a social engineering scam. Upon becoming aware, the company’s incident response team shut down the unauthorized party’s access, started an investigation, and referred the matter to law enforcement. 

This marks the third notable security incident suffered by the delivery giant.

In 2019, a data breach at DoorDash exposed the information of roughly 5 million customers, Dashers and merchants to an unauthorized party.

In August 2022, DoorDash suffered another data breach from the threat actors who had also attacked Twilio that year.

La traduction française suit

What’s interesting is that a French translation of the notice is appended to these emails:

French translation of security incident disclosure (BleepingComputer)

At this time, it appears that the emails primarily went to DoorDash Canada users (including myself). We are yet to confirm if the breach also impacts users based in the US and other regions where DoorDash operates.

However, an undated security advisory posted on DoorDash’s website includes wording that suggests the incident may extend beyond Canada, including references to US-specific data types, like Social Security Numbers (SSNs), which DoorDash says were not accessed. (The Canadian counterpart would have been Social Insurance Numbers, or SINs.)

BleepingComputer has approached the DoorDash press team with additional questions to seek clarification on the matter.

‘Took 19 whole days’

Some users on social media have rebuked DoorDash, questioning the company’s handling of the incident and the timing of the notifications.

“I’m sorry – if this isn’t sensitive information, what is? Don’t downplay this just because they didn’t get credit card or password information. It’s gone deaf,” posted Chris from Toronto.

Cybersecurity professional Kostas T. also reacted to the email’s phrasing, expressing that the statement “no sensitive information was accessed” conflicted with the personal information that the company acknowledged was accessed.

“DoorDash took 19 whole days to notify me of a data breach that has leaked my personal information. Thankfully I used a fake name and forwarded email address for my account, but my real phone number and physical address have been leaked,” wrote X user itsohqay.

“This is incredibly unprofessional, dangerous, and potentially illegal behaviour from DoorDash… This process violates Canadian data breach law. I’ll be filing a case against DoorDash in provincial small claims court and making a complaint to the Office of the Privacy Commissioner of Canada.”

Users should be wary of unsolicited communications or targeted phishing emails appearing to originate from DoorDash. 

DoorDash warns that you should avoid clicking on links or attachments within suspicious emails and refrain from providing any personal information to unfamiliar websites.

“We have already taken steps to respond to the incident, including deploying enhancements to our security systems, implementing additional training for our employees, bringing in a leading cybersecurity forensic firm to assist in our investigation of this issue, and notifying law enforcement for ongoing investigation,” states the company.

DoorDash users with questions related to the incident can also call the toll-free number +1-833-918-8030 and cite reference code B155060.

BleepingComputer awaits response from DoorDash on the exact scope of the incident.
