Food and retail delivery company DoorDash has confirmed a data breach that compromised consumers’ and business partners’ information after an employee fell victim to a social engineering attack.
“On October 25, 2025, our team identified a cybersecurity incident that involved an unauthorized third party gaining access to and taking certain user contact information, which varied by individual,” it stated.
Upon its discovery, the data breach prompted DoorDash to initiate an investigation involving external cybersecurity experts to determine its nature.
DoorDash confirms data breach from a social engineering attack
According to the company’s preliminary investigation results, the social engineering scam enabled attackers to access the information of consumers, delivery agents, also known as Dashers, and merchants. So far, the delivery giant has not determined the number of affected individuals.
While information varied by individual, it mainly included first and last names, physical addresses, phone numbers, and email addresses.
However, the social engineering attack did not enable the attackers to access sensitive personal information, such as Social Security Numbers, driver’s license numbers, or credit card information.
DoorDash also assured the victims that the attackers had not misused the stolen data to commit fraud or identity theft. However, there is no indication that the company plans to offer free identity theft protection or credit monitoring services to shield data breach victims from fraud.
In addition, while no sensitive information was leaked, fraudsters could use the leaked contact information, such as email addresses and phone numbers, to target victims with more compelling social engineering and phishing scams. Such scams could lead to significant data breaches that expose sensitive personal and financial information, such as credit card details and Social Security Numbers.
“Now this breach can be the spark for others as the breached data enables highly credible social engineering attacks,” said Kiran Chinnagangannagari, Chief Product & Technology Officer, Securin. “Bad actors can craft personalized phishing emails referencing specific delivery addresses, send convincing smishing messages posing as DoorDash support, or impersonate payment processors with disturbing familiarity.”
Subsequently, DoorDash advised victims to stay alert for unsolicited emails requesting personal information. They should also avoid clicking links or downloading or opening attachments in suspicious emails, and avoid entering their personal information on unfamiliar websites.
DoorDash also claimed it has deployed additional security systems, implemented further employee training, engaged external cybersecurity experts, and notified law enforcement.
“We have already taken steps to respond to the incident, including deploying enhancements to our security systems, additional training for our employees, bringing in a leading cybersecurity forensic firm to assist in our investigation of the issue, and notifying law enforcement for ongoing investigation,” DoorDash explained.
Meanwhile, DoorDash has yet to disclose the identity of the threat actor and the compromised management information system.
DoorDash operates in the United States, Canada, Australia, and New Zealand. However, the social engineering attack appeared to affect only its North American operation, particularly Canada. Similarly, Wolt and Deliveroo, DoorDash’s other delivery platforms, were unaffected.
“What is most troubling about this incident is the breach vector itself,” continued Kiran. “The vulnerability of a single employee to social engineering compromised millions of users’ data, underscoring a critical reality: technical controls alone cannot eliminate the human element as a security risk. This serves as a stark reminder that the ‘Human Firewall’ is cracking under the pressure of AI-enhanced social engineering. This is a systemic, industry-wide challenge as cybercriminals increasingly shift from targeting technical infrastructure to targeting people.”
DoorDash past data breaches
DoorDash has experienced similar data breaches in the past six years. In 2019, the delivery platform suffered a third-party data breach, which leaked the names, email addresses, delivery addresses, order history, phone numbers, and hashed and salted passwords of over 4.9 million customers.
In 2022, DoorDash was among dozens of organizations affected by the Twilio data breach, which leaked the names, phone numbers, and email addresses of customers and employees. For some customers, the data breach also exposed their delivery addresses, basic order details, and the last four digits of their credit cards.

