DoorDash Says Relax, Data Breach Only Exposed Names, Phones, Emails & Addresses
by Aaron Leong, Friday, November 14, 2025, 10:57 AM EDT
Food delivery giant DoorDash has once again landed in the spotlight for the wrong reasons, this time with a massive data breach stemming from a sophisticated social engineering attack that targeted one of its employees in October. The incident allowed an unauthorized third party to gain access to and exfiltrate key contact information belonging to a mix of consumers, delivery drivers ("Dashers"), and merchants across its operating regions, including the U.S., Canada, Australia, and New Zealand. This latest breach is DoorDash's third major security failing since 2019, for anyone keeping count.
The attack was first identified by the company’s internal security team on October 25, and traced back to an internal employee who was tricked into compromising their credentials. Social engineering, the dark art of manipulating individuals into performing actions or divulging confidential information, remains a highly effective tactic for threat actors seeking to bypass complex technical defenses. In this case, the manipulation allowed the attackers to harvest personal records before DoorDash’s incident response team could successfully shut down the threat actor's access.
The compromised data varies by individual, but essentially includes full names, physical addresses, email addresses, and phone numbers. DoorDash was quick to assure affected parties that "no sensitive information," such as payment card numbers, social security numbers, or driver's license data, was accessed. However, you can probably see how this assertion has been met with harsh criticism from users and cybersecurity professionals for downplaying the risk. How are contact details, especially email addresses and phone numbers coupled with real names, not considered sensitive information? This trifecta is usually a sufficient foundation to launch highly targeted and convincing phishing, smishing, and scam campaigns. Plus, it's unsettling that hackers also gained access to home addresses.
@DoorDash I'm sorry - if this isn't sensitive information, what is? Don't downplay this just because they didn't get credit card or password information. It's gone deaf. pic.twitter.com/ejeNH3GcvE
Adding to the public outcry is the significant delay in notification. Although the company identified the breach on October 25, impacted users did not begin receiving email warnings until November 13. Not a good look, DoorDash. While some users are questioning the company's compliance with data breach laws and threatening legal action, the bigger picture shows the company's failure to prioritize customer safety following a pattern of repeat security incidents.
DoorDash Dot Bot
In response to the incident, DoorDash has since initiated a series of mitigation and remediation steps. These include implementing enhancements to its security systems, reiterating employee training programs focused on identifying and resisting phishing and social engineering scams, and hiring a leading third-party cybersecurity forensics firm to assist with the investigation.