DoorDash has confirmed a data breach that exposed contact information for an undisclosed number of users. The company identified unauthorized access on October 25 after detecting suspicious activity involving an employee account. According to the company’s disclosure, the incident involved a third party who gained access to internal systems through a targeted social engineering scam.
The company said this method allowed the attacker to obtain limited user data before access was removed. DoorDash has not released specific technical details about the intrusion method beyond the reference to social engineering tactics.
Notifications sent to affected users state that exposed data varies by individual. The information may include names, email addresses, phone numbers, and physical addresses. DoorDash said the breach did not involve Social Security numbers, government-issued identification numbers, payment card information, or bank account details. The company added that it has no evidence of fraudulent activity linked to the incident. Although the data set is limited to contact details, security analysts note that this category of information can still be used for phishing and other targeted scams.
DoorDash reported that the breach affected customers, delivery workers known as Dashers, and merchants. The company is notifying impacted individuals directly through email and in-app messaging. Although the scale of the breach has not been disclosed, DoorDash said the affected group represents only a subset of its user base. The company advised recipients of notification letters to review the details carefully and to follow the recommended steps for account security. DoorDash also encouraged users to remain cautious about incoming messages that request personal information or seek to redirect them to unfamiliar websites.
Investigation and company response
Following the discovery of the incident, DoorDash launched an internal investigation supported by an external cybersecurity firm. The company said the initial priority was terminating the unauthorized access and securing affected systems. The investigative team is working to understand what information was viewed and for how long the attacker had access. DoorDash has shared findings with law enforcement and stated that it is cooperating with officials overseeing the inquiry. As of now, the company has not attributed the attack to a specific group.
DoorDash stated that it is implementing new security measures to reduce the likelihood of similar incidents in the future. These steps include expanded employee training focused on recognizing and reporting social engineering attempts. The company said it is strengthening processes used to verify identity during internal support interactions. Additional technical safeguards are also being added, although DoorDash did not specify which controls are being deployed. The company noted that these changes are part of a broader effort to improve the protection of user data across its platform.
While this incident did not involve financial information, DoorDash recommended that users monitor their accounts for unusual activity. Customers, Dashers, and merchants were advised to review recent communications and to be cautious when receiving emails, texts, or phone calls that appear to originate from DoorDash but request personal information. Security specialists commonly warn that stolen contact data can be used to craft convincing phishing messages that imitate official communications. DoorDash said it will continue providing updates to affected individuals as the investigation moves forward.
This breach follows earlier incidents reported by the company. In 2022, DoorDash disclosed a breach linked to a phishing campaign targeting a third-party vendor that exposed personal information for a subset of users. In 2019, the company confirmed a separate incident that affected more than four million customers, Dashers, and merchants. DoorDash said lessons from previous events have informed its current security improvements and that the company is working to maintain transparency during the investigative process.
