Data Delivered into the Wrong Hands: DoorDash Hit by Data Breach
November 18th, 2025

❓What:
On October 25, 2025, delivery service DoorDash identified that an unauthorized third party had gained access to some internal systems after one of its employees fell victim to a social-engineering attack.
The adversary accessed various records containing personally identifiable information (PII) of users (consumers), delivery workers (Dashers), and merchants across several countries. Data exposed includes first & last names, email addresses, phone numbers, and physical addresses.
DoorDash states that no payment card information, banking details, Social Security numbers or other highly sensitive identity documents were accessed.
⚠️Impact:
Exposure of PII increases the risk of phishing, targeted social engineering, account takeover attempts, and spam. Even though only "basic" PII was exposed, such data is valuable to threat actors because it lets them craft convincing, personalised lures.
The breach affects multiple stakeholder groups (customers, employees, merchants), broadening the scope of risk and potential harm (both trust/reputation and operational) for DoorDash.
The fact that the incident was caused by social engineering highlights a continuing human-factor vulnerability, which may drive regulatory scrutiny, internal audit pressure, and insurance premium impacts. Additionally, delayed or partial notification (users citing a 19-day delay) may exacerbate reputational damage.
💡Recommendations:
For the Organization:
Strengthen employee training on social engineering (phishing, impersonation, etc.) and run regular penetration testing engagements simulating various social engineering attacks.
Enforce stronger access controls, segmentation, and monitoring around internal systems that contain user PII; apply the principle of least privilege and Zero-Trust Network Access, so that a single compromised employee account cannot read records for every stakeholder group and every country.
Review incident-response and notification processes to ensure timely disclosure and clear communication to all potentially impacted parties and stakeholders.
Incorporate social engineering and human-factor vulnerabilities into your threat modelling and control assessments.
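The access-control and monitoring recommendation above is easier to reason about with a concrete check. The following is an added example, not DoorDash's code or anything taken from the article: it assumes a simple role-to-stakeholder permission map and a JSON-per-line audit log of PII reads (both constructed here), enforces least privilege per record type, and flags any principal whose read volume, country spread, or out-of-role reads exceed an assumed baseline. The role names, field names and thresholds are illustrative assumptions.

```python
"""Least-privilege gate and bulk-PII-read detector over a constructed audit log.

Added example: not DoorDash's code. Roles, log schema and thresholds are assumptions.
"""
import json
from collections import defaultdict

# Assumed least-privilege mapping: each role may read PII only for one
# stakeholder group. A consumer-support agent has no business reading
# Dasher or merchant records.
ROLE_PERMISSIONS = {
    "consumer_support": {"consumer"},
    "dasher_ops": {"dasher"},
    "merchant_ops": {"merchant"},
}


def authorize(role, subject_type):
    """Return True only if the role is explicitly allowed to read that record type."""
    return subject_type in ROLE_PERMISSIONS.get(role, set())


def build_sample_log():
    """Construct sample audit log lines (JSON per line). Entirely synthetic data."""
    lines = []
    # alice: a normal support agent, a handful of in-role reads in one country
    for i in range(5):
        lines.append(json.dumps({"ts": f"2025-10-25T01:00:{i:02d}Z", "principal": "alice",
                                 "role": "consumer_support", "action": "read_pii",
                                 "subject_type": "consumer", "country": "US"}))
    # carol: Dasher operations, moderate volume across two countries (still within baseline)
    for i in range(10):
        lines.append(json.dumps({"ts": f"2025-10-25T01:10:{i:02d}Z", "principal": "carol",
                                 "role": "dasher_ops", "action": "read_pii",
                                 "subject_type": "dasher", "country": ["US", "CA"][i % 2]}))
    # bob: a compromised support account pulling records for every stakeholder
    # group across four countries, plus one non-PII action that must be ignored
    lines.append(json.dumps({"ts": "2025-10-25T02:00:00Z", "principal": "bob",
                             "role": "consumer_support", "action": "login", "country": "US"}))
    for i in range(120):
        lines.append(json.dumps({"ts": f"2025-10-25T02:{i // 60:02d}:{i % 60:02d}Z", "principal": "bob",
                                 "role": "consumer_support", "action": "read_pii",
                                 "subject_type": ["consumer", "dasher", "merchant"][i % 3],
                                 "country": ["US", "CA", "AU", "NZ"][i % 4]}))
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_log(text):
    """Parse JSON-per-line audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_bulk_pii_reads(events, max_reads=50, max_countries=2):
    """Flag principals whose PII reads exceed volume/geography baselines or break role policy.

    Returns {principal: [reason, ...]} for flagged principals only.
    """
    reads = defaultdict(int)
    countries = defaultdict(set)
    out_of_role = defaultdict(int)
    for e in events:
        if e.get("action") != "read_pii":
            continue  # only PII reads count towards the baseline
        p = e["principal"]
        reads[p] += 1
        countries[p].add(e["country"])
        if not authorize(e["role"], e["subject_type"]):
            out_of_role[p] += 1
    findings = {}
    for p, n in reads.items():
        reasons = []
        if n > max_reads:
            reasons.append(f"read volume {n} exceeds baseline {max_reads}")
        if len(countries[p]) > max_countries:
            reasons.append(f"records spanned {len(countries[p])} countries (max {max_countries})")
        if out_of_role[p]:
            reasons.append(f"{out_of_role[p]} reads outside role permissions")
        if reasons:
            findings[p] = reasons
    return findings


if __name__ == "__main__":
    for principal, reasons in detect_bulk_pii_reads(parse_log(SAMPLE_LOG)).items():
        print(principal, "->", "; ".join(reasons))
```

Run as-is, only `bob` is reported, with all three reasons; `alice` and `carol` stay within baseline and within role. In a real deployment the authorization check would sit in the application's data-access layer (denying the read, not merely logging it), and the detector would run over a rolling window of the production audit log rather than a static sample.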
For the End User:
Be vigilant for phishing and impersonation attempts (via email, SMS or phone) that claim to come from DoorDash or other services and reference your account.
Change passwords for associated accounts, especially if reused elsewhere; enable multi-factor authentication (MFA) where supported.
Monitor accounts and communications for suspicious activity (unauthorized orders, login notices, unexpected calls/texts).
With increased sophistication in social engineering campaigns, consider using unique email addresses or aliasing and avoid sharing or verifying personal data unless absolutely required.
Read the full article HERE
