Food-delivery giant DoorDash has disclosed a newly identified data breach that occurred in late October, marking yet another security setback for the company and raising fresh concerns about breach notification timelines and user privacy.
According to notices emailed to affected users this week, DoorDash detected unusual activity on October 25, 2025, and later confirmed that an unauthorized party accessed certain types of customer and partner data.
What information was exposed?
DoorDash states that the attacker gained access to contact-level information, which differs for each individual but may include:
- Full name
- Physical address
- Phone number
- Email address
The company stressed that no passwords or financial information were accessed. However, many cybersecurity professionals and users argue that contact information is highly sensitive, as it can be used for harassment, targeted scams, or identity-verification attacks.
DoorDash confirmed in its notification:
“Our investigation has since validated that your personal information was impacted.”
How the breach occurred
DoorDash reports that the intrusion stemmed from a social engineering scheme that successfully targeted one of its employees. Once the threat actor obtained access, they exfiltrated specific user information before DoorDash’s security team cut off the unauthorized connection.
The company says it launched an internal investigation, engaged a third-party forensics firm, and notified law-enforcement agencies shortly after discovering the activity. DoorDash has not disclosed the scale of the incident or how many consumer, merchant, or Dasher accounts were affected.
A pattern of recurring incidents
This latest breach adds to a concerning timeline of security events at DoorDash:
- 2019: A major breach exposed personal details of approximately 5 million customers, Dashers, and merchants.
- August 2022: DoorDash was again compromised after threat actors infiltrated systems by targeting employees via the same campaign that hit Twilio.
The October 2025 incident marks the company’s third significant security lapse in six years.
Canadian users hit hardest—but not exclusively
Many of the notifications appear to have been sent to users in Canada, and DoorDash even appended a full French translation to its email notice. However, a security advisory posted to DoorDash’s public site references U.S.-specific identifiers, such as Social Security Numbers, which the company claims were not accessed.
That broader advisory suggests the breach may not be limited to Canadian accounts. DoorDash has not yet answered questions about whether customers in the U.S., Australia, or New Zealand were also impacted.
Criticism over delayed disclosure
DoorDash is now facing pushback from users and security experts who question why it took 19 days to notify affected individuals—especially those in Canada, where breach notification laws require prompt disclosure.
On social media, Toronto resident Chris criticized the language of the notice:
“If this isn’t sensitive information, what is? Don’t minimize the severity because credit card numbers weren’t taken.”
Cybersecurity professional Kostas T. echoed this sentiment, arguing that DoorDash’s disclaimer that “no sensitive information” was exposed contradicts the confirmed leak of names, addresses, and phone numbers.
One affected user wrote:
“DoorDash took 19 days to inform me. I used a fake name and disposable email, but my real phone number and address are now out there. I’ll be filing complaints with the Privacy Commissioner.”
DoorDash’s guidance to users
DoorDash advises customers to:
- Be alert for phishing emails or texts purporting to be from DoorDash
- Avoid clicking unexpected links
- Decline requests for personal information from unfamiliar websites or senders
The company says it has strengthened its internal security controls and expanded employee awareness training, and that it is continuing to cooperate with investigators.
Users who received a notification can contact DoorDash for additional information at 1-833-918-8030, referencing case ID B155060.
Security-Breaches.com Analysis
This breach underscores how a single successful social engineering attack can compromise large datasets, even at organizations with established security programs. While DoorDash claims financial data was not accessed, the combination of names, addresses, and phone numbers is more than enough to enable convincing spear-phishing and location-based scams.
The delay in disclosure may also draw the attention of Canadian regulators given mandatory breach notification obligations under federal privacy law.
Security-Breaches.com will continue to monitor the situation and update readers as more details emerge.
