DoorDash Discloses October Cybersecurity Breach Exposing User Contact Information

DoorDash disclosed a new data breach after a social engineering attack exposed user contact information in October, prompting concerns over delayed notification and heightened phishing risks.

    DoorDash has confirmed a new data breach affecting customers, delivery workers, and merchants after an attacker accessed user contact information in late October. The company began notifying impacted individuals on Thursday evening, marking DoorDash’s third major security incident in recent years.

    According to the email notice, DoorDash detected the intrusion on October 25, 2025, after identifying that an unauthorized party had accessed and exfiltrated certain user data. The company stated that the information exposed varied by individual but may include full names, physical addresses, phone numbers, and email addresses.

    “We have since confirmed that your personal information was affected,” the notification said.

    Social Engineering Attack Behind the Breach

    DoorDash traced the incident back to a successful social engineering scam targeting one of its employees. The attacker gained access using compromised credentials, after which DoorDash’s security team terminated the unauthorized session, launched an internal investigation, and alerted law enforcement.

    The company has not disclosed how many people were affected. However, the impacted group includes consumers, Dashers, and merchants across the regions where DoorDash operates.

    This breach adds to DoorDash’s history of security incidents. In 2019, roughly five million users had their data exposed. Another breach followed in 2022, linked to threat actors who also compromised Twilio that same year.

    Questions Over Notification Timing and Regional Impact

    A notable feature of the recent notices is the inclusion of a French-language translation. Most affected users identified so far appear to be in Canada. However, a security advisory published on DoorDash’s website references U.S.-specific identifiers, such as Social Security Numbers, which the company says were not accessed. That detail raises the possibility that the incident extends beyond Canada, a question BleepingComputer has asked the company to clarify.

    Some recipients criticized the nearly three-week delay between the incident and notification. Several users took to social media to question DoorDash’s phrasing that “no sensitive information was accessed,” arguing that physical addresses and phone numbers are indeed sensitive and can be exploited in phishing or social engineering schemes. One Canadian user stated they intend to file complaints both in small claims court and with the Office of the Privacy Commissioner of Canada.

    Increased Phishing Risks for DoorDash Customers

    Security experts warn that exposed contact information can fuel targeted phishing campaigns. Attackers may impersonate DoorDash to trick users into clicking fraudulent links or revealing additional personal details. DoorDash is urging customers to avoid interacting with suspicious messages and to verify communications through official channels.

    The company said it has deployed additional security controls, brought in a cybersecurity forensic firm, and expanded employee training following the incident. It has also opened a dedicated hotline for inquiries at +1-833-918-8030, referencing case code B155060.
