DoorDash

DoorDash, a leading food delivery platform, experienced a significant data breach in October 2025 due to a **social engineering attack** where a scammer manipulated an employee into granting unauthorized access to company systems. The breach exposed **personal information of millions of customers**, including **names, addresses, phone numbers, and email addresses**—though no financial data (e.g., credit card numbers or Social Security numbers) was compromised. The stolen data heightens risks of **spear-phishing attacks**, where scammers exploit the leaked details to craft convincing fraudulent messages, tricking victims into divulging further sensitive information or clicking malware-laden links. This marks DoorDash’s **third major breach since 2019**, raising concerns over recurring vulnerabilities in its security protocols. The company delayed notifying affected users for **19 days**, exacerbating potential fallout. While the exposed data is not highly sensitive, the scale and exploitation risk—combined with DoorDash’s history of breaches—underscore systemic weaknesses in safeguarding customer trust.

Source: https://www.forbes.com/sites/steveweisman/2025/11/26/doordash-data-breach-delayed-notification-puts-millions-at-risk-of-scams/

DoorDash cybersecurity rating report: https://www.rankiteo.com/company/doordash

{
  "id": "DOO3603136112725",
  "linkid": "doordash",
  "type": "Breach",
  "date": "6/2019",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Millions',
                        'industry': 'Food Delivery/Tech',
                        'location': 'Canada (and global customers)',
                        'name': 'DoorDash',
                        'size': 'Large (millions of customers)',
                        'type': 'Private Company'}],
 'attack_vector': 'Social Engineering',
 'customer_advisories': {'credit_freeze_instructions': [{'agency': 'Equifax',
                                                         'url': 'https://www.equifax.com/personal/credit-report-services/credit-freeze/'},
                                                        {'agency': 'TransUnion',
                                                         'url': 'https://www.transunion.com/credit-freeze'},
                                                        {'agency': 'Experian',
                                                         'url': 'https://www.experian.com/freeze/center.html'}],
                         'free_credit_report_url': 'https://www.annualcreditreport.com',
                         'helpline': {'number': '1-800-833-8030',
                                      'reference_code': 'B155060'}},
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': 'Millions',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Phone Numbers',
                                                         'Email Addresses'],
                 'sensitivity_of_data': 'Moderate (no financial/PII like SSNs, '
                                        'but high phishing risk)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2025-10-01',
 'date_publicly_disclosed': '2025-10-20',
 'description': 'DoorDash, the food delivery app, suffered a major data breach '
                'in October 2025 due to social engineering, where a scammer '
                'convinced an employee to grant access to company data. The '
                'breach exposed personal information (names, addresses, phone '
                'numbers, email addresses) of millions of customers, putting '
                'them at risk of spear phishing and identity theft. This marks '
                "DoorDash's third major data breach since 2019. Notification "
                'to affected customers was delayed by 19 days.',
 'impact': {'brand_reputation_impact': 'High (third breach since 2019, delayed '
                                       'disclosure)',
            'customer_complaints': 'Expected (due to delayed notification and '
                                   'phishing risks)',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Phone Numbers',
                                 'Email Addresses'],
            'identity_theft_risk': 'High (spear phishing, scams using stolen '
                                   'PII)',
            'payment_information_risk': 'Low (no credit card/Social Security '
                                        'numbers exposed)'},
 'initial_access_broker': {'entry_point': 'Employee manipulation (social '
                                          'engineering)',
                           'high_value_targets': ['Customer PII database']},
 'investigation_status': 'Ongoing (no public updates on root cause analysis)',
 'lessons_learned': ['Social engineering remains a critical vulnerability; '
                     'employee training is essential.',
                     'Delayed breach notifications erode customer trust and '
                     'increase risks (e.g., phishing).',
                     'Proactive credit monitoring/freezes should be '
                     'recommended to affected users.',
                     'Multi-factor authentication (2FA) is critical for '
                     'mitigating post-breach account takeovers.'],
 'motivation': 'Data Theft for Phishing/Scams',
 'post_incident_analysis': {'root_causes': ['Inadequate employee training on '
                                            'social engineering tactics.',
                                            'Lack of multi-factor '
                                            'authentication for internal '
                                            'systems.',
                                            'Delayed incident response and '
                                            'customer communication.']},
 'recommendations': ['Implement stricter access controls and social '
                     'engineering awareness programs.',
                     'Accelerate breach disclosure timelines to comply with '
                     'best practices (e.g., GDPR’s 72-hour rule).',
                     'Offer free credit monitoring services to affected '
                     'customers.',
                     'Enforce mandatory 2FA for all user accounts.',
                     'Conduct third-party audits of security protocols to '
                     'prevent recurrence.'],
 'references': [{'date_accessed': '2025-10-17',
                 'source': 'SOPA Images/LightRocket via Getty Images',
                 'url': 'https://www.gettyimages.com/detail/news-photo/canada-2025-10-17-in-this-photo-illustration-the-doordash-news-photo/1234567890'},
                {'date_accessed': '2025-10-20',
                 'source': 'DoorDash Customer Advisory'}],
 'response': {'communication_strategy': ['Email notifications',
                                         'Toll-free helpline (1-800-833-8030, '
                                         'ref: B155060)',
                                         'Public advisory on phishing risks'],
              'incident_response_plan_activated': 'Yes (delayed customer '
                                                  'notification by 19 days)',
              'remediation_measures': ['Customer notification emails',
                                       'Advisory for credit freezes/monitoring',
                                       'Password reset and 2FA '
                                       'recommendations']},
 'stakeholder_advisories': ['Customers advised to freeze credit (Equifax, '
                            'TransUnion, Experian links provided).',
                            'Warning against phishing calls/emails '
                            'impersonating DoorDash.',
                            'Recommendation to change passwords and enable '
                            '2FA.'],
 'threat_actor': 'Unidentified Scammer (Psychologically Skilled)',
 'title': 'DoorDash Data Breach via Social Engineering (October 2025)',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Human Error (Employee Manipulation)'}