DoorDash experienced a data breach affecting **4.9 million customers, drivers (Dashers), and merchants** after an attacker used credentials obtained from a **third-party vendor** to gain unauthorized access. Exposed data included **names, email addresses, phone numbers, delivery addresses, order history hashes, and the last four digits of payment cards** for Dashers. While **no full financial details, SSNs, or government IDs were compromised**, the leaked contact information heightens the risk of **targeted phishing, smishing (SMS scams), and vishing (voice fraud)**, with attackers able to impersonate DoorDash support or merchants convincingly because they hold real order and address details. The breach originated from **social engineering**: a vendor employee was tricked into divulging access credentials. DoorDash blocked the intrusion, engaged law enforcement, and began notifying affected users; no direct fraud or identity theft has been confirmed so far. The incident underscores the exposure created by **supply chain attacks** and the persistent threat of human manipulation in breaches.
Source: https://www.findarticles.com/doordash-breach-exposed-phone-numbers-and-addresses/
DoorDash cybersecurity rating report: https://www.rankiteo.com/company/doordash
{
  "id": "DOO5993759111725",
  "linkid": "doordash",
  "type": "Breach",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "4.9 million (customers, drivers, merchants)",
      "industry": "Technology / Logistics",
      "location": "United States (Global Operations)",
      "name": "DoorDash",
      "type": "Food Delivery Platform"
    }
  ],
  "attack_vector": ["Third-Party Vendor Compromise", "Credential Theft", "Social Engineering"],
  "customer_advisories": [
    "Be wary of texts/calls/emails about the breach asking for clicks or login details.",
    "Navigate directly to the DoorDash app/website instead of clicking links.",
    "Enable MFA (preferably app-based) and monitor account activity.",
    "Check saved payment methods and update reused passwords."
  ],
  "data_breach": {
    "data_exfiltration": true,
    "number_of_records_exposed": "4.9 million",
    "personally_identifiable_information": ["Names", "Email Addresses", "Phone Numbers", "Physical Addresses"],
    "sensitivity_of_data": "Moderate (no full financial or government ID data)",
    "type_of_data_compromised": ["Personal Identifiable Information (PII)", "Contact Information", "Partial Payment Data"]
  },
  "description": "Restaurant and food delivery service DoorDash confirmed a data breach affecting 4.9 million customers, drivers, and merchants. An attacker used credentials obtained through a third-party service provider to gain unauthorized access to user data, including names, email addresses, delivery addresses (with phone numbers), order history hashes, and partial payment card details (last four digits). While no financial fraud or identity theft was confirmed, the exposed contact details increase the risk of targeted phishing, smishing, and vishing attacks. DoorDash blocked unauthorized access, notified law enforcement, and began alerting affected accounts.",
  "impact": {
    "brand_reputation_impact": "Moderate (trust erosion, media coverage)",
    "customer_complaints": "Expected increase due to phishing risks",
    "data_compromised": ["Names", "Email Addresses", "Phone Numbers", "Physical Addresses", "Order History Hashes", "Last Four Digits of Payment Cards (Dashers only)"],
    "identity_theft_risk": "Low (no SSNs, full payment cards, or government IDs exposed)",
    "operational_impact": "Increased risk of phishing/smishing/vishing attacks; reputational harm; customer notification efforts",
    "payment_information_risk": "Low (only last four digits of payment cards for Dashers)"
  },
  "initial_access_broker": {
    "entry_point": "Third-party service provider credentials (obtained via social engineering)",
    "high_value_targets": ["Customer PII", "Dasher partial payment data"],
    "reconnaissance_period": "Approximately two weeks before the breach"
  },
  "investigation_status": "Ongoing (collaboration with law enforcement)",
  "lessons_learned": [
    "Supply chain vulnerabilities remain a critical risk vector, especially for third-party vendors with access to credentials.",
    "Social engineering continues to be a dominant attack method, bypassing technical controls.",
    "Contact information (phone numbers, addresses) can enable highly targeted phishing campaigns even without financial data exposure.",
    "Proactive user education and phishing-resistant MFA are essential for mitigating post-breach risks."
  ],
  "motivation": ["Data Theft", "Potential Fraud Enablement"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Review and strengthen third-party vendor security protocols.",
      "Enhance monitoring for unusual access patterns.",
      "Expand employee training on social engineering threats.",
      "Implement stricter authentication for high-risk systems."
    ],
    "root_causes": [
      "Social engineering attack on a third-party vendor employee leading to credential compromise.",
      "Insufficient safeguards against supply chain attacks (e.g., vendor access controls).",
      "Lack of detection for unauthorized access over a two-week period."
    ]
  },
  "recommendations": [
    "Implement phishing-resistant multifactor authentication (MFA) for all employees and third-party vendors.",
    "Enforce least-privilege access principles to limit exposure from compromised credentials.",
    "Conduct regular security awareness training focused on social engineering tactics.",
    "Monitor for unusual activity in third-party vendor accounts with access to sensitive systems.",
    "Users should: enable app-based MFA (avoid SMS), check account activity for suspicious logins, avoid reusing passwords, and verify unsolicited communications via official channels.",
    "Organizations should prepare for secondary attacks (e.g., smishing, vishing) leveraging exposed contact data."
  ],
  "references": [
    {"source": "DoorDash Official Blog"},
    {"source": "Verizon Data Breach Investigations Report (DBIR)", "url": "https://www.verizon.com/business/resources/reports/dbir/"},
    {"source": "FBI Internet Crime Complaint Center (IC3)", "url": "https://www.ic3.gov/"},
    {"source": "IBM Cost of a Data Breach Report 2023", "url": "https://www.ibm.com/reports/data-breach"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": ["Expected under state breach-notification laws (e.g., California Consumer Privacy Act)"]
  },
  "response": {
    "communication_strategy": ["Public blog post", "Direct notifications to affected users", "Media statements"],
    "containment_measures": ["Blocked unauthorized access"],
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true,
    "recovery_measures": ["Notifying affected users via in-app/email"]
  },
  "stakeholder_advisories": [
    "Customers, Dashers, and merchants advised to watch for phishing attempts citing order history or delivery addresses.",
    "Official notifications will never request passwords or full payment details."
  ],
  "title": "DoorDash Data Breach Affecting 4.9 Million Users",
  "type": ["Data Breach", "Supply Chain Attack", "Social Engineering"],
  "vulnerability_exploited": "Human error (social engineering of third-party employee)"
}