DoorDash Data Breach: User Information Exposed in October Incident

DoorDash recently confirmed a data breach that affected the popular food delivery platform in October. The breach has impacted a significant number of users across the United States, Canada, Australia, and New Zealand. Affected individuals have started receiving email notifications regarding the security incident.

Impact on Personal Information

According to the email notification from DoorDash, the cybersecurity incident occurred on October 25, 2025, where an unauthorized third party gained access to and obtained certain user contact information. The compromised data varied by individual, but it may have included details such as first and last names, physical addresses, phone numbers, and email addresses. DoorDash has confirmed that personal information of users was indeed affected by the breach.

The security incident was traced back to a DoorDash employee falling victim to a social engineering scam. Upon detecting the breach, DoorDash’s incident response team immediately took action to shut down the unauthorized party’s access, initiated an investigation, and reported the matter to law enforcement authorities.

While the exact number of affected users was not disclosed, DoorDash clarified that the breach impacted a mix of consumers, Dashers (delivery drivers), and merchants.

This incident marks the third significant security breach experienced by DoorDash. In 2019, a data breach exposed the information of approximately 5 million customers, Dashers, and merchants to an unauthorized entity. Additionally, in August 2022, the company faced another data breach orchestrated by threat actors who had also targeted Twilio earlier that year.

French Translation and International Impact

Interestingly, DoorDash appended a French translation of the security incident notice to the emails sent out to users. While the emails primarily targeted DoorDash Canada users, an undated security advisory on DoorDash’s website suggests that the incident may extend beyond Canada. The advisory mentions U.S.-specific data types like Social Security Numbers (SSNs), which DoorDash confirms were not accessed (the Canadian counterpart being Social Insurance Numbers – SINs).

BleepingComputer has reached out to DoorDash’s press team for clarification on whether users in the U.S. or other regions where the company operates were also affected by the breach.

Criticism and User Reactions

Some users took to social media to criticize DoorDash’s handling of the incident and the timing of the notifications. Concerns were raised about the sensitivity of the accessed information and the discrepancy between the company’s statement that no sensitive information was accessed and the acknowledgment that personal data was compromised.

One user from Toronto expressed disappointment in DoorDash’s response, highlighting the potential risks associated with the leaked personal information. Cybersecurity professionals and affected users alike raised concerns about the delay in notifying users of the breach and the need for more transparent communication from DoorDash.

Recommendations and Response Actions

DoorDash advises users to remain cautious of unsolicited communications or targeted phishing emails that appear to be from DoorDash. Users are urged to refrain from clicking on links or attachments in suspicious emails and to avoid disclosing personal information to unfamiliar websites.

The company has taken steps to address the incident, including enhancing its security systems, providing additional training for employees, engaging a leading cybersecurity forensic firm to assist in the investigation, and collaborating with law enforcement for ongoing inquiries.

Users with inquiries related to the security incident can contact DoorDash’s toll-free number at +1-833-918-8030 and reference the code B155060 for assistance.

Conclusion

DoorDash’s recent data breach has highlighted the importance of cybersecurity measures and proactive response strategies in safeguarding user information. As the company navigates through the aftermath of the incident, transparency, communication, and user education will be key in rebuilding trust and ensuring data security moving forward.