DoorDash has confirmed a significant data breach involving the unauthorized exposure of personal information belonging to an unspecified number of customers, delivery drivers, and merchants. The compromised data includes names, email addresses, phone numbers, and physical addresses, stemming from a sophisticated social engineering attack targeting company employees.
How the Security Incident Occurred
The breach was triggered when a DoorDash employee fell victim to a social engineering scheme, granting unauthorized actors entry into the company’s internal systems. Upon discovering the intrusion, the organization moved to terminate the hackers’ access, launched a comprehensive forensic investigation, and alerted law enforcement authorities, as detailed in the company’s official security update.
What Data Was Exposed—And What Remained Safe
While the breach involved contact details and location data, DoorDash maintains that no highly sensitive financial or government-issued data was compromised. The company explicitly stated that the following information was not accessed:
- Social Security numbers
- Driver’s license information
- Government-issued identification numbers
- Bank account or payment card details
Despite the theft of phone numbers and physical addresses, DoorDash spokesperson Michelle Babin stated that the company has “no indication the data has been misused for fraud or identity theft at this time.” However, the company declined to disclose the exact number of individuals affected by the incident.
History of Security Challenges
This incident marks another hurdle for the delivery giant, which previously suffered a major security failure in 2019. During that breach, hackers accessed the records of approximately 5 million users, including customers, merchants, and couriers. That earlier incident, attributed to a third-party vendor, took five months to detect.
DoorDash has confirmed that it has already begun notifying all individuals impacted by this most recent security incident.