DoorDash Discloses Data Breach Following Employee Social Engineering Attack


DoorDash has begun notifying customers, delivery workers (Dashers), and merchants of a recent data security incident that resulted in exposure of personal information. The company confirmed the breach after copies of notification letters appeared across social media.
Overview of the Incident
According to DoorDash, the breach was discovered on October 25 and stemmed from a social engineering attack targeting one of its employees. By manipulating the employee into granting access, threat actors were able to infiltrate internal systems and view limited user information.
Once unusual activity was detected, DoorDash’s internal security team immediately revoked access, initiated an investigation, and referred the matter to law enforcement authorities.
What Information Was Compromised?
While the investigation is ongoing, DoorDash stated that only basic personal information was exposed. This includes:
- Customer, Dasher, and merchant names
- Physical addresses
- Email addresses
- Phone numbers
Crucially, DoorDash emphasized that no sensitive data was accessed. The categories it says were not accessed include:
- Social Security numbers
- Government-issued identification
- Driver’s license information
- Bank account details
- Payment card information
At this time, the company reports no evidence that the stolen data has been misused for fraud or identity theft.
Global Impact and Affected Users
DoorDash operates across the United States, Canada, Australia, and New Zealand, and early indicators suggest users in all regions may be affected. Notification letters direct U.S. and Canadian users to one call center and international users to another, implying a broad geographic scope.
DoorDash clarified that the incident does not affect customers of Wolt or Deliveroo, two companies with operational ties to DoorDash.
The company has neither disclosed how many individuals were impacted nor provided a detailed breakdown by region.
DoorDash's Response and Next Steps
The company notes that it has:
- Contained the breach by shutting down unauthorized access
- Launched a full internal investigation
- Engaged law enforcement
- Begun notifying affected individuals as required
DoorDash encourages users to remain vigilant for suspicious messages or unexpected account activity, as social engineering attacks often lead to follow-on phishing attempts.
Key Takeaway
This incident highlights the ongoing risk that human-targeted attacks pose to even the most well-resourced organizations. While DoorDash reports no compromise of financial or highly sensitive data, the exposure of personal contact information can still fuel phishing campaigns or spam attacks.
As investigations continue, DoorDash is expected to provide additional updates to regulators and the public.

