DoorDash Confirms Data Breach After Employee Targeted in Social Engineering Attack

DoorDash confirmed a data breach exposing user data after an employee fell victim to a targeted social engineering attack.

Executive Summary

  • DoorDash has confirmed a data breach resulting from a social engineering attack that targeted an employee.
  • Exposed data includes the names, email addresses, phone numbers, and physical addresses of customers, delivery workers, and merchants.
  • The company states no financial or government ID information was compromised and it has notified law enforcement.
  • Security experts criticize DoorDash’s claim that no sensitive information was accessed, warning the data can be used for sophisticated fraud.
  • This is the third major security incident reported by the company since 2019, prompting calls for enhanced security measures.

DoorDash has confirmed a significant data breach that exposed the personal information of customers, delivery workers, and merchants. The company stated the incident resulted from a targeted social engineering attack on an employee, which allowed unauthorized access to its internal systems.

According to a statement from DoorDash, the compromised information includes names, email addresses, phone numbers, and physical delivery addresses. The company emphasized that no financial data, such as credit card or bank account numbers, or government-issued identification was accessed. DoorDash reported it has found no evidence of fraud or identity theft resulting from the incident, has revoked the unauthorized access, and has notified law enforcement.

Security experts have challenged the company’s characterization of the exposed data. Kiran Chinnagangannagari, Chief Product & Technology Officer at Securin, noted that the breach “underscores how human factors continue to outpace technical defenses.” He warned that the stolen data enables highly personalized phishing and smishing attacks, adding, “In 2025, a phone number is a digital identity, a key to multifactor authentication and account takeover.”

Clyde Williamson, Senior Product Security Architect at Protegrity, described DoorDash’s response as “déjà vu with denial.” He argued that claiming no sensitive data was accessed is misleading. “They claim no sensitive data was accessed while confirming the theft of names, emails, and addresses—that’s sensitive,” Williamson stated. “Attackers don’t breach systems for worthless data.” He suggested that de-identifying or tokenizing such information would have rendered it useless to attackers.

Sandy Kronenberg, CEO of Netarx, framed the incident as a failure of trust rather than technology. “This breach didn’t start with a firewall failure—it started with a human,” he said, pointing to the increasing sophistication of AI-driven social engineering tactics like deepfake voice calls. He called for new methods to validate the authenticity of human interactions in real time.

This marks the third major security incident for DoorDash since 2019. The recurrence has led experts to call for a structural reassessment of the company’s overall security posture, particularly concerning the protection of personal data and defenses against human-targeted cyberattacks.
