DoorDash has confirmed a data breach that exposed personal information belonging to an undisclosed number of users, including names, email addresses, phone numbers, and physical addresses. The company acknowledged the incident in a recent update, noting that the breach affected customers, delivery partners, and merchants across its platform.
Despite the exposure of phone numbers and home addresses, DoorDash emphasized that “no sensitive information was accessed by the unauthorized third party and we have no indication the data has been misused for fraud or identity theft at this time.” The company added that none of the compromised data included “Social Security numbers, other government-issued identification numbers, driver’s license information, or bank or payment card information.”
According to DoorDash, the breach began after an employee fell victim to a social engineering attack. Once the company detected the intrusion, it immediately cut off the threat actor’s access, launched an internal investigation, and notified law enforcement.
While a company spokesperson, Michelle Babin, declined to disclose how many people were impacted, she reiterated the points from the official blog post. DoorDash has begun notifying affected users as part of its response efforts.
The incident highlights ongoing risks posed by social engineering and reinforces the need for stronger employee cybersecurity awareness across organizations.
