
The food delivery giant DoorDash confirmed in mid-November 2025 that hackers stole personal information from millions of users. The breach affected customers, delivery workers (Dashers), and merchants across the United States, Canada, Australia, and New Zealand. An employee fell for a social engineering scam on October 25, 2025, which gave attackers access to internal company systems.
This guide explains exactly what happened, what data was stolen, and the steps you should take right now to protect yourself. Here's what you need to know:
What Information Was Stolen in the DoorDash Breach
The personal information accessed by the unauthorized third party varied by individual and may have included first and last name, phone number, email address, and physical address.
| Data Type | Was It Stolen? |
|---|---|
| Full name | Yes |
| Phone number | Yes |
| Email address | Yes |
| Physical/delivery address | Yes |
| Social Security number | No |
| Driver's license information | No |
| Bank account details | No |
| Credit/debit card numbers | No |
| Passwords | No |
The incident did not involve Social Security numbers or other government-issued identification numbers, driver's license information, or bank or payment card information. It did not affect users of the company's Wolt or Deliveroo platforms.
While DoorDash claims no "sensitive" data was stolen, security experts disagree with this characterization. Having a person's name, email, and phone number together is often enough for criminals to launch very believable phishing and smishing attacks.
How the DoorDash Breach Happened
The breach stemmed from a social engineering attack targeting a company employee and represents a growing threat vector that enterprises continue to struggle with despite years of security awareness training.
According to details shared by DoorDash, the breach originated when a hacker impersonated a trusted partner and tricked an employee into granting access to internal systems. This method bypasses technical security controls by exploiting human error rather than software weaknesses.
Timeline of the 2025 DoorDash Breach
| Date | Event |
|---|---|
| October 25, 2025 | DoorDash security team detects the breach |
| October 25, 2025 | Unauthorized access is shut down |
| October-November 2025 | Internal investigation with external cybersecurity firm |
| November 13, 2025 | DoorDash begins notifying affected users |
| November 13, 2025 | Public disclosure via company website |
While the breach was found on October 25, customers only started receiving email warnings on November 13. This 19-day delay has drawn criticism from users and privacy advocates. Users on social media have criticized DoorDash for taking almost three weeks to notify them.
Why Social Engineering Attacks Are So Dangerous
Social engineering is a manipulation technique where criminals trick people into revealing confidential information or granting system access. These attacks target human psychology rather than computer systems.
According to Palo Alto Networks, social engineering has rapidly become the top cybersecurity threat for companies, accounting for 36 percent of all intrusions from May 2024 to May 2025. This surpassed both malware incidents and software vulnerability exploits.
Social Engineering Attack Statistics for 2025
| Statistic | Value | Source |
|---|---|---|
| Percentage of breaches involving human element | 60% | Verizon DBIR 2025 |
| Social engineering as initial access vector | 36% | Palo Alto Networks |
| Phishing attacks in Q2 2025 | 1.13 million | APWG |
| Average cost of phishing breach | $4.88 million | IBM |
| Time for users to fall for phishing emails | Under 60 seconds | Verizon |
98% of cyberattacks involve social engineering tactics, making it the primary attack vector.
Threat actors such as Muddled Libra bypass multi-factor authentication and exploit IT support processes to escalate privileges in minutes, often without malware. In one case, a threat actor moved from access to domain administrator in under 40 minutes using only built-in tools and social pretexts.
DoorDash's History of Data Breaches
The October 2025 incident marks the third major security breach for DoorDash in six years.
| Year | What Happened | Users Affected | Data Exposed |
|---|---|---|---|
| 2019 | Third-party vendor breach | 4.9 million | Names, email, delivery addresses, order history, partial payment info |
| 2022 | Phishing attack on vendor (linked to Twilio breach) | Undisclosed | Names, phone numbers, email addresses, partial card data |
| 2025 | Social engineering attack on employee | Millions (exact number undisclosed) | Names, phone numbers, email addresses, physical addresses |
Both DoorDash security breaches in 2019 and 2022 were a result of third-party negligence. The company didn't experience a direct hack; the hackers targeted companies that were working with DoorDash and had access to its internal systems.
The 2019 breach exposed email addresses and partial payment info for millions, leading to lawsuits and settlements. The 2022 incident involved a phishing attack on a vendor, compromising driver data.
How to Protect Yourself After the DoorDash Breach
If you received a notification from DoorDash or believe your information may have been exposed, take these steps immediately.
Step 1: Change Your Passwords
Make sure your new password is complex and don't use the same password more than once. Update your DoorDash password and any other accounts where you used similar login credentials.
Step 2: Enable Two-Factor Authentication
Two-factor authentication provides an extra layer of security to help protect your accounts. This can make it harder for anyone to access your accounts, even if they have certain personal information.
Step 3: Watch for Phishing Attempts
DoorDash warned customers to stay alert for unsolicited messages pretending to be from the company, and urged users not to click on any links or attachments sent to them unexpectedly.
Be suspicious of:
- Emails or texts claiming to be from DoorDash
- Messages creating urgency or threatening account suspension
- Requests for passwords or payment information
- Links that don't go to official DoorDash domains
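The four warning signs above can be checked mechanically, as in this Python sketch. It is an added example, not code from DoorDash or the original article; the allowlist containing only doordash.com, the keyword patterns, and both sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains treated as official; extend for your own use.
OFFICIAL_DOMAINS = {"doordash.com"}

BRAND = re.compile(r"door\s*dash", re.I)
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspend(ed|sion)?|locked|final notice)\b", re.I)
CREDENTIALS = re.compile(
    r"\b(password|passcode|card number|cvv|payment (info|information|details))\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def is_official(url: str) -> bool:
    """True only if the URL's real host is an allowlisted domain or a subdomain of it."""
    try:
        # .hostname drops any "user@" prefix, so doordash.com@evil.example -> evil.example
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return False  # unparseable URLs are never treated as official
    # Match on a label boundary: "doordash.com.evil.example" and
    # "evil-doordash.com" must both fail.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(message: str) -> list[str]:
    """Return which of the four warning signs a message shows."""
    flags = []
    if BRAND.search(message):
        flags.append("claims_doordash")
    if URGENCY.search(message):
        flags.append("urgency")
    if CREDENTIALS.search(message):
        flags.append("asks_for_credentials")
    # Strip sentence punctuation that the URL pattern may have swallowed.
    links = [u.rstrip(".,;:!?)") for u in URL.findall(message)]
    if any(not is_official(u) for u in links):
        flags.append("unofficial_link")
    return flags

# Constructed sample messages (not real traffic); .example is a reserved TLD.
SMISH = ("DoorDash: your account will be suspended within 24 hours. "
         "Confirm your password at https://doordash.com.account-verify.example/login")
LEGIT = "Your DoorDash order is on the way. Track it at https://www.doordash.com/orders."

if __name__ == "__main__":
    for name, msg in (("SMISH", SMISH), ("LEGIT", LEGIT)):
        print(name, triage(msg))
```

A brand mention alone is not proof of fraud, since genuine messages trigger it too; the combination of flags, and above all an unofficial link, is what matters.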
Step 4: Monitor Your Accounts
After a data breach, it's essential to be vigilant and pay extra attention to your account activity – that includes your account at the company that suffered the breach, as well as your bank account and other financial accounts.
Step 5: Consider a Credit Freeze
A credit freeze, also known as a security freeze, helps restrict access to your credit report, which then makes it more difficult for other people to fraudulently open new accounts in your name.
| Credit Bureau | Website | Phone Number |
|---|---|---|
| Equifax | equifax.com | 1-800-685-1111 |
| Experian | experian.com | 1-888-397-3742 |
| TransUnion | transunion.com | 1-888-909-8872 |
Step 6: Set Up Fraud Alerts
Active fraud alerts notify lenders processing credit applications in your name that you may be a victim of fraud or identity theft and instruct them to take additional steps to verify your identity before moving ahead with the application.
The Real Risks of Contact Information Exposure
DoorDash described the stolen data as "not sensitive," but cybersecurity experts warn this assessment underestimates the danger.
With AI, it's faster and easier to assimilate large datasets. Losing your name, your address, maybe account information — all of these pieces can be taken from different events. So DoorDash may be one thing, but if they got Social Security numbers and driver's licenses from somewhere else and match that address, they could put together what we call a synthetic ID.
How Criminals Use Stolen Contact Information
| Attack Type | How It Works |
|---|---|
| Spear phishing | Personalized emails using your name and address to appear legitimate |
| Smishing | Text messages pretending to be DoorDash delivery updates |
| Vishing | Phone calls impersonating DoorDash support |
| Identity compilation | Combining data from multiple breaches to build complete profiles |
| Account takeover | Using known details to reset passwords or bypass security questions |
The breached data enables highly credible social engineering attacks. The vulnerability of a single employee to social engineering compromised millions of users' data.
What DoorDash Is Doing in Response
DoorDash said that following the incident, the company deployed new enhancements to its security systems, implemented additional training and awareness for its employees around this sort of scam, and brought in an external firm to assist in its investigation.
The company has taken these steps:
- Shut down unauthorized access immediately upon detection
- Hired an external cybersecurity forensics firm
- Reported the incident to law enforcement
- Notified affected users via email
- Set up a dedicated call center (1-833-918-8030, reference code B155060)
DoorDash said it has no indication that affected personal information has been misused for fraud or identity theft at this time.
How Companies Can Prevent Social Engineering Attacks
As organizations invest billions in perimeter defenses, firewalls, and intrusion detection systems, threat actors continue exploiting the path of least resistance: social engineering.
| Prevention Measure | Description |
|---|---|
| Security awareness training | Regular employee education on recognizing scams |
| Multi-factor authentication | Requiring multiple verification methods for system access |
| Zero-trust architecture | Verifying every access request regardless of source |
| Phishing simulations | Testing employees with fake attacks to identify vulnerabilities |
| Strict verification protocols | Requiring callbacks and secondary confirmation for sensitive requests |
| AI-driven anomaly detection | Using machine learning to identify unusual access patterns |
Experts recommend adopting zero-trust architectures, where no user or device is inherently trusted. Companies could also invest in AI-driven anomaly detection to flag unusual access patterns.
Questions to Ask About Your Data Security
The DoorDash breach highlights important questions for consumers who use food delivery and other online services.
Consider limiting the personal information you store in delivery apps. Use a forwarding email address when possible. Review which apps have access to your location data. Check if companies offer account security features like login alerts.
Industry-wide, there's a push for better data minimization—storing only essential information—to reduce breach impacts.
Conclusion: Stay Vigilant After the DoorDash Breach
The DoorDash data breach of October 2025 exposed the contact information of millions of users across four countries. While no financial data was stolen, the exposed names, addresses, phone numbers, and emails create real risks for targeted phishing attacks and identity theft.
Take action now by changing your passwords, enabling two-factor authentication, and watching for suspicious communications. Consider freezing your credit as a preventive measure.
This serves as a stark reminder that the Human Firewall is cracking under the pressure of AI-enhanced social engineering. This is a systemic, industry-wide challenge as cybercriminals increasingly shift from targeting technical infrastructure to targeting people.
If you believe you've been affected by this breach, contact DoorDash at 1-833-918-8030 (reference code B155060) or visit IdentityTheft.gov if you suspect fraud.