DoorDash hit by new data breach in October exposing user data

DoorDash has disclosed a data breach that hit the food delivery platform this October.

Starting yesterday evening, DoorDash, which serves thousands and thousands of customers throughout the U.S., Canada, Australia, and New Zealand, began emailing those impacted by the newly disclosed security incident.

Your private data affected

“On October 25, 2025, our team recognized a cybersecurity incident that involved an unauthorized third party having access to and taking certain user contact data, which varied by individual,” states the email notification from DoorDash.

The data might have included:

  • First and last name
  • Physical address
  • Phone number
  • Email address

“Our investigation has since confirmed that your private data was affected.”

DoorDash email notifications disclosing security incident from October (BleepingComputer)

The incident has been traced to a DoorDash employee falling victim to a social engineering scam. Upon becoming aware, the company’s incident response team shut down the unauthorized party’s access, began an investigation, and referred the matter to law enforcement.

This marks the third notable security incident suffered by the delivery giant.

In 2019, a data breach at DoorDash had exposed the information of roughly 5 million customers, Dashers and merchants to an unauthorized party.

In August 2022, the company encountered another data breach from threat actors who had also attacked Twilio that year.

The French translation follows

What’s interesting is that a French translation of the notice is appended to these emails:

French translation of security incident disclosure (BleepingComputer)

Right now, it seems that the emails primarily went to DoorDash Canada users (including myself). However, an undated security advisory posted on DoorDash’s website includes wording that suggests the incident might extend beyond Canada, including references to US-specific data types, like Social Security Numbers (SSNs), which DoorDash says were not accessed. (The Canadian counterpart would have been Social Insurance Numbers (SINs).)

BleepingComputer has approached the DoorDash press team to seek clarification on whether the breach also impacts users based in the US and other regions where DoorDash operates.

‘Took 19 entire days’

Some users on social media have rebuked DoorDash, questioning the company’s handling of the incident and the timing of the notifications.

“I am sorry – if this is not sensitive information, what is? Do not downplay this just because they did not get credit card or password information. It is tone deaf,” posted Chris from Toronto.

Cybersecurity expert Kostas T. also reacted to the email’s phrasing, expressing that the statement “no sensitive information was accessed” conflicted with the personal information that the company acknowledged was accessed.

“DoorDash took 19 entire days to notify me of a data breach that has leaked my personal information. Luckily I used a fake name and forwarded email address for my account, but my real phone number and physical address have been leaked,” wrote X user itsohqay.

“This is extremely unprofessional, dangerous, and potentially illegal behaviour from DoorDash… This process violates Canadian data breach law. I will be filing a case against DoorDash in provincial small claims court and making a complaint to the Office of the Privacy Commissioner of Canada.”

Users should be cautious of unsolicited communications or targeted phishing emails appearing to originate from DoorDash.

DoorDash warns that you should avoid clicking on links or attachments within suspicious emails, and refrain from providing any personal information to unfamiliar websites.

“We have already taken steps to respond to the incident, including deploying enhancements to our security systems, implementing additional training for our employees, bringing in a leading cybersecurity forensic firm to assist in our investigation of this issue, and notifying law enforcement for ongoing investigation,” states the company.

DoorDash users with questions related to the incident can further call the toll-free number +1-833-918-8030 and cite reference code: B155060.

BleepingComputer awaits a response from DoorDash on the exact scope of the incident.
