You’d think after getting breached twice in three years, a company might, I don’t know, invest in some actual cybersecurity. But nope, DoorDash just couldn’t resist going for the hat trick. Welcome to breach number three, folks. Third time’s the charm, right?
What Happened This Time
On October 25, 2025, DoorDash suffered another data breach after one of their employees fell for a social engineering attack. The attackers gained access to internal systems and made off with user contact information including names, addresses, phone numbers, and email addresses.
The breach affected a mix of customers, Dashers (their delivery drivers), and merchants. DoorDash hasn’t disclosed exactly how many people were impacted, but given their user base, we’re likely talking about a substantial number.
Oh, and here’s the kicker: the breach happened on October 25, but DoorDash didn’t start notifying users until November 13. That’s 19 whole days between the incident and notification. I’m sure that delay had absolutely nothing to do with wanting to get through Halloween and maybe a few more earnings calls first. Purely coincidental timing, I’m sure.
The “No Sensitive Information” Bullshit
In the notification emails, DoorDash had the absolute audacity to claim that “no sensitive information was accessed.” Let me just… deep breath… okay, let’s unpack that.
They admitted that names, phone numbers, email addresses, and postal addresses were compromised. But apparently, that’s not “sensitive” information according to DoorDash.
You know what happens when attackers have your name, phone number, email, and home address? Targeted phishing attacks. SIM swapping. Identity theft. Harassment. Stalking. But sure, totally not sensitive.
DoorDash’s own security advisory mentions that Social Security Numbers might have been compromised for some users, which makes the “no sensitive information” claim even more laughable.
A History of Getting Pwned
Let’s take a stroll down DoorDash’s breach memory lane, shall we?
2019: DoorDash suffered a massive breach affecting 4.9 million customers, drivers, and merchants. They blamed an unnamed third-party vendor.
2022: Another breach via a third-party vendor that got phished. DoorDash said it was a “sophisticated phishing campaign” targeting the vendor’s employees. Exposed data included names, emails, phone numbers, and addresses.
2025: And here we are again. Employee falls for social engineering. Data gets stolen. Users get notified weeks later. Same song, different verse.
Seeing a pattern? DoorDash has a serious problem with social engineering attacks and third-party vendor security. And they don’t seem to be learning from their mistakes.
The Social Engineering Problem
The October 2025 breach happened because a DoorDash employee was tricked by a social engineering scam. We don’t have details on exactly what the scam looked like, but it was effective enough to grant attackers access to internal systems.
Social engineering works because it targets the weakest link in any security system: humans. You can have the best firewalls, intrusion detection systems, and encryption in the world, but if an employee can be tricked into handing over credentials or access, none of that matters.
After the breach, DoorDash claims to have implemented “additional training for our employees.” You know what? They said similar shit after the 2022 breach. How’s that working out?
User Reactions
Social media lit up with frustrated DoorDash users questioning the company’s security practices and the delayed notification timeline.
One user pointed out the irony: “DoorDash took 19 whole days to notify me of a data breach that has leaked my personal information. Thankfully I used a fake name and forwarded email address for my account, but my real phone number and physical address have been leaked.”
That’s actually solid operational security right there. Using alias emails and fake names for services you don’t fully trust is a smart move. Maybe more people should consider it.
What DoorDash Says They’re Doing
According to their breach notification, DoorDash has:
- Cut off the unauthorized party’s access (you know, after they already stole the data)
- Started an investigation (19 days later)
- Referred the matter to law enforcement
- Deployed “enhancements” to security systems (whatever that means)
- Implemented additional employee training (again)
- Brought in a “leading cybersecurity forensic firm” to assist
In other words: standard post-breach PR boilerplate. We’ve locked the barn door now that the horses are in the next county, hired some consultants to look concerned, and promised to do better next time.
What Users Should Do
If you’re a DoorDash customer, Dasher, or merchant, here’s what you need to know:
1. Assume your contact information is compromised. Even if you haven’t received a notification yet, if you use DoorDash, your data might be out there.
2. Watch out for targeted phishing attempts. Attackers now have enough information to craft convincing phishing emails or texts claiming to be from DoorDash, delivery services, or other companies.
3. Don’t click links or attachments in suspicious emails. DoorDash warns users to avoid this in their notification, which is good advice even outside of breach contexts.
4. Consider using email forwarding services and alias email addresses for accounts you create with companies that have a history of breaches. Services like SimpleLogin, AnonAddy, or even Apple’s Hide My Email can help compartmentalize your data.
5. Monitor your accounts for suspicious activity. Set up alerts for account changes, login attempts, and transactions.
6. Don’t provide personal information to unfamiliar websites or callers, even if they claim to be from DoorDash support.
The Real Problem
DoorDash’s repeated breaches point to a fundamental issue: cybersecurity is not being treated as a core business priority. They’re a tech company built on a digital platform, yet they keep getting compromised through relatively basic attack vectors.
Social engineering attacks are preventable. Not 100% preventable—humans will always be the weakest link—but with proper training, security culture, technical controls like phishing-resistant MFA, and vendor security requirements, you can dramatically reduce the risk.
Three breaches in six years suggests that whatever DoorDash is doing after each incident isn’t working. The “additional training” and “security enhancements” clearly aren’t sufficient.
Maybe—and I’m just spitballing here—they should consider implementing some of the frameworks and best practices that other companies use to actually prevent this shit? Novel idea, I know.
At some point, users and regulators need to hold companies accountable for repeated security failures. One breach? Okay, shit happens. Two breaches? You should have learned something. Three breaches? That’s a pattern of negligence.
DoorDash says protecting user information is a “top priority.” Their track record suggests otherwise.
