employee social engineering scam

Another day, another data breach. Food delivery giant DoorDash has announced its systems were compromised on October 25, 2025, after an employee fell victim to a social engineering attack. This marks the company’s third major security incident since 2019. Seriously, three strikes and you’re still delivering?

The breach potentially exposed personal information of 2 to 4 million individuals, including customers, delivery drivers, and merchant partners. It took DoorDash nearly two weeks to notify affected users, with alerts finally sent between November 11 and 13. Better late than never, I guess.

Compromised data includes names, contact information, and partial payment information—specifically card brands, expiration dates, and those last four digits everyone thinks are so secure. Postal codes and email addresses may have also been snatched. The company has directly contacted impacted individuals, assuring them that no sensitive information like Social Security numbers or banking details was compromised. The good news? Full payment details and passwords apparently weren’t accessed. Small comfort when your personal info is floating around the dark web.

This breach follows a familiar pattern for DoorDash. In 2022, attackers compromised 367,500 unique email addresses through a third-party vendor. Before that, a 2019 incident exposed user data. The company seems to be developing quite the reputation—just not the kind they want.

The attackers bypassed technical defenses by going straight for the human weakness. An employee was tricked into handing over access credentials. Classic move. These social engineering tactics keep working because humans are, well, human.

DoorDash confirmed the breach through official channels but has been tight-lipped about specific security improvements. They’ve encouraged users to monitor their accounts for suspicious activity. Really helpful advice after your data’s already been stolen.

For a company handling millions of transactions and sensitive customer information, this recurring security problem raises serious questions. Three breaches in six years? Maybe it’s time DoorDash invested as much in security as they do in those non-stop TV commercials.
