DoorDash's 3rd data breach exposes millions! User data leaked in October, sparking outrage and security fears.

Continue reading
The food delivery giant DoorDash is reeling from its third significant data breach in six years.
Yes! The company confirmed this week that a sophisticated social engineering scam duped an employee, allowing a threat actors to pillage a trove of user contact information and exposing millions of customers, "Dasher" drivers, and merchants to heightened risk of phishing and identity theft.**
The breach unfolded on October 25, 2025, when DoorDash's security team detected an unauthorized party accessing its systems. Yet, in a move that has sparked fury and legal threats, the company waited a staggering 19 days before beginning to notify the victims on November 13 .
The culprit? A single, targeted social engineering attack tricked a DoorDash employee into granting access, proving that the human element remains the weakest link in cybersecurity.
While DoorDash has downplayed the severity by stating “no sensitive information was accessed,” the stolen data paints a frighteningly complete picture of users’ digital identities. The exposed information varies by individual but includes :
| Affected Group | Types of Information Exposed |
|---|---|
| Customers | Full name, physical address, phone number, email address |
| Dashers | Full name, physical address, phone number, email address |
| Merchants | Full name, physical address, phone number, email address |
This information is a gold mine for phishers and scammers, who can use it to craft highly convincing, targeted attacks.
The 19-day notification delay has ignited a firestorm of criticism and fear. One user on social media platform X lamented, "DoorDash took 19 whole days to notify me... my real phone number and physical address have been leaked" .
Another user, Chris from Toronto, challenged the company's attempt to downplay the breach, stating, "I'm sorry - if this isn't sensitive information, what is? Don't downplay this just because they didn't get credit card or password information. It's gone deaf" . The outrage has escalated to real-world consequences, with at least one user vowing to file a case in provincial small claims court and lodge a formal complaint with the Office of the Privacy Commissioner of Canada, alleging a violation of data breach laws .
This 2025 incident is not an isolated event but part of a deeply concerning pattern for the delivery giant :
This "three-peat" of security failures has left experts and users questioning if the company has truly learned from its past mistakes.
If you are among the millions of DoorDash users, your vigilance is your best defense. Here’s what you must do immediately :
In response to the crisis, DoorDash has issued a statement outlining its remedial actions, which include "deploying enhancements to our security systems, implementing additional training for our employees, bringing in a leading cybersecurity forensic firm... and notifying law enforcement".
The company has set up a dedicated, toll-free hotline for users with questions: +1-833-918-8030 (reference code: B155060)
As the investigation continues, one question lingers in the minds of users worldwide: Is DoorDash finally building a fortress, or just rearranging the deck chairs on a ship that has already been breached three times?

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been