DoorDash Data Breach Highlights the Human Weak Link in Cyber Defense

November 20, 2025

DoorDash has confirmed a new data breach exposing customer, delivery worker, and merchant information—including names, email addresses, phone numbers, and physical addresses. The company says no financial or government ID data was accessed and reports no evidence of fraud or identity theft to date.

DoorDash reported that cyber attackers gained access through a social engineering scheme that targeted an employee. Once the breach was detected, the company revoked access, initiated an investigation, and notified law enforcement. The total number of affected users has not been disclosed.

Kiran Chinnagangannagari, Chief Product & Technology Officer at Securin, says the breach underscores how human factors continue to outpace technical defenses. “The vulnerability of a single employee to social engineering compromised millions of users’ data,” he said. “This highlights a systemic challenge as cybercriminals increasingly pivot from attacking infrastructure to manipulating people. AI-driven social engineering is widening that gap.”

Chinnagangannagari warns that the stolen data enables highly personalized attacks. “Fraudsters can now craft phishing and smishing messages that appear authentic, referencing delivery addresses or posing as payment processors,” he noted. “DoorDash’s statement that ‘no sensitive information’ was accessed misrepresents the risk. In 2025, a phone number is a digital identity, a key to multifactor authentication and account takeover.”

DoorDash has now faced three major security incidents since 2019. Chinnagangannagari argues that such recurrence demands a structural reassessment of the company’s security posture.

Sandy Kronenberg, Founder and CEO of Netarx, frames the issue as one of trust, not technology. “This breach didn’t start with a firewall failure—it started with a human,” he said. “Attackers are using AI-generated voices, cloned personas, and context-aware scripts. Traditional controls like MFA or ITDR can’t stop a deepfake phone call.”

Kronenberg calls the growing divide between system-level security and human verification “the trust gap.” He says enterprises must begin validating the authenticity of every human interaction across voice, video, and email channels in real time.

Clyde Williamson, Senior Product Security Architect at Protegrity, calls DoorDash’s response “déjà vu with denial.” “They claim no sensitive data was accessed while confirming the theft of names, emails, and addresses—that’s sensitive,” Williamson said. “Attackers don’t breach systems for worthless data. Even if it’s not financial, it’s still personal and exploitable.”

He adds that companies should start protecting all personal information with the same rigor as regulated data. “If DoorDash had de-identified or tokenized this information, it would be useless to attackers,” he said. “Security should protect the data itself, not just the systems around it.”
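To make the tokenization point concrete, here is an added example (not DoorDash's or Protegrity's code) of the pattern Williamson describes: the application table keeps only opaque tokens, and the token-to-plaintext mapping lives in a separate vault. The in-memory vault, the HMAC construction, the `tok_` token format and the sample record are all assumptions of this example; in production the vault would be a separately secured service with its own access controls and audit log, and the key would live in a KMS or HSM.

```python
"""PII tokenization vault (added example; assumptions noted in comments)."""
import hashlib
import hmac
import secrets

PII_FIELDS = ("name", "email", "phone", "address")


class TokenVault:
    """Maps opaque tokens back to plaintext.

    Assumption: an in-memory dict stands in for a separately secured vault
    service so the example runs offline. The key is assumed to come from a
    KMS/HSM in production; it is never stored beside the application data.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("vault key must be at least 256 bits")
        self._key = key
        self._store: dict[str, str] = {}  # token -> plaintext

    def tokenize(self, field: str, value: str, deterministic: bool = True) -> str:
        if deterministic:
            # Keyed HMAC: equal values map to equal tokens, so the application can
            # still join and deduplicate on the token. Without the key, an attacker
            # holding only the tokens cannot brute-force low-entropy values such as
            # phone numbers (a plain SHA-256 would be trivially reversible that way).
            mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
            token = f"tok_{field}_{mac.hexdigest()[:32]}"
        else:
            # Random token: no correlation between rows at all, at the cost of
            # losing equality joins on the tokenized column.
            token = f"tok_{field}_{secrets.token_hex(16)}"
        self._store.setdefault(token, value)
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for tokens this vault never issued (e.g. a different key).
        return self._store[token]


def deidentify(vault: TokenVault, record: dict, fields=PII_FIELDS, deterministic=True) -> dict:
    """Return a copy of `record` with the PII fields replaced by vault tokens."""
    out = dict(record)
    for f in fields:
        if out.get(f) is not None:
            out[f] = vault.tokenize(f, str(out[f]), deterministic)
    return out


def reidentify(vault: TokenVault, record: dict, fields=PII_FIELDS) -> dict:
    """Inverse of deidentify, for the few code paths that truly need plaintext."""
    out = dict(record)
    for f in fields:
        if out.get(f) is not None:
            out[f] = vault.detokenize(out[f])
    return out


def leaks_plaintext(stored: dict, original: dict, fields=PII_FIELDS) -> list:
    """Fields whose plaintext an attacker would learn from dumping only the
    application table (i.e. the stored row without the vault)."""
    return [f for f in fields if original.get(f) and original[f] in str(stored.get(f, ""))]


# Constructed sample record; not real customer data.
SAMPLE = {
    "order_id": 1001,
    "name": "Ada Example",
    "email": "ada@example.com",
    "phone": "+1-555-0100",
    "address": "1 Example St, Springfield",
}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    stored = deidentify(vault, SAMPLE)
    print(stored)                      # only tok_* values for the PII columns
    print(leaks_plaintext(stored, SAMPLE))  # []
    print(reidentify(vault, stored) == SAMPLE)  # True
```

The design choice worth noting is deterministic versus random tokens: deterministic tokens preserve equality (the same phone number tokenizes the same way every time), which keeps analytics and fraud checks working but still tells an attacker which rows belong to the same person; random tokens remove even that signal. Either way, a dump of the application table alone yields nothing the attacker can use for the personalized phishing and smishing described above, which is the property the quote is asking for.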
