DoorDash recently disclosed a cybersecurity incident in which an unauthorized third party gained access to certain user information after successfully targeting a DoorDash employee through a social engineering scam. The company quickly detected the breach, terminated the intruder’s access, launched an investigation with the help of an external forensics firm, and reported the matter to law enforcement.

The accessed data was limited to basic contact information that varied by individual, potentially including first and last name, phone number, email address, and physical (delivery) address. Importantly, no sensitive data—such as Social Security numbers, driver’s license details, bank account numbers, or payment card information—was compromised, and DoorDash states there is currently no evidence that the stolen information has been misused for fraud or identity theft.

The incident affected a portion of DoorDash’s users, including consumers, Dashers (delivery drivers), and merchants, but did not impact customers of Wolt or Deliveroo. Affected users have been notified where legally required, and DoorDash has published details publicly while establishing a dedicated call center for questions. In response, the company has implemented enhanced security measures, introduced additional employee training on social engineering tactics, and reiterated its commitment to ongoing improvement and user privacy.

DoorDash apologized for any concern caused and encouraged users to remain vigilant against phishing attempts, while emphasizing that no immediate protective actions are necessary for affected accounts due to the non-sensitive nature of the exposed data.