DoorDash Confirms Data Breach Exposing User Information
DoorDash confirmed a data breach that exposed names, email addresses, phone numbers, and physical addresses of some users, including customers, dashers, and merchants.
In a Help Center article published November 13, DoorDash said hackers stole personal information but "no sensitive information was accessed." The company has "no indication the data has been misused for fraud or identity theft at this time."
No Social Security numbers, driver's license info, bank account numbers, or payment card information got stolen. That's the sensitive stuff that causes real damage.
The company didn't specify how many users were affected but said they've notified everyone impacted.
How It Happened
A DoorDash employee fell victim to a "social engineering scam." Corporate-speak for someone got tricked into giving hackers access.
Social engineering scams target people, not technology. Someone calls pretending to be IT support. Sends a convincing phishing email. Poses as legitimate authority. The employee believes them and hands over access.
"The response team identified the incident, shut down the unauthorized party's access, started an investigation, and referred the matter to law enforcement," DoorDash said.
Standard data breach response. Caught it, shut it down, called the cops.
What Got Stolen
Names, email addresses, phone numbers, and physical addresses. It’s annoying to have stolen, but not catastrophic.
Having your contact info exposed means more spam calls and phishing emails. Having your Social Security number and bank info exposed means identity theft and financial fraud.
DoorDash says the stolen data hasn't been misused yet. "Yet" is doing a lot of work in that sentence.
What You Should Do
DoorDash contacted everyone affected. They set up a dedicated call center available in English and French, Monday to Friday 6 a.m. to 8 p.m. PT and weekends 8 a.m. to 5 p.m. PT. Call +1-833-918-8030 (toll-free) for U.S. and Canada or +1-214-393-3293 for international. Use engagement number B155060.
DoorDash's advice: "Be cautious of unsolicited communications that ask for your personal information or refer you to a web page asking for personal information, and avoid clicking on links or downloading attachments from suspicious emails."
Translation: expect phishing emails pretending to be from DoorDash. Don't click links in emails. Go directly to DoorDash's website if you need to verify anything.
What DoorDash Is Doing
The company is training employees better to avoid social engineering scams. They're deploying "new improvements to our security systems," enlisted outside help, and referred the matter to law enforcement.
Standard corporate response after a data breach.
The Real Problem
One employee falling for a scam shouldn't expose customer data for thousands or millions of users. That's a security architecture problem, not just an employee training problem.
If a single employee getting tricked can give hackers access to that much customer information, your security systems need work. Proper data security includes limiting access, requiring multiple authentication steps, and building systems that don't collapse when one person makes a mistake.
DoorDash is addressing employee training. But the real fix is building systems where one scammed employee can't compromise massive amounts of user data.
For Affected Users
If DoorDash contacted you about the breach, watch for suspicious emails and calls. Scammers now have your name, email, phone number, and address. They'll use that to send convincing phishing attempts.
Don't click links in emails claiming to be from DoorDash. Don't give personal information to callers claiming to represent the company. Go directly to DoorDash's website or app to verify anything.
Your payment information and Social Security number weren't stolen, so immediate financial fraud risk is low. But stolen contact information means increased spam and phishing attempts.
Change your DoorDash password if you haven't already. Enable two-factor authentication if available. Be suspicious of communications asking for personal information or login credentials.
Don’t panic about immediate financial fraud since payment info wasn't stolen. Just be more cautious about unsolicited communications.
Did you find this information useful? Feel free to bookmark or to post to your timeline to share with your friends.