
DoorDash suffered a data breach, exposing user contact information after a successful social engineering attack targeting one of its employees.
The food delivery giant claims that no sensitive financial or identity-related data was accessed, yet it also acknowledges that full names, phone numbers, physical addresses, and email addresses were exposed, which contradicts that claim.
The breach was first identified by DoorDash’s internal security team, which observed unauthorized access to certain user data in late October. Affected individuals began receiving email notifications on November 13, informing them of the incident and recommending caution against phishing attempts. According to DoorDash, the data varied by individual but may include basic contact details. Importantly, the company stated that no Social Security numbers, driver’s license information, or payment data were compromised.
The incident stemmed from a successful social engineering attack, an increasingly common tactic where attackers manipulate individuals into revealing confidential information or credentials. In this case, a DoorDash employee was tricked into granting unauthorized access, allowing threat actors to exfiltrate user data before the breach was discovered and contained.
DoorDash, headquartered in San Francisco, is one of North America’s largest food delivery platforms, serving millions of customers, drivers (known as “Dashers”), and restaurant partners. The company has previously experienced significant security incidents, including breaches in 2019 and 2022. The latest breach adds to its troubled security history and raises fresh concerns about how it safeguards user information.
In response, DoorDash has initiated a series of mitigation efforts, including deploying security system enhancements, reinforcing employee training on phishing and social engineering scams, and hiring a third-party cybersecurity forensics firm to assist with the investigation. The incident has also been referred to law enforcement for further examination.
While DoorDash has emphasized that there is currently no evidence of fraud or identity theft resulting from the breach, the type of data accessed, particularly email addresses and phone numbers, poses a risk for targeted phishing campaigns and scam attempts. The company advises users to be cautious of unsolicited messages, refrain from clicking on suspicious links, and avoid providing personal information through unfamiliar channels.
