Full Report
DoorDash has disclosed a data breach that hit the food delivery platform this October. Beginning yesterday evening, DoorDash, which serves millions of customers across the U.S., Canada, Australia, and New Zealand, started emailing those impacted by the newly disclosed security incident. [...]
Analysis Summary
# Incident Report: DoorDash October 2025 Contact Information Breach
## Executive Summary
DoorDash confirmed a cybersecurity incident in October 2025 where an unauthorized third party gained access to personal contact information of some users. The initial vector was identified as a social engineering scam targeting a DoorDash employee, leading to unauthorized access and subsequent data exfiltration. DoorDash responded by shutting down access, launching an investigation with external forensics assistance, and notifying relevant parties.
## Incident Details
- **Discovery Date:** October 25, 2025
- **Incident Date:** Occurred in October 2025 (Discovery date is Oct 25)
- **Affected Organization:** DoorDash
- **Sector:** Food Delivery Platform
- **Geography:** U.S., Canada, Australia, and New Zealand (notifications initially seemed to target primarily Canadian users).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to October 25, 2025. (Notifications were sent "yesterday evening" relative to the November 13, 2025 report date, so notification likely began on November 12, 2025, but the intrusion occurred earlier in October.)
- **Vector:** Social Engineering Scam targeting a DoorDash employee.
- **Details:** An unauthorized third party gained initial access as a result of a social engineering scam targeting an employee.
### Lateral Movement
- Not explicitly detailed, but implied by the ability to access and take user contact information.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Personal contact information, which varied by individual but could include first and last name, physical address, phone number, and email address. DoorDash stated that no sensitive information (such as credit card data or SSNs/SINs) was accessed.
### Detection & Response
- **How it was discovered:** On October 25, 2025, the DoorDash team identified the cybersecurity incident.
- **Response actions taken:** The unauthorized party's access was shut down, an internal investigation began, a leading external cybersecurity forensic firm was engaged, and law enforcement was notified.
## Attack Methodology
- **Initial Access:** Compromise via Social Engineering targeting an employee.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed, but necessary to access user contact data.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed, but likely involved credentials obtained via the social engineering exploit.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed beyond the scope of accessing user data.
- **Collection:** Gathering of specific user contact details (name, address, phone, email).
- **Exfiltration:** Transfer of collected personal information off the platform.
- **Impact:** Disclosure of personal customer contact information without authorization.
## Impact Assessment
- **Financial:** Not specified, but costs related to forensic investigation and necessary legal/notification compliance apply.
- **Data Breach:** Exposure of non-financial personally identifiable information (PII), including names, physical addresses, phone numbers, and email addresses, for affected users. Sensitive data (passwords, payment info, SSNs/SINs) appears **not** to have been accessed.
- **Operational:** Business operations continued, although internal processes related to breach response were heavily engaged.
- **Reputational:** Negative press and user criticism regarding the 19-day delay in notification and the discrepancy in stated impact vs. the data disclosed.
## Indicators of Compromise
- *No specific IOCs (URLs/IPs/hashes) were detailed in the source text.*
- **Behavioral indicators:** Suspicious network activity related to bulk extraction of customer contact database records, initiated following an employee compromise.
- **User Concern:** Users should watch for suspicious, targeted phishing emails referencing DoorDash.
## Response Actions
- **Containment measures:** Shutting down the unauthorized party's access immediately upon identification on Oct 25, 2025.
- **Eradication steps:** Implied by shutting down access, though full details of endpoint/system cleaning are proprietary.
- **Recovery actions:** Deploying enhancements to security systems and implementing additional training for employees.
- **Notification:** Began emailing impacted users on November 12, 2025 (relative to report date); notified law enforcement.
## Lessons Learned
- The 19-day gap between detection (Oct 25) and public notification caused significant public relations friction and allegations of violating Canadian data breach law timelines.
- Social engineering remains a critical entry vector, highlighting the weakness in employee security practices despite existing security measures.
- Public statements must carefully align disclosed impact with the nature of the breached data to avoid contradictory messaging (e.g., claiming "no sensitive info" while admitting address/phone number exposure).
## Recommendations
- Immediate review and enhancement of social engineering training, especially for privileged or access-holding employees.
- Implement stricter multi-factor authentication and access controls around the retrieval of bulk customer PII, even for internal employees.
- Establish and strictly enforce internal SLAs for mandatory breach notification timelines that comply with the strictest jurisdiction applicable (e.g., Canadian privacy laws).