DoorDash’s 19-Day Breach Delay Puts Millions at Risk

According to Forbes, DoorDash experienced a significant data breach in October where attackers used social engineering to convince an employee to provide access to customer data. The company waited 19 days before notifying millions of affected customers that their personal information had been compromised. The stolen data includes names, addresses, phone numbers, and email addresses—information that’s perfect for crafting convincing spear phishing attacks. This isn’t DoorDash’s first security rodeo either—it’s their third major breach since 2019. The delayed notification means customers were left vulnerable for nearly three weeks without knowing their information was circulating among scammers.

Why this matters

Here’s the thing about “less sensitive” data like addresses and phone numbers—they’re actually gold mines for sophisticated scammers. When someone calls you by name, knows your address, and references your recent DoorDash orders? That’s terrifyingly convincing. And DoorDash taking 19 days to notify people? That’s basically giving scammers a three-week head start to perfect their phishing campaigns.

What really gets me is that this wasn’t even a sophisticated hacking operation. It was social engineering—some smooth-talker convincing an employee to hand over the keys. After three major breaches in five years, you’d think DoorDash would have better employee training and security protocols in place. Apparently not.

What you should do

First things first—if you haven’t frozen your credit, do it now. Seriously. It’s free, it’s easy, and it’s the single best protection against identity theft. You need to contact all three major bureaus: Equifax, TransUnion, and Experian. This prevents anyone from opening new credit in your name, even if they have your Social Security number.

Next, monitor your credit regularly using the official AnnualCreditReport.com site—not some shady imitation. You get free weekly reports now, so there’s no excuse not to check.

Be super suspicious of anyone contacting you about this breach. Scammers love to pose as the breached company to harvest more data. Trust me, you can’t trust anyone calling unexpectedly. If you need to contact DoorDash, use their official app or website—never click links in suspicious emails.

Broader implications

This breach highlights a worrying trend—companies still treating customer data security as an afterthought. Nineteen days to notify people? That’s unacceptable. And social engineering attacks are becoming the go-to method because they’re often easier than breaking through technical defenses.

Looking ahead, we’re probably going to see more regulation around breach notification timelines. Companies like DoorDash that handle massive amounts of personal data need to step up their game—better employee training, faster response protocols, and frankly, more respect for the trust customers place in them.

The scary part? This is only going to get worse before it gets better. As companies collect more data and scammers get more sophisticated, these breaches will become even more damaging. The question isn’t if your data will be compromised—it’s when, and how well the company handles it. Based on DoorDash’s track record? Not great.
