DoorDash Data Breach 2025: What Happened & What To Do


TL;DR

In late 2025, DoorDash confirmed a significant cybersecurity incident affecting consumers, Dashers (drivers), and merchants.

  • The event: In October 2025, DoorDash suffered a big data breach via a "social engineering" attack on an employee.
  • The delay: The company waited 19 days (until mid-November) to notify affected users, sparking a class-action lawsuit.
  • The stolen data: Hackers stole names, physical addresses, phone numbers, and email addresses. They did not get passwords or credit cards, but don't let that comfort you.
  • The risk: This combination of data is the "Holy Trinity" for SIM Swapping and Spear Phishing – attacks that can drain bank accounts and crypto wallets without ever needing your credit card number.
  • What to do: Change any passwords reused on other sites, switch your 2FA from SMS to an Authenticator App immediately, and treat every "support call" you receive as a potential scam. Also, apply the general security practices (discussed in the later sections) to permanently harden your digital identity against future leaks.

Now, let's take a closer look.

What Happened and Why?

On October 25, 2025, DoorDash identified suspicious activity within their internal systems. Investigations revealed that a threat actor had successfully executed a social engineering attack targeting a DoorDash employee: a hacker tricked a human staff member into handing over access credentials, likely through a convincing phone call or phishing email.

This allowed the attacker to bypass technical security measures and access internal tools used to manage user accounts.

The "19-day silence" controversy

While the DoorDash breach was discovered in late October, the company did not begin notifying customers until November 13, 2025. The nearly three-week delay led to significant criticism from privacy experts and is at the heart of a new class-action lawsuit filed in the Northern District of California.

For 19 days, your data was exposed, giving hackers plenty of time to target you with scams while you were distracted.

What Information Was Stolen?

DoorDash quickly reassured users that "no sensitive information was accessed". We don’t think so.

In this DoorDash data breach, the attackers exfiltrated a lot of Personally Identifiable Information (PII):

  • Full names (First and Last)
  • Physical delivery addresses (Where you sleep and work)
  • Phone numbers (The key to your 2FA)
  • Email addresses (Your digital passport)

What was NOT stolen:

  • Passwords
  • Credit/Debit Card full numbers
  • Social Security Numbers (SSN) / Social Insurance Numbers (SIN) / Driver’s License Numbers

⚠️ DoorDash says this data isn't sensitive. We disagree. If a hacker has your Full name + Phone + Address, they don't need your credit card. They have enough verification data to call your mobile carrier, impersonate you, and execute a SIM Swap – hijacking your phone number to intercept your 2FA codes for banking, email, or crypto exchanges.

Who Was Affected?

The DoorDash data breach affected three key groups within the DoorDash ecosystem:

  1. Consumers: People who order food through the app.
  2. Dashers: The delivery drivers.
  3. Merchants: Restaurants and businesses using the platform.

DoorDash hasn't given a specific number of affected users, but reports suggest the breach could impact millions of users in the U.S., Canada, Australia, and New Zealand.

Are you at risk?

If you got a breach notification email from DoorDash, you can bet your contact info was part of the DoorDash breach.

If you didn’t, you’re not automatically safe, but your probability is much lower.

DoorDash’s Response: Actions Taken, Claims Made, Gaps to Watch

Upon discovering the breach on Oct 25, DoorDash cut off the attacker's access and brought in a third-party cybersecurity forensic firm. They have also notified law enforcement.

User support channels

DoorDash set up a dedicated call center available in English and French for concerned users:

  • US/Canada: +1-833-918-8030
  • International: +1-214-393-3293
  • Note: Be cautious. Hackers know these numbers. If you receive a call claiming to be this support line, hang up and call it yourself.

The legal fallout

On November 18, 2025, a class-action lawsuit was filed in the U.S. District Court for the Northern District of California.

  • Case: Michelle Andrizzi v. DoorDash Incorporated (Case No. 3:25-cv-09926).
  • Allegations: The claimants allege negligence in data protection and breach of an implied contract. A key argument is the failure of data minimization – DoorDash allegedly stored the data of former customers unnecessarily, making it available for theft.
  • Status: The case is in the early scheduling phase, with initial conferences set for early 2026.

If you're in the affected regions, you may automatically be part of future settlements, but financial compensation won't fix your compromised privacy.

What Attackers Can Do With Contact Info: Real Risks

Don't let the phrase "No passwords were stolen" lull you into a false sense of security. In the hands of a skilled social engineer, your contact list is a weapon.

  • Hyper-realistic, personalized phishing (refunds, “account locked,” “verify delivery address”): the DoorDash incident gives attackers your real details, so the message may feel very legit.
  • Credential stuffing: they try your email + old passwords (possibly found in other big password breaches) across Gmail/Apple/Microsoft/banks.
  • MFA/code theft: “DoorDash support” asks for a one-time code. That’s not support, it’s an attacker resetting something.
  • SIM-swap / number port-out: if they can move your number to their SIM, they receive reset codes. This allows them to access your accounts.
  • Doxxing-lite: address exposure enables harassment, fake deliveries, or “we’re outside” pressure scams. A DoorDash data breach makes this easier.

A History of Leaks: Is Your Data Ever Safe With DoorDash?

This DoorDash breach isn’t the first time DoorDash has dealt with exposed data. It's pretty clear they have a big problem keeping their massive user database secure.

| Year | Attack Vector | Data Impact |
|------|---------------|-------------|
| 2019 | Third-party vendor breach | 4.9M users; Names, emails, partial cards, Driver's Licenses |
| 2022 | Supply chain phishing (Twilio) | Names, addresses, partial cards |
| 2025 | Direct employee social engineering | Names, addresses, emails, phone numbers |

The pattern: DoorDash is a logistics company, not a cybersecurity firm. Whether it's a vendor failure or a gullible employee, the result is the same: Your data ends up on the Dark Web.

Immediate Action Plan & Future Protection

Stop panicking and start patching. Here is your triage plan to secure your identity.

In 10 minutes (do this NOW)

  1. Change your DoorDash password: If you use your DoorDash password anywhere else, change it immediately. Use a password manager to create a unique 20-character string, or use a passphrase.
  2. Enable app-based 2FA: Go to your Email, Bank, Social Media, and any important app settings. Turn off SMS (text) authentication and switch to an Authenticator App (Authy, Google Auth) or a hardware key (YubiKey). This neutralizes the SIM Swap threat.
  3. Check your sessions: Go to your email settings and "Log out of all other sessions" to kick out anyone who might be lurking.

In 24 hours

  1. Set a carrier PIN: Call your mobile provider and ask to set a "Port Freeze" or a secondary PIN code that must be said before a SIM change can be made.
  2. Bank alerts: Set up push notifications for every transaction on your credit cards. If a hacker tries to use your data for fraud, you'll know instantly.
  3. The "Alias" strategy: Create a new email address or set an alias specifically for "Junk" services (food, newsletters, shopping). Never use your primary business or banking email for an app like DoorDash again.

In 30 days

You can’t control DoorDash’s security, but you can control what you give them.

  • Check exposure (and set alerts): https://haveibeenpwned.com/ 
  • Watch for SIM-swap symptoms: Sudden “No Service,” SMS fails, calls reroute.
  • Beware of "urgent" alerts: You may receive text messages pretending to be from DoorDash, your bank, or delivery services (e.g., "There is a problem with your order, click here to refund"). NEVER click these links.
  • Review accounts for silent changes: Attackers often change contact email/phone first. Then they drain later.
  • Credit freeze: While SSNs were not lost, freezing credit is a standard precaution against synthetic identity fraud.
  • Switch to a secure email service: Standard email providers can scan content, build behavioral profiles, and tie your inbox to your real-world identity. Choose a private email service that doesn’t fingerprint you and doesn’t push identity linkage (phone number, real name, backup email and so on).

✳️🔐 Atomic Mail offers a secure haven for your most important information. No tracking, no data mining, and no weak links. Just pure, encrypted communication that keeps your private life private. Create your free Atomic Mail account and take the most effective step toward enhanced digital privacy today.

FAQ: The DoorDash Breach 2025

Did the hackers get my credit card number?

DoorDash states that no full credit card numbers were accessed. The breach exposed "contact information" (name, address, email, phone). However, scammers may use this info to call you and ask for your credit card number to "verify" your account. Do not provide it.

Do I need to change my password?

DoorDash claims passwords were not stolen. However, as a general security best practice, it is highly recommended to change your password anyway, especially if you reuse that password on other sites.

How do I know if I was affected?

DoorDash sent email notifications to affected users in November 2025 with the subject line related to "Security Incident" or "Data Privacy." Check your inbox and spam folder.

How do I join the class action lawsuit?

You do not need to do anything yet. The lawsuit (Andrizzi v. DoorDash) is in the early "proposed" stage. If a settlement is reached (likely in 2026 or 2027), you will be notified automatically if your email is on the victim list. Keep an eye on legal news sites for updates.  

Will I get financial compensation?

While a class-action lawsuit is underway, these proceedings take years. Historically, settlements for breaches like this result in minor payouts (often less than $10) or free credit monitoring services. The cost of securing your digital life falls on you, not them. 

Can I check if my data was stolen?

If you received an email from DoorDash with the subject line regarding a "Cybersecurity Incident," you are affected. You can also monitor the website Have I Been Pwned?, which typically indexes such breaches once the data becomes public. You can also call DoorDash’s dedicated breach hotline at 1-833-918-8030 (Ref code: B155060).   

Why does DoorDash say "no sensitive info" was stolen if they took my address?

"Sensitive" is a legal term usually reserved for SSNs, financial accounts, and driver's licenses. Under most data breach laws, names and addresses are considered "public directory information" (PII), which carries lower notification requirements. However, privacy experts agree that your physical address is indeed sensitive in terms of personal safety.   

I used DoorDash years ago but deleted the app. Am I affected?

Yes, potentially. The lawsuit alleges that DoorDash retained data from former customers that it should have deleted. If your data was still in their "Customer Support" archives, it may have been compromised even if your account was inactive.   
