DoorDash has confirmed a new data breach after an unauthorized party accessed user information in October 2025. The company began notifying affected customers, Dashers, and merchants across the U.S., Canada, Australia, and New Zealand.
Below is a clear breakdown of what was leaked, how worried you should be if you're affected, and the steps you need to take next.
1. What Datapoints Were Leaked?
According to DoorDash’s incident notice, an unauthorized actor gained access to certain contact and personal details. While the exact data varied by individual, the following information may have been exposed:
DoorDash confirmed that this information was indeed accessed by the intruder.
The breach was traced back to a social engineering attack targeting a DoorDash employee. Once the company realized what happened, it cut off the unauthorized access, launched an internal investigation, and notified law enforcement.
Although DoorDash has not disclosed how many people were impacted, the incident affected a mix of customers, Dashers, and merchants. This is DoorDash’s third major security incident, following previous breaches in 2019 and 2022.
Notably, some email notices also included a French translation, suggesting heavy impact among Canadian users. However, a related advisory on DoorDash’s website references U.S.-specific data types—indicating the incident may extend beyond Canada, even though Social Security Numbers and Social Insurance Numbers were not accessed.
2. Should You Be Worried?
If your data was part of this breach, here’s what it means for you:
Moderate to High Risk of Targeted Scams
While the breach did not include passwords or financial data, the exposed contact information is highly valuable for attackers. This type of data is commonly used for:
- Fraudulent DoorDash-themed messages
- Social engineering attempts targeting your other accounts
Users have already expressed concern online, especially about the 19-day delay in notifying people, which may have increased risk exposure.
Long-Term Exposure
Names, addresses, phone numbers, and emails are long-lasting identifiers. Once leaked, these details can circulate on dark web databases for years, making future scams more likely.
Regulatory Concerns
Some Canadian users have raised legal questions about the delay in notification, stating it may violate local breach-disclosure laws.
In short:
Yes, you should take this breach seriously. Even without financial data involved, this type of personal information can be weaponized against you.
3. What Should Be Your Next Steps?
If you received a notification from DoorDash—or even if you simply have an account—take the following precautions immediately:
1. Watch for Phishing Attempts
Expect an increase in emails or texts pretending to be from DoorDash.
- Don’t click suspicious links.
- Don’t download attachments.
- Don’t enter login or payment details on unfamiliar sites.
DoorDash has specifically warned users to stay cautious.
2. Secure Your DoorDash and Related Accounts
Even though passwords weren’t leaked:
- Change your DoorDash password.
- Enable 2-factor authentication everywhere possible.
- Make sure you’re not using the same password across other platforms.
Breach-linked phishing campaigns often aim to obtain login credentials after the fact.
3. Monitor Financial and Delivery Accounts
While payment data wasn't accessed, attackers often use leaked contact info to try:
- Fraudulent order attempts
Review your recent activity across payment apps and delivery platforms.
4. Reduce Your Exposure Going Forward
Proactive privacy steps can help limit damage from future incidents:
- Use email masking or forwarding tools for online accounts.
- Avoid using your primary phone number for non-essential signups.
- Remove your information from data broker sites if possible.
5. Contact DoorDash for Support
DoorDash has set up a support line for affected users:
📞 Toll-free number: +1-833-918-8030
Reference code: B155060
If you want clarification about whether your region or account was affected, this is the official channel.
Cloaked FAQs Accordion
Frequently Asked Questions
Cloaked is a privacy-first tool that lets you create secure aliases for emails, phone numbers, and more—shielding your real identity online. With
Cloaked, your personal info stays protected from breaches, scams, and tracking.
Look for urgent messages, unfamiliar links, or strange sender addresses. With
Cloaked aliases, it’s easier to identify which site may have leaked your contact details and ignore suspicious communications.
Yes. If a Cloaked alias starts receiving spam, you can pause, delete, or rotate it. This eliminates the need to change your real email or phone number.
They do different jobs. VPNs protect browsing. Password managers secure logins.
Cloaked protects your real identity at the contact level—emails, phones, and personal identifiers.
Definitely. Use
Cloaked aliases to avoid spam and limit exposure to companies that may mishandle or leak your data.
