DoorDash Breach Exposed Phone Numbers and Addresses

Gregory Zuckerman
By Gregory Zuckerman
Technology
7 Min Read

Restaurant and food delivery service DoorDash confirmed a data breach that could have affected 4.9 million customers, drivers, and merchants on Thursday after it was alerted to “unusual activity” from a third-party service provider.

The tech company disclosed in its blog that the breach took place when an attacker used credentials obtained through a third-party service provider two weeks before the incident to gain access to certain DoorDash user data, including names, email addresses, delivery addresses (phone numbers included), order history hashes, and the last four digits of payment cards for thousands of Dashers — drivers and couriers who deliver orders. The company said this data was accessed by unauthorized third parties.

Table of Contents
A 16:9 aspect ratio image showing four mobile phone screens displaying the DoorDash app. The first two screens show the home page and a grocery store page, while the last two screens show a restaurants menu and an open cart.

The company said it had blocked unauthorized access, alerted law enforcement, and was beginning the process of notifying affected accounts across its customer, delivery worker, and merchant communities.

Though the company stressed that there is no proof of fraud or identity theft as a consequence of the incident, one should be wary of targeted phishing and impersonation campaigns made more possible by leaked phone numbers and addresses. DoorDash said that sensitive information such as Social Security numbers, other government-issued IDs, driver’s license numbers, and bank or payment card numbers were not accessed.

What information was exposed in the DoorDash data breach

DoorDash said the data that was accessed included names, email addresses, phone numbers, and physical addresses. That array can be particularly useful to scammers, who are able to customize lures and spoof legitimacy — for example, citing a recent order or known delivery address.

Importantly, the company added that financial account numbers and full payment card details were not included in the breach. Nonetheless, contact numbers associated with a delivery platform can be leveraged to credibly impersonate support staff or retail merchants if the social engineering is successful against consumers.

How the intrusion occurred, according to DoorDash

The attackers used social engineering to fool an employee into turning over the key, according to DoorDash, then entered and exited undetected until the company learned of it and blocked access. Social engineering is still the leading cause of a breach: The most recent Data Breach Investigations Report from Verizon found that a person was involved in 74% of breaches, highlighting how attackers are increasingly able to circumvent technical controls through people manipulation.

DoorDash said it was looking into the extent of the breach and had sought law enforcement’s help. The company did not say how many users might have been affected. DoorDash has previously experienced exposure through a compromised third-party vendor, which demonstrates that these companies are vulnerable to both direct and supply chain vector attacks.

Four smartphones displaying the DoorDash app interface, with the DASH FORWARD logo in the upper right corner, set against an orange gradient background.

Why phone numbers and physical addresses matter to attackers

Phone numbers and addresses are a powerful combination for criminals. Look for a surge in smishing (text message phishing) and vishing (voice scams) purporting to be from the delivery service, merchant partners, or couriers trying to rectify an alleged delivery issue. Among the most common ruses: fake refund links, password resets, or urgent pleas to “verify” payment information.

Attackers can also use addresses to craft convincing messages about recent or upcoming deliveries, and in more rare instances, attempt SIM swap fraud to block one-time passcodes sent to the compromised number. The FBI’s Internet Crime Complaint Center is still registering all-time losses for online fraud, and IBM’s most recent Cost of a Data Breach report sets the global average breach cost at just over $4.88 million, indicative of the ripple effects that tend to spread out from original data exposure.

Who is affected and how official notices will be delivered

DoorDash said that a combination of customers, Dashers, and merchants were affected. Those affected should keep an eye out for direct notifications from the company (often these are sent in-app or via email). Genuine communications never request passwords or full payment card numbers, and you should be wary of similar-looking domains, unsolicited attachments, or links that prompt for login details immediately.

What users can do now to protect accounts and devices

Be wary of texts, calls, or emails regarding anything to do with the breach that ask you to click on links, including bulk orders for medical equipment (navigate directly to the app or website instead). Any login attempt or password reset notice that shows up as unexpected can be treated as suspect, and you should check recent activity in your account settings.

Secure your email account, which serves as the digital lifeline to reset so many other accounts you might lose access to, with both a strong, unique password and app-based multifactor authentication. Consider avoiding SMS-based codes where possible, as numbers can be targeted. Check saved payment methods, change passwords you may have reused on other sites, and turn on purchase or login notifications so you can spot misuse early.

Security and regulatory outlook following the DoorDash breach

Consumer apps that manage logistics for delivery are still fair game because they have a host of actual location information and contact lists. Across agencies and organizations, regulations and state breach-notification laws generally call for timely disclosure and user notification. Security agencies such as CISA continue to insist that organizations ensure their initial defenses hold strong against social engineering with phishing-resistant MFA, least-privilege access, and ongoing employee education.

For DoorDash customers, the immediate question is one of vigilance. Even when financial information hasn’t been lifted, contact details in themselves can be the opening move of a longer fraud play. Be skeptical of unsolicited communications, confirm through official means, and accept that legible, well-constructed messages mentioning your address or order history may not be what they purport to be.

Gregory Zuckerman
ByGregory Zuckerman
Gregory Zuckerman is a veteran investigative journalist and financial writer with decades of experience covering global markets, investment strategies, and the business personalities shaping them. His writing blends deep reporting with narrative storytelling to uncover the hidden forces behind financial trends and innovations. Over the years, Gregory’s work has earned industry recognition for bringing clarity to complex financial topics, and he continues to focus on long-form journalism that explores hedge funds, private equity, and high-stakes investing.
Latest News