What Happened in the DoorDash Security Breach?
DoorDash, the popular food delivery app, disclosed in mid-November that unauthorized actors breached its internal systems on October 25. The breach occurred shortly after a company employee fell victim to a social engineering attack. The breach affects a mixture of customers, drivers, and merchants across the United States, Canada and other countries. While the company has not revealed the exact number of affected individuals, estimates suggest millions may be impacted. Compromised information included names, email addresses, phone numbers and physical addresses used for delivery. DoorDash states that no financial information, card or government-issued ID numbers were accessed by the attacker. This marks DoorDash’s third known cybersecurity incident in six years.
What Actions Were Taken as a Result of the DoorDash Breach?
The DoorDash security team was able to terminate the unauthorized access shortly after its detection, and an investigation was launched. Law enforcement was notified, and external security teams were brought in to assist in the investigation. The company began notifying customers of the incident on November 13.
What Can Organizations Do to Prevent a Breach Like This?
DoorDash confirmed the incident stemmed from a social engineering attack targeting an employee but did not offer any specifics. Below are some of the likely methods that could have been used in the attack:
- Phishing Emails: An attacker could have sent an email to a DoorDash employee posing as IT support, HR personnel, or a known third-party vendor. The email would then contain a malicious link to a fake login page or a malware-infected attachment.
- Phone‑based pretexting: An attacker calls the employee pretending to be corporate IT, a security contractor, or a vendor doing urgent maintenance. They will often know the employee’s name and role already. The attacker then makes some type of request that grants them access to a targeted asset.
- MFA (Multifactor Authentication) Fatigue Attack: This method aims to bypass a company’s MFA system by sending repeated MFA push notifications to a specific employee, who eventually approves a request just to make them stop.
Modern email and web filtering systems that are regularly updated can play a large role in protecting against social engineering attacks. Beyond these foundational defenses, consider implementing the following measures:
- Provide ongoing training that teaches staff how to spot phishing, fake login pages, unusual payment requests, and “urgent” IT/security messages.
- Verify requests out‑of‑band (OOB) by requiring employees to confirm any sensitive request (password reset, wire transfer, gift cards, etc.) using a known phone number, chat, or ticket instead of simply replying to the original email or text.
- Limit access and privileges by enforcing the principle of least privilege (PoLP) so a single compromised account can’t reach everything across your network.
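The MFA fatigue pattern described above is also detectable on the defender's side. The following Python snippet is an added example, not code from the article or from DoorDash: it scans a constructed sample of identity-provider push logs for a burst of pushes to one account inside a short window and notes when such a burst ends in an approval, the signature of a user giving in. The log format, the ten-minute window and the threshold of three pushes are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an identity provider's MFA push log (not real data).
# Fields: ISO-8601 timestamp, username, push result.
SAMPLE_LOG = """\
2025-10-25T02:10:03Z alice APPROVED
2025-10-25T02:14:41Z bob DENIED
2025-10-25T02:14:52Z bob DENIED
2025-10-25T02:15:07Z bob DENIED
2025-10-25T02:15:20Z bob DENIED
2025-10-25T02:15:33Z bob DENIED
2025-10-25T02:16:01Z bob APPROVED
2025-10-25T03:02:12Z carol DENIED
"""

def parse_log(text):
    """Turn raw log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def find_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: (max_pushes_in_window, approved_after_burst)} for every
    user who received at least `threshold` pushes within `window`.
    approved_after_burst is True when a qualifying burst ended in APPROVED."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    flagged = {}
    for user, evs in by_user.items():
        start, max_pushes, approved_after_burst = 0, 0, False
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                max_pushes = max(max_pushes, len(burst))
                if burst[-1][1] == "APPROVED":
                    approved_after_burst = True
        if max_pushes:
            flagged[user] = (max_pushes, approved_after_burst)
    return flagged

if __name__ == "__main__":
    for user, (count, approved) in find_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {count} pushes in window, approved after burst: {approved}")
```

An alert on `approved_after_burst` is the one worth paging on, since it indicates the attacker likely now holds a valid session for that account.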
Review Your Incident Response and Security Posture
