DoorDash Hit by Cybersecurity Breach, Millions of Users Potentially Exposed

Food delivery operator DoorDash has been hit by another data breach, with millions of users across the US, Canada, Australia, and New Zealand potentially impacted.

The company notified customers last week that personal information had been compromised after a DoorDash employee fell victim to a social engineering scam, giving an outside actor access to internal systems. The stolen data included first and last names, physical addresses, phone numbers, and email addresses for a still-undisclosed number of users.

In an email to customers, DoorDash said that on Wednesday, its security team identified a cybersecurity incident in which an unauthorized third party gained access to and took certain user contact information. The company added that the type of data taken varied by individual, which has created some confusion among customers about what may have been exposed in their case.

DoorDash emphasized that no sensitive information had been accessed, stating that it had no indication that the stolen contact information had been used for fraudulent purposes or identity theft.

However, several affected users pushed back on this characterization. For example, cybersecurity professional Kostas Tsalas said on X that the stolen information should be considered sensitive, as this combination gives criminals multiple attack paths.

With enough basic personal details, scammers can craft convincing phishing attempts, try account recovery routes on other services, or simply increase the volume of targeted spam and scam efforts.

Social engineering is a growing tool for scammers as it relies on human error, rather than technical exploits. These scams typically work by hackers impersonating employees, vendors, or customers to trick staff into revealing internal information or granting access to systems. Hackers typically have information on company processes, allowing them to create believable pretexts to slip past normal security controls.

DoorDash users stay on high alert

DoorDash users have also criticised the company for waiting 19 days before notifying anyone of the breach. During that window, exposed customers were left unaware that scammers may have obtained their contact information, giving attackers a potential early advantage.

In its email, DoorDash warned customers to stay alert for unsolicited messages pretending to be from the company, and urged users not to click on any links or attachments sent to them unexpectedly.

The breach comes at a time when phishing scams and data theft operations are surging globally. Only last week, Google filed a high-profile lawsuit against the creators of a China-based scam marketplace accused of orchestrating more than one billion dollars in theft. That case highlighted not only the scale of modern cybercrime operations but also the increasingly sophisticated services on offer.

Social engineering gets another company

DoorDash now joins a growing list of major organisations compromised through social engineering. In August, HR and payroll platform Workday disclosed a similar incident that allowed attackers to access limited customer data.

According to Palo Alto Networks, social engineering has rapidly become the top cybersecurity threat for companies, accounting for 36 percent of all intrusions from May 2024 to May 2025 and surpassing both malware incidents and software vulnerability exploits.
