DoorDash Just Leaked Your Data. Here’s What Actually Got Stolen
DoorDash sent breach notifications this week after hackers grabbed customer contact information. The company spotted the intrusion on October 25, but kept quiet for weeks.
What got exposed? Names, phone numbers, email addresses, and postal addresses for an undisclosed number of users. Plus, the breach hit customers, merchants, and employees across multiple countries.
Here’s the concerning part. DoorDash claims “no sensitive information was accessed” in the same breath as admitting attackers stole all your contact details. That’s some creative PR spin right there.
One Employee Fell for a Scam
The entire breach traces back to social engineering. An attacker tricked a DoorDash employee into granting system access. Classic phishing attack.
We don’t know the exact method. Could’ve been a fake IT email. Maybe a phone call impersonating support. Or a convincing text message claiming to be from management.
But the result stays the same. One employee’s mistake exposed data for potentially millions of users. That’s the scary reality of social engineering attacks.
Moreover, DoorDash won’t say how many people were affected. The notifications went primarily to Canadian users. However, an undated security advisory on their site mentions Social Security Numbers, suggesting US citizens were also hit.
SSNs May Have Been Compromised
Here’s where it gets worse. That security advisory buried on DoorDash’s website mentions Social Security Numbers in the breach scope.

The company hasn’t confirmed SSN theft in the email notifications. But they also haven’t denied it. The advisory just sits there, mentioning SSNs alongside other data types.
So did attackers steal SSNs or not? DoorDash won’t say clearly. That ambiguity leaves affected users stuck wondering if identity theft risks are real.
Plus, the company isn’t offering credit monitoring services. That’s standard practice when SSNs get exposed. Yet DoorDash skipped this step entirely.
No Protection Offered to Victims
Most data breach victims receive free credit monitoring for 12-24 months. Banks offer it. Healthcare providers offer it. Even small businesses usually provide it.
DoorDash? Nothing.
Instead, they deployed “enhancements to our security systems” and provided “additional training for our employees.” Great for preventing future breaches. Completely useless for people whose data already got stolen.
The company also hired a “leading cybersecurity forensic firm” and notified law enforcement. Again, those steps protect DoorDash. They don’t protect victims from identity theft or phishing attacks.
Phishing Attacks Will Follow
Expect a flood of fake DoorDash emails soon. Cybercriminals always capitalize on data breaches like this.

The attackers now have your name, email, phone number, and address. That’s everything needed to craft convincing phishing messages. They’ll probably send emails claiming to be from DoorDash about “urgent security updates” or “account verification required.”
Here’s what to watch for. Any message asking you to click links, verify account details, or download attachments should raise red flags. Legitimate breach notifications from DoorDash won’t request sensitive information via email.
Also, be wary of phone calls. Scammers could use your stolen phone number to call and impersonate DoorDash support. They might claim your account got compromised and needs immediate action.
Furthermore, watch your banking apps and social media accounts. Attackers might try using your stolen information to reset passwords or access other services. Enable two-factor authentication everywhere if you haven’t already.
What DoorDash Should Have Done
Let’s be clear about what’s missing here. First, timely notification. DoorDash spotted the intrusion on October 25. We’re hearing about it weeks later. That delay gave attackers time to exploit stolen data before victims could protect themselves.
Second, credit monitoring for affected users. Especially if SSNs got compromised. This should’ve been automatic, not optional.
Third, clear communication about what data actually got stolen. The vague language around “sensitive information” and the mysterious SSN mention creates confusion. Victims deserve straightforward answers about their risk level.
Finally, proactive guidance. Beyond generic warnings about phishing, DoorDash should provide specific steps users can take to protect themselves. Change these passwords. Monitor these accounts. Watch for these warning signs.
The Real Problem With Social Engineering
This breach proves something important. Even big tech companies with security teams remain vulnerable to social engineering attacks.

You can deploy the best firewalls, encryption, and monitoring tools available. But if an employee falls for a convincing scam, attackers get inside anyway. That’s why social engineering works so well.
The fix requires constant training, but not the boring compliance kind. Employees need realistic simulations of current attack methods. They need to practice spotting fake emails under time pressure. They need permission to question suspicious requests without fear of slowing down work.
DoorDash says they provided “additional training” after this incident. Better late than never. But that training should’ve prevented the breach in the first place.
What You Should Do Now
If you use DoorDash, assume your data got compromised even if you didn’t receive a notification. The company hasn’t disclosed the full scope of affected users.
Change your DoorDash password immediately. Use a unique password you don’t use anywhere else. Consider using a password manager to generate and store complex passwords.
Then enable two-factor authentication on your DoorDash account and any other services using the same email address. That adds a second layer of protection even if attackers have your password.
Watch your email, phone, and postal mail for suspicious messages. Don’t click links in unexpected emails claiming to be from DoorDash. Instead, log in directly through their official app or website.
Finally, monitor your financial accounts and credit reports for unusual activity. Even without confirmed SSN theft, the combination of name, address, phone, and email enables various identity theft schemes.
DoorDash dropped the ball on protecting user data and responding to this breach. Don’t wait for them to offer help. Take action yourself to limit the damage.