DoorDash, the popular food delivery service, has confirmed a data breach that exposed personal information belonging to an unspecified number of its customers, delivery workers, and merchants. The compromised data includes names, email addresses, phone numbers, and physical addresses.
Despite the theft of phone numbers and physical addresses, DoorDash stated that "no sensitive information" was accessed by the unauthorized third party. The company also indicated that there is currently no evidence of the data being misused for fraud or identity theft.
The breach impacted a mix of users across its platform. A company spokesperson, Michelle Babin, declined to provide an exact number of affected individuals, instead reiterating details from a blog post about the incident.
The incident originated from a social engineering attack where an employee was tricked, granting hackers unauthorized access to DoorDash's systems. Upon identifying the breach, DoorDash immediately shut down the hackers' access, launched an investigation, and reported the incident to law enforcement, according to a post published by the company.
DoorDash reassured users that "Social Security numbers, other government-issued identification numbers, driver’s license information, or bank or payment card information" were not stolen as part of the breach. The company has since notified all impacted users.
