We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected.
Importantly, the phishing campaign did not compromise sensitive information and we have no reason to believe that affected personal information has been misused for fraud or identity theft at this time.
Because we value the trust our users place in us, we’re sharing an update on what happened and how we’re responding.
DoorDash recently detected unusual and suspicious activity from a third-party vendor’s computer network. In response, we swiftly disabled the vendor’s access to our system and contained the incident.
Based on our investigation, we determined the vendor was compromised by a sophisticated phishing attack. The unauthorized party used the stolen credentials of vendor employees to gain access to some of our internal tools.
The advanced tactics used appear to be connected to a wider phishing campaign that has targeted a number of other companies. We understand that law enforcement is aware of this campaign and is actively investigating. We have contacted them to offer our support.
Who was affected?
Our investigation has determined that a small percentage of individuals whose data is maintained by DoorDash was affected in connection with this incident.
What data was accessed?
For consumers, the information accessed by the unauthorized party primarily included name, email address, delivery address and phone number. For a smaller set of consumers, basic order information and partial payment card information (i.e., the card type and last four digits of the card number) was also accessed. For Dashers, the information accessed by the unauthorized party primarily included name and phone number or email address. The information affected for each impacted individual may vary.
What data was not accessed?
Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers.
What are we doing to respond?
Here are the steps we have taken to respond to this incident and help prevent similar events in the future:
- Further enhancing security. While the incident was the result of a phishing attack targeted at a third party, we took action to further enhance DoorDash’s already robust security systems, as well as our third-party vendor’s security systems. We have also shared security alerts with other third-party vendors detailing the specific tactics used and reminded employees and third-party vendors to be on alert for any suspicious activity.
- Working with security experts. We have brought in a leading cybersecurity firm to assist with our ongoing investigation.
- Notifying users and relevant authorities. We are notifying affected individuals whose information DoorDash maintains and relevant data protection authorities, where required.
- Assisting law enforcement. We have proactively contacted law enforcement to assist their investigation. We hope those responsible for this widespread phishing campaign are found and held accountable.
- Preventing future incidents. At DoorDash, a core value is getting 1% better every day. We will continue to work with external experts to further enhance the security of our systems.
We value the trust we’ve built with each and every member of the DoorDash community, and protecting our platform and your personal information is a top priority for DoorDash. We sincerely regret that this attack occurred.
For more information, please see our FAQs page below. If you have any further questions, we have set up a dedicated call center for US and Canadian consumers and Dashers at (833) 559-0221, available Monday to Friday 6am-8pm PST and weekends 8am-5pm PST.
How do I know if I was affected by this issue?
We have notified certain affected DoorDash users where required.
If my information was affected, why didn’t DoorDash notify me directly?
DoorDash has directly notified affected users where required, published information about the incident on our website, and set up a dedicated call center to answer questions from users.
Was my payment card information compromised in connection with this incident?
No. Based on our investigation to date, no sensitive information such as passwords or full payment card or bank account numbers were accessed by the unauthorized party and we have no reason to believe that affected personal information has been misused for fraud or identity theft.
Do I need to do anything to protect my account or information?
No sensitive information was accessed by the unauthorized party and at this time we have no reason to believe that affected personal information has been misused for fraud or identity theft.
It is always a good idea to be cautious of unsolicited communications that ask for your personal information or refer you to a web page asking for personal information, and avoid clicking on links or downloading attachments from suspicious emails.
What is DoorDash doing to prevent this from happening again?
We are working with the third-party vendor targeted by the phishing attack to further enhance its security systems as well as our own. We have engaged a leading cybersecurity expert to provide additional expertise and support.
I am a Wolt customer. Was I affected?
No. Only DoorDash users were affected by this incident.
How can I get more information?
If you would like more information, please visit our Newsroom or contact us via our dedicated call center available in English and French Monday to Friday 6am-8pm PT and weekends 8am-5pm PT at (833) 559-0221.