According to TechRepublic, DoorDash has disclosed another significant data breach affecting millions of users across the US, Canada, Australia, and New Zealand. The incident occurred when an employee fell victim to a social engineering scam, allowing unauthorized access to internal systems containing customer contact information. Stolen data included first and last names, physical addresses, phone numbers, and email addresses, though DoorDash hasn’t revealed exact numbers affected. The company waited 19 days before notifying customers about the breach that happened in late May. DoorDash claims no sensitive information was accessed and that the stolen data hasn’t been used for fraudulent purposes, but cybersecurity professionals are pushing back on that assessment.
The Social Engineering Reality
Here’s the thing about social engineering attacks – they’re becoming the hacker’s weapon of choice because they bypass all the fancy technical security measures. Basically, instead of trying to crack encryption or find software vulnerabilities, attackers just trick employees into giving them access. They impersonate colleagues, vendors, or even customers using information they’ve gathered about company processes. And it’s working – Palo Alto Networks says social engineering now accounts for 36% of all intrusions, surpassing both malware and software exploits. That’s a massive shift in the threat landscape.
Why Your Contact Info Actually Matters
DoorDash keeps saying no “sensitive” information was stolen, but cybersecurity professional Kostas Tsalas called that out on X. Think about it – with your name, address, phone number, and email, scammers have everything they need for convincing phishing attacks. They can try account recovery on your other services, craft personalized scam messages, or just bombard you with targeted spam. This isn’t just about getting more pizza delivery spam – it’s about creating multiple attack paths into your digital life. When companies downplay this kind of breach, they’re not being entirely honest about the risks.
The 19-Day Notification Problem
Nineteen days. That’s how long DoorDash waited to tell customers their information might be in the wrong hands. During that nearly three-week window, attackers had exclusive access to this data while users remained completely unaware. That delay gives scammers a huge head start for crafting targeted attacks. And this isn’t DoorDash’s first security incident – they’ve had previous breaches, which makes you wonder about their security culture. When companies handling sensitive customer data don’t prioritize rapid breach notification, they’re essentially leaving their users exposed without even warning them to be extra vigilant.
A Growing Threat For Everyone
This DoorDash incident is part of a much larger pattern. Just last week, Google sued creators of a Chinese scam marketplace accused of orchestrating over $1 billion in theft. In August, Workday had a similar social engineering breach. The common thread? Human vulnerability. As technical defenses improve, attackers are increasingly targeting the human element. For businesses relying on technology infrastructure – whether it’s food delivery platforms or industrial panel PC manufacturers securing factory operations – the lesson is clear: employee security training is no longer optional. It’s your first line of defense against these sophisticated social engineering campaigns.
