DoorDash is dealing with its latest security incident after confirming that an attacker accessed personal information belonging to customers, delivery workers and merchants. The company says the breach occurred after an employee was tricked through a social engineering scam that allowed unauthorized access to internal tools.

According to DoorDash, the exposed data includes names, email addresses, phone numbers and delivery addresses for people across the platform. For merchants, some business contact details were also viewed. DoorDash says financial information, Social Security numbers and order history were not accessed. The company says the attacker did not gain access to passwords and that users do not need to change their login credentials unless they want added peace of mind.

This is the third breach DoorDash has disclosed in recent years. Cybersecurity analysts note a rising trend in attacks that target front line employees rather than systems directly. Scammers often impersonate internal staff or trusted vendors to gain access to tools that would otherwise be locked behind security barriers. Several companies across the tech and service industries have reported similar incidents this year.

DoorDash says it has disabled the compromised employee account and is working with law enforcement and external security experts. The company is notifying affected users directly and says it is strengthening internal training and verification procedures. Security researchers point out that delivery platforms hold sensitive information that can be exploited for phishing campaigns, so users should be alert to suspicious messages that reference recent orders, refunds or promotions.

Millions of people use DoorDash every month across the United States and Canada. Data from previous breaches has shown that stolen contact information is often resold to scam operators who use it to launch targeted calls and emails. Consumers should monitor communication channels for anything that asks for payment details or login codes, since legitimate support teams never request that information directly.

DoorDash encourages customers and delivery workers to enable added security tools such as device verification and to review recent account activity for anything that looks out of place. While the company says the attacker did not access financial records, security experts recommend keeping an eye on future messages that appear to come from DoorDash or related brands.

The company has not yet disclosed the total number of people affected, but the scope appears to involve a significant portion of the platform. With holiday delivery season approaching, the timing adds pressure for DoorDash to restore confidence and prevent repeat incidents.