← Back to incidents

Incident · Unknown

DoorDash, Inc. · DASH

Consumer DiscretionaryUSAIncident October 1, 2025Filed February 18, 2026
Impact score
Business continuity
Insurance involved
Not disclosed
Filing
10-K · 10-K

Breach taxonomy

UnknownData ExfilAccount TakeoverPhishingPersonal DataInfo Privacy Loss

Summary

In October 2025, DoorDash identified a cybersecurity incident in which an employee was targeted by a social engineering scheme that enabled an unauthorized third party to gain access to certain internal systems and obtain limited contact information for a mix of users, including merchants, consumers, and Dashers. DoorDash devoted significant resources to investigation, remediation, and notification. The company determined the incident did not have a material impact on its business, results of operations, or financial condition. Disclosed in annual 10-K; company determined the incident was not material.

Tagging rationale

ThreatUnknown

Filing does not attribute the incident to a specific actor category -> UNKNOWN.

MethodsData ExfilAccount TakeoverPhishing

An employee was targeted by a social engineering scheme (PHISHING) that enabled the attacker to take over access to internal systems (ACCOUNT-TAKEOVER) and extract user contact information (DATA-EXFIL).

AssetsPersonal Data

Filing states 'limited contact information relating to a mix of users, including merchants, consumers, and Dashers' was obtained -> PERSONAL-DATA.

EffectsInfo Privacy Loss

Contact information for platform users was obtained by an unauthorized third party -> INFO-PRIVACY-LOSS.

Impact

Limited contact information only, no financial or operational impact, company explicitly determined the incident was not material -> score 1.

InsuranceNot disclosed

Filing makes no mention of insurance in connection with this incident -> null.

Read the original SEC filing excerpt
in October 2025, we identified and disclosed a cybersecurity incident in which an employee was the target of a social engineering scheme that enabled an unauthorized third party to gain access to certain internal systems and obtain limited contact information relating to a mix of users, including merchants, consumers, and Dashers that use our platform. Although we determined that this incident did not have a material impact on our business, results of operations, or financial condition, it required us to devote significant time and resources to investigation, remediation, and notification, and underscores the ongoing risks posed by these and other schemes.
View SEC filingBack to database

More in Consumer Discretionary

Unknown · March 28, 2026

Hasbro, Inc.

On March 28, 2026, Hasbro identified unauthorized access to its corporate network. The company activated its security incident response prot

Unknown · March 19, 2026

RCI Hospitality Holdings, Inc.

RCI Internet Services, a subsidiary of RCI Hospitality Holdings, discovered on March 23, 2026 a cybersecurity incident that began on March 1

Priv Insider · November 18, 2025

Coupang, Inc.

On November 18, 2025, Coupang Corp. (a Korean subsidiary of Coupang, Inc.) detected a cybersecurity incident in which a former employee may

Cyber Criminals · October 15, 2025

Jewett-Cameron Trading Co. Ltd.

On October 15, 2025, Jewett-Cameron Trading Co. Ltd. discovered a threat actor had gained unauthorized access to its IT environment, deployi