Opening incident

Loading disclosure

Pulling the filing, breach taxonomy, and impact scoring…

Duke

Blog Incident database Request access

Loading database

Indexing incidents

Fetching SEC-disclosed cyber incidents and Duke's breach taxonomy…

Duke

Blog Incident database Request access

Opening incident

Loading disclosure

Pulling the filing, breach taxonomy, and impact scoring…

DoorDash, Inc. Unknown (2025) | SEC Cybersecurity Incident | Duke Security

Duke

Blog Incident database Request access

← Back to incidents

Incident · Unknown

DoorDash, Inc. · DASH

Consumer DiscretionaryUSAIncident October 1, 2025Filed February 18, 2026

Impact score

Business continuity

—

Insurance involved

Not disclosed

Filing

10-K · 10-K

Breach taxonomy

UnknownData ExfilAccount TakeoverPhishingPersonal DataInfo Privacy Loss

Summary

In October 2025, DoorDash identified a cybersecurity incident in which an employee was targeted by a social engineering scheme that enabled an unauthorized third party to gain access to certain internal systems and obtain limited contact information for a mix of users, including merchants, consumers, and Dashers. DoorDash devoted significant resources to investigation, remediation, and notification. The company determined the incident did not have a material impact on its business, results of operations, or financial condition. Disclosed in annual 10-K; company determined the incident was not material.

Tagging rationale

ThreatUnknown

Filing does not attribute the incident to a specific actor category -> UNKNOWN.

MethodsData ExfilAccount TakeoverPhishing

An employee was targeted by a social engineering scheme (PHISHING) that enabled the attacker to take over access to internal systems (ACCOUNT-TAKEOVER) and extract user contact information (DATA-EXFIL).

AssetsPersonal Data

Filing states 'limited contact information relating to a mix of users, including merchants, consumers, and Dashers' was obtained -> PERSONAL-DATA.

EffectsInfo Privacy Loss

Contact information for platform users was obtained by an unauthorized third party -> INFO-PRIVACY-LOSS.

Impact

Limited contact information only, no financial or operational impact, company explicitly determined the incident was not material -> score 1.

InsuranceNot disclosed

Filing makes no mention of insurance in connection with this incident -> null.

Read the original SEC filing excerpt

in October 2025, we identified and disclosed a cybersecurity incident in which an employee was the target of a social engineering scheme that enabled an unauthorized third party to gain access to certain internal systems and obtain limited contact information relating to a mix of users, including merchants, consumers, and Dashers that use our platform. Although we determined that this incident did not have a material impact on our business, results of operations, or financial condition, it required us to devote significant time and resources to investigation, remediation, and notification, and underscores the ongoing risks posed by these and other schemes.

View SEC filing Back to database

Get alerts on new incidents

Drop your email and we’ll let you know when fresh SEC disclosures land in the database. No spam.

More in Consumer Discretionary

Unknown · March 28, 2026

Hasbro, Inc.

On March 28, 2026, Hasbro identified unauthorized access to its corporate network. The company activated its security incident response prot…

Unknown · March 19, 2026

RCI Hospitality Holdings, Inc.

RCI Internet Services, a subsidiary of RCI Hospitality Holdings, discovered on March 23, 2026 a cybersecurity incident that began on March 1…

Priv Insider · November 18, 2025

Coupang, Inc.

On November 18, 2025, Coupang Corp. (a Korean subsidiary of Coupang, Inc.) detected a cybersecurity incident in which a former employee may …

Cyber Criminals · October 15, 2025

Jewett-Cameron Trading Co. Ltd.

On October 15, 2025, Jewett-Cameron Trading Co. Ltd. discovered a threat actor had gained unauthorized access to its IT environment, deployi…