DoorDash Breach Incident Score: Analysis & Impact (DOO3603136112725)
The Rankiteo video explains how DoorDash has been impacted by a breach on June 16, 2019.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of DoorDash's breach and lateral movement inside the company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts DoorDash's Rankiteo cyber scoring and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the DoorDash breach identified under incident ID DOO3603136112725.
The analysis begins with a detailed overview of DoorDash's information, such as the LinkedIn page: https://www.linkedin.com/company/doordash-for-business, the number of followers: 1424762, the industry type: Software Development, and the number of employees: 74124.
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score was 766 before the incident and 766 after it, a difference of 0, which could be a good indicator of the severity and impact of the incident.
In the next step of the video, we will analyze in more detail the incident and the impact it had on DoorDash and its customers.
On 20 October 2025, DoorDash disclosed data breach issues under the banner "DoorDash Data Breach via Social Engineering (October 2025)".
DoorDash, the food delivery app, suffered a major data breach in October 2025 due to social engineering, where a scammer convinced an employee to grant access to company data.
The disruption is felt across the environment, exposing names, addresses and phone numbers, with nearly millions of records at risk.
In response, teams activated the incident response plan and began remediation that includes customer notification emails, an advisory for credit freezes/monitoring, and password reset and 2FA recommendations. Stakeholders are being briefed through email notifications, a toll-free helpline (1-800-833-8030, ref: B155060) and a public advisory on phishing risks.
The case is marked as ongoing (no public updates on root cause analysis). Teams are taking away lessons such as: social engineering remains a critical vulnerability and employee training is essential; delayed breach notifications erode customer trust and increase risks (e.g., phishing); and proactive credit monitoring/freezes should be recommended to affected users. Recommended next steps are to implement stricter access controls and social engineering awareness programs, accelerate breach disclosure timelines to comply with best practices (e.g., GDPR's 72-hour rule), and offer free credit monitoring services to affected customers. Advisories going out to stakeholders cover: customers advised to freeze credit (Equifax, TransUnion, Experian links provided), a warning against phishing calls/emails impersonating DoorDash, and a recommendation to change passwords and enable 2FA.
Finally, we try to match the incident against the MITRE ATT&CK framework to see whether there is any correlation.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence:
- Initial Access: Phishing: Spearphishing Link (T1566.002), moderate to high confidence (85%), supported by evidence indicating a social engineering attack where a scammer manipulated an employee into granting unauthorized access.
- Initial Access: Valid Accounts: Cloud Accounts (T1078.004), high confidence (90%), supported by evidence indicating an employee was led to grant access to company systems via social engineering.
- Credential Access: Steal Web Session Cookie (T1539), moderate to high confidence (70%); no direct evidence, but implied by unauthorized access to company systems via a manipulated employee.
- Collection: Data from Local System (T1005), high confidence (95%), supported by evidence indicating exposed personal information of millions of customers, including names, addresses, phone numbers, and email addresses.
- Exfiltration: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003), moderate to high confidence (80%), supported by evidence indicating data exfiltration (method unspecified, but PII was stolen).
- Impact: Phishing for Information: Spearphishing Service (T1598.003), high confidence (90%), supported by evidence indicating that the stolen data heightens risks of spear-phishing attacks using leaked PII.
- Impact: Data Destruction (T1485), lower confidence (10%); no direct evidence, but implied by systemic weaknesses (low confidence).
- Defense Evasion: Valid Accounts: Cloud Accounts (T1078.004), high confidence (90%), supported by evidence indicating an employee was manipulated into granting unauthorized access (abuse of legitimate credentials).
- Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001), lower confidence (30%); no direct evidence, but implied by delayed detection (19-day notification gap).

These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
Sources
- DoorDash Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/doordash/incident/DOO3603136112725
- DoorDash CyberSecurity Rating page: https://www.rankiteo.com/company/doordash
- DoorDash Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/doo3603136112725-doordash-breach-june-2019/
- DoorDash CyberSecurity Score History: https://www.rankiteo.com/company/doordash/history
- DoorDash CyberSecurity Incident Source: https://www.forbes.com/sites/steveweisman/2025/11/26/doordash-data-breach-delayed-notification-puts-millions-at-risk-of-scams/
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://www.rankiteo.com/static/Rankiteo%20Cybersecurity%20Rating%20Model.pdf





