DoorDash discloses data breach and $18M Chicago settlement

DoorDash faces new challenges after disclosing a cybersecurity incident and separately agreeing to a legal settlement with the City of Chicago over longstanding allegations of deceptive business practices.

On November 13, DoorDash confirmed in a notice to users that it experienced a data breach caused by a social engineering attack targeting an employee. 

The breach, which occurred on October 25, allowed an unauthorized person to access the personal information of certain users, including Dashers and merchants, such as names, email addresses, phone numbers, and physical addresses.

DoorDash stated that it revoked the access immediately and notified the affected users. Law enforcement is now investigating the incident.

A DoorDash data breach comes as its stock is down 20% this month.

DoorDash reacts to data breach

DoorDash has emphasized that no sensitive data, such as payment information, government IDs, or Social Security numbers, was exposed by the data breach, and said there is no “indication the data has been misused for fraud or identity theft at this time.”

The breach triggered backlash online, with Reddit users criticizing DoorDash for downplaying names and home addresses as “non-sensitive” information.

The company said it is reinforcing employee training and strengthening authentication protocols to prevent future incidents. 

The incident comes during a period of heightened stock market volatility. While DoorDash’s stock has performed well year to date, up 23.8%, it is down 21% this month and 16% over the quarter, reflecting investor uncertainty following its Q3 reports earlier this month.

Legal scrutiny adds to DoorDash’s challenges

On November 14, DoorDash agreed to pay $18 million to settle a 2021 lawsuit brought by the city of Chicago, alleging hidden fees, deceptive tipping practices, and unauthorized restaurant listings during the pandemic.

The settlement resolves claims that DoorDash misled diners with hidden fees, used tips to subsidize its own costs, and failed to inform customers that the complete tip does not reach the Dasher.

DoorDash stated that this settlement “isn’t an admission of wrongdoing and the allegations in this lawsuit focus on business practices that no longer exist.”

According to the terms of the agreement:

  • DoorDash will pay $4 million in credits to eligible Chicago users beginning January 28, 2026. 
  • It will pay $3.25 million to restaurants listed without consent and currently not on the platform.
  • $5.8 million will be paid in delivery commission and market credits to eligible restaurants.
  • $500,000 will be for the drivers delivering food orders in Chicago as of September 2019.
  • $4.5 million will be paid to the City of Chicago to cover the cost of the lawsuit.

The lawsuit stemmed from a broader city investigation into third-party meal delivery companies, implicating DoorDash and its rival, Grubhub. 

The lawsuit against Grubhub is still pending.
