DoorDash Discloses Another Breach via Third-Party Vendor

DoorDash Confirms Data Breach Stemming from Compromised Third-Party Service Provider

MEDIUM
November 29, 2025
5m read
Data BreachSupply Chain AttackCloud Security

Related Entities

Other

DoorDash

MITRE ATT&CK Techniques

T1199Initial Access

Trusted Relationship

T1078Defense Evasion

Valid Accounts

Full Report

Executive Summary

On November 27, 2025, food delivery platform DoorDash confirmed it had sustained another data breach. The incident originated not from a direct attack on DoorDash's own systems, but from a security compromise at one of its third-party vendors. The unauthorized access at the vendor allowed attackers to view and potentially exfiltrate data belonging to DoorDash customers and drivers ('Dashers'). This event is the latest in a pattern of supply-chain security failures for the company, renewing scrutiny of its vendor risk management practices and the overall security of its extensive partner ecosystem.

Threat Overview

The breach exemplifies a classic supply-chain attack, where adversaries target a weaker link in the chain—in this case, a third-party service provider—to gain access to the data of a larger, more valuable target. While DoorDash has not named the compromised vendor, such partners often provide services like customer support, communications (e.g., SMS notifications), or marketing, and are frequently granted API access or credentials to the primary company's systems. By compromising the vendor, attackers effectively inherited their trusted access to DoorDash's data.

Technical Analysis

The primary MITRE ATT&CK technique at play here is T1199 - Trusted Relationship. The attackers exploited the implicit trust and established access between DoorDash and its vendor. The attack likely unfolded as follows:

  1. Vendor Compromise: The attackers first breached the third-party vendor, possibly through phishing, malware, or exploiting a vulnerability in the vendor's own systems.
  2. Abuse of Trusted Access: Once inside the vendor's network, the attackers identified and stole the credentials, API keys, or access tokens that the vendor used to connect to DoorDash's environment.
  3. Data Access and Exfiltration: Using the vendor's legitimate credentials, the attackers authenticated to DoorDash's systems and accessed customer and driver data. This activity may appear legitimate to basic security monitoring, as it originates from a 'trusted' source.

Impact Assessment

  • Recurring Security Failures: This incident further damages DoorDash's reputation for security, as it follows previous breaches, including a significant 2019 breach and another third-party incident in 2022. This pattern suggests a systemic issue in its vendor security program.
  • Data Exposure: The breach exposed an unspecified amount of customer and driver information, putting them at risk of phishing, scams, and identity theft.
  • Regulatory Scrutiny: As a company handling large volumes of personal data, DoorDash faces potential fines and regulatory action under privacy laws like the CCPA.

Detection & Response

  • API Monitoring: Organizations must implement robust monitoring and anomaly detection for all API traffic, especially from third-party integrations. Alerts should be configured for unusual data query volumes, access to new or sensitive data endpoints, or API usage outside of normal business hours.
  • Third-Party Account Auditing: All service accounts and credentials used by vendors should be regularly audited. Implement Resource Access Pattern Analysis to baseline the normal behavior of these accounts and detect deviations that could indicate a compromise.
  • Contractual Obligations: Incident response plans should include clear contractual obligations for vendors to report security incidents promptly.

Mitigation

  • Vendor Risk Management: Implement a comprehensive third-party risk management (TPRM) program that includes rigorous security assessments before onboarding vendors and periodic audits thereafter. This is a critical Pre-compromise defense.
  • Principle of Least Privilege for APIs: Grant vendors the absolute minimum level of access required for their function. API keys should be scoped to specific actions (read-only vs. write) and data fields. Avoid granting broad, permissive access.
  • Credential Rotation: Enforce periodic rotation of all API keys and service account credentials shared with third parties.
  • Network Segmentation: If vendors require network access, they should be placed in a highly restricted, isolated network segment with strict traffic filtering rules, a form of Network Isolation.

Timeline of Events

1
November 27, 2025
DoorDash discloses the data breach caused by a third-party vendor.
2
November 29, 2025
This article was published

MITRE ATT&CK Mitigations

User Account Management

M1018enterprise

Strictly manage the lifecycle and permissions of all third-party service accounts, ensuring they adhere to the principle of least privilege.

Limit Access to Resource Over Network

M1035enterprise

Restrict vendor access to only the specific data and API endpoints required for their function, and deny all other access by default.

Mapped D3FEND Techniques:

D3-NI

Audit

M1047enterprise

Continuously audit the activity of all third-party accounts and API keys to detect anomalous behavior that could indicate a compromise.

D3FEND Defensive Countermeasures

Resource Access Pattern Analysis

D3-RAPAMaps to MITREM1040
D3FEND

To detect the abuse of third-party vendor credentials, DoorDash should implement continuous analysis of resource access patterns for all service accounts and API keys. By establishing a baseline of normal activity—what data is accessed, how much, from where, and when—for each vendor, deviations can be quickly identified. For instance, if a vendor that normally only accesses driver location data suddenly starts querying customer PII, or if its data access volume spikes by 1000%, a high-fidelity alert should be triggered. This behavioral approach is essential for catching attackers who are using legitimate, stolen credentials, as signature-based methods will fail.

Application Configuration Hardening

D3-ACHMaps to MITREM1054
D3FEND

DoorDash must enforce the principle of least privilege for all third-party integrations through strict application configuration hardening. This means that every API key and service account provided to a vendor must be scoped with the minimum possible permissions. For example, if a vendor only needs to send SMS notifications, its API key should only have permission to access the 'send_sms' endpoint and nothing else. It should not be able to read customer data. By configuring these granular permissions at the application layer, the potential impact of a vendor compromise is drastically limited. An attacker who steals the key can only perform the limited functions it was granted, preventing a widespread data breach.

Sources & References

Top Data Breaches of November 2025
Strobes Security (strobes.co) November 28, 2025
Cyber Briefing: 2025-11-28
YouTube (youtube.com) November 28, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

data breachsupply chain attackdoordashthird party riskapi security

📢 Share This Article

Help others stay informed about cybersecurity threats

Continue Reading

Previous All Next