Cyber Incident Victim: DoorDash
Date: Sep 2018
Location: United States of America
Summary
Customers of a food delivery service reported unauthorized account access, with hackers altering email addresses and charging fraudulent food deliveries, preventing victims from regaining access without customer service intervention. The company attributed the incidents to credential stuffing, denying any internal data breach, though it could not explain compromised accounts with unique, password manager-generated credentials. Security practices were criticized for permitting weak passwords and lacking two-factor authentication or other countermeasures against credential stuffing attacks.
Description
In late September 2018, DoorDash customers began reporting unauthorized access to their accounts, posting primarily on Twitter and Reddit. Dozens of users documented instances where attackers altered account email addresses, preventing legitimate owners from regaining access without customer service intervention. Fraudulent food delivery charges appeared on compromised accounts, with some victims discovering the activity only after credit card companies flagged suspicious transactions. TechCrunch verified these reports by contacting affected individuals, finding that four victims had reused their DoorDash passwords on other sites while three were uncertain about their password practices. Notably, six confirmed using passwords unique to DoorDash, including three who employed complex credentials generated by password managers. Customers attempting to resolve issues reported delayed or nonexistent responses from DoorDash support, which left them unable to stop ongoing fraudulent charges.

DoorDash publicly denied experiencing a data breach, attributing the incidents to credential stuffing attacks, in which attackers reuse credentials leaked from other platforms. Spokesperson Becky Sosnov stated internal investigations found no evidence of system compromise, maintaining that fraudulent activity stemmed exclusively from reused credentials. However, when questioned by TechCrunch, the company could not explain how accounts with unique, password manager-generated passwords were compromised. Security practices came under scrutiny when reporters discovered DoorDash permitted weak passwords like "password" or "12345678," despite these being consistently ranked among the most vulnerable options. The company declined to comment on implementing additional security measures such as two-factor authentication or enhancing password complexity requirements. This stance generated skepticism among affected users, with one noting the improbability of simultaneous, high-value account takeovers occurring randomly across numerous customers.
