Food delivery startup DoorDash has received dozens of complaints from customers who say their accounts have been hacked.
Dozens of people have tweeted at @DoorDash with complaints that their accounts had been improperly accessed and had fraudulent food deliveries charged to
In many cases, the hackers changed their email addresses so that the user could not regain access to their account until they contacted
Yet, many said that they never got a response from DoorDash, or if they did, there was no resolution.
Several Reddit threads also point to similar complaints.
DoorDash is now a $4 billion company after raising $250 million last month, and serves more than 1,000 cities across the United States and Canada.
After receiving a tip, TechCrunch contacted some of the affected customers.
Four people we spoke to who had tweeted or commented that their accounts had been hacked said that they had used their DoorDash password on other sites.
Three people said they weren't sure if they used their DoorDash password elsewhere.
But six people we spoke to said that their password was unique to DoorDash, and three confirmed they used a complicated password generated by a password manager.
DoorDash said that there has been no data breach and that the likely culprit was credential stuffing, in which hackers take lists of stolen usernames and passwords and try them on other sites that may use the same credentials.
Yet, when asked, DoorDash could not explain how six accounts with unique passwords were breached.
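Credential stuffing leaves a distinctive footprint in a login log: one source tries many different accounts, each only once or twice, with a high failure rate and the occasional success where the reused password matched. A classic brute force hammers one account with many guesses. The detector below is an added example, not code from the article or from DoorDash; the log line format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing versus brute-force sources in a web login log.

Added example. The log format (ts src=... user=... result=OK|FAIL), the
sample lines and the thresholds are constructed assumptions, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not real DoorDash traffic).
# 203.0.113.5 sprays many accounts once each: stuffing.
# 198.51.100.7 hits one account repeatedly:    brute force.
# 192.0.2.9 is an ordinary single login.
SAMPLE_LOG = """\
2019-09-10T12:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2019-09-10T12:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2019-09-10T12:00:02Z src=203.0.113.5 user=carol@example.com result=OK
2019-09-10T12:00:03Z src=203.0.113.5 user=dave@example.com result=FAIL
2019-09-10T12:00:03Z src=203.0.113.5 user=erin@example.com result=FAIL
2019-09-10T12:00:04Z src=203.0.113.5 user=frank@example.com result=FAIL
2019-09-10T12:00:05Z src=198.51.100.7 user=grace@example.com result=FAIL
2019-09-10T12:00:06Z src=198.51.100.7 user=grace@example.com result=FAIL
2019-09-10T12:00:07Z src=198.51.100.7 user=grace@example.com result=FAIL
2019-09-10T12:00:08Z src=198.51.100.7 user=grace@example.com result=FAIL
2019-09-10T12:00:09Z src=198.51.100.7 user=grace@example.com result=FAIL
2019-09-10T12:00:10Z src=198.51.100.7 user=grace@example.com result=OK
2019-09-10T12:00:11Z src=192.0.2.9 user=heidi@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Return a list of (timestamp, src, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_attempts=5,
                     min_distinct_users=5, min_fail_rate=0.6):
    """Return {src: 'stuffing' | 'brute_force'} for sources over threshold.

    Thresholds are illustrative assumptions; tune them on real traffic.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window so it spans at most `window` of time
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            if len(chunk) < min_attempts:
                continue
            fails = sum(1 for _, _, ok in chunk if not ok)
            if fails / len(chunk) < min_fail_rate:
                continue
            users = {u for _, u, _ in chunk}
            if len(users) >= min_distinct_users:
                findings[src] = "stuffing"      # many accounts, mostly failing
            elif len(users) == 1:
                findings.setdefault(src, "brute_force")  # one account, many guesses
    return findings


def compromised_accounts(events):
    """Accounts that logged in successfully from a source flagged as stuffing.

    These are the ones to force a password reset and session revocation on.
    """
    stuffing = {s for s, kind in classify_sources(events).items() if kind == "stuffing"}
    return {user for _, src, user, ok in events if ok and src in stuffing}
```

The distinction matters for response: a brute-force hit warrants a lockout or step-up on the one account, while a stuffing source with any successful logins means every account it touched should be reset and its sessions invalidated, whether or not the owner has complained yet.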
"We do not have any information to suggest that DoorDash has suffered a data breach," said spokesperson Becky Sosnov in an
"To the contrary, based on the information available to us, including internal investigations, we have determined that the fraudulent activity reported by consumers resulted from credential stuffing."
The victims that we spoke to said they used either the app or the website,
Some were only alerted when their credit cards contacted them about possible fraud.
"Simply makes no sense that so many people randomly had their accounts infiltrated for so much money at the same time," said one victim.
If, as DoorDash claims, credential stuffing is the culprit, we asked if the company would improve its password policy, which currently only requires a minimum of eight characters.
We found in our testing that a new user could enter "password" or "12345678" as their password, both of which have for years ranked in the top five worst passwords.
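A length-only rule is exactly what lets "password" and "12345678" through. The check below, an added example rather than DoorDash's or the article's code, puts that rule beside a hardened one that follows NIST SP 800-63B: accept any length from 8 to 64, normalize Unicode, and reject passwords that appear in a deny-list of common or breached values, trivial variants of them, the user's own name, or strings with almost no distinct characters. The deny-list here is a constructed handful; a real deployment would check against a large leaked-password corpus.

```python
"""Password acceptance: the 8-character-minimum rule beside a hardened check.

Added example. COMMON_PASSWORDS is a constructed stand-in for a real
breached-password corpus, and the reason strings are this example's own.
"""
import unicodedata


def weak_policy(password):
    """Length-only rule, as described for DoorDash signup."""
    return len(password) >= 8


# Constructed deny-list. A real deployment compares against a large corpus of
# leaked passwords (for example through a breached-password lookup service).
COMMON_PASSWORDS = {
    "password", "12345678", "123456789", "qwerty123", "iloveyou", "doordash",
}


def normalize(password):
    """NFKC-normalize so look-alike Unicode forms compare equal (SP 800-63B)."""
    return unicodedata.normalize("NFKC", password)


def hardened_policy(password, username="", min_len=8, max_len=64):
    """Return (accepted, reason); reason is 'ok' when accepted."""
    pw = normalize(password)
    if not (min_len <= len(pw) <= max_len):
        return False, "length"
    folded = pw.casefold()
    if folded in COMMON_PASSWORDS:
        return False, "common"
    # Catch trivial variants such as 'Password1' or 'password!'.
    stripped = folded.rstrip("0123456789!@#$%^&*.")
    if stripped in COMMON_PASSWORDS:
        return False, "common-variant"
    # Reject passwords built from the account's own identifier.
    local_part = username.casefold().split("@")[0]
    if local_part and local_part in folded:
        return False, "contains-username"
    # Reject near-repetitions such as 'aaaaaaaa' or '11111111'.
    if len(set(folded)) < 4:
        return False, "low-variety"
    return True, "ok"
```

Note what the hardened check does not do: it imposes no composition rules (digits, symbols, mixed case), since those push users toward predictable variants like "Password1" rather than toward stronger passwords, and it allows long passphrases, which is what a password manager will generate anyway.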
The company also would not say if it plans to roll out countermeasures to prevent credential stuffing, like two-factor authentication.