Company confirms the security incident on its blog

Sep 26, 2018 16:01 GMT  ·  By

An increasing number of DoorDash customers have reported on Twitter and Reddit that their accounts were hacked, their passwords changed, and fraudulent orders placed on their behalf.

After tens, if not hundreds, of customers reported over the past month that attackers had changed the e-mail addresses on their DoorDash accounts and ordered food with them, the on-demand restaurant courier company said on its blog that the cause was a credential stuffing attack.

In a credential stuffing attack, threat actors take large lists of username and password pairs and replay them against a site's login form with automated tooling, counting on the fact that many users reuse the same password across services.

The credential lists used against a website's user base are usually obtained either through phishing campaigns or from earlier data breaches at other online services.

As DoorDash's post details, the attack succeeded despite the fraud detection capabilities the company had in place.
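What distinguishes a credential stuffing run from a brute-force attack or a forgetful user is its shape in the authentication logs: one source tries many different accounts, each only once or twice (one leaked pair per account), and a small fraction of those attempts succeed. The following script, an added example and not DoorDash's code, flags that pattern over constructed sample log lines; the log format (timestamp, source IP, username, result), the thresholds and the sample data are all assumptions made for illustration.

```python
"""Flag credential-stuffing traffic in an authentication log.

Added example, not DoorDash's code. The log format, the thresholds and the
sample lines are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 tries ten different accounts within a few
# seconds, each exactly once, and two attempts succeed. 198.51.100.7 is a
# normal user mistyping their own password twice before getting in.
SAMPLE_LOG = """\
2018-09-25T10:00:01Z 203.0.113.5 alice@example.com FAIL
2018-09-25T10:00:02Z 203.0.113.5 bob@example.com FAIL
2018-09-25T10:00:02Z 203.0.113.5 carol@example.com OK
2018-09-25T10:00:03Z 203.0.113.5 dave@example.com FAIL
2018-09-25T10:00:04Z 203.0.113.5 erin@example.com FAIL
2018-09-25T10:00:05Z 203.0.113.5 frank@example.com FAIL
2018-09-25T10:00:05Z 203.0.113.5 grace@example.com OK
2018-09-25T10:00:06Z 203.0.113.5 heidi@example.com FAIL
2018-09-25T10:00:07Z 203.0.113.5 ivan@example.com FAIL
2018-09-25T10:00:08Z 203.0.113.5 judy@example.com FAIL
2018-09-25T10:05:00Z 198.51.100.7 alice@example.com FAIL
2018-09-25T10:05:20Z 198.51.100.7 alice@example.com FAIL
2018-09-25T10:05:41Z 198.51.100.7 alice@example.com OK
"""


def parse_line(line):
    """Parse 'ISO-timestamp ip username OK|FAIL' into (ts, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(seconds=60), min_users=8, max_per_user=2):
    """Return {ip: report} for sources whose login pattern looks like credential stuffing.

    Heuristic: within `window`, one source touches at least `min_users` distinct
    accounts and tries each at most `max_per_user` times. Many accounts with one
    pair each is the shape of a stuffing run; one account with many passwords is
    a brute force; a few tries on one account is a user who forgot their password.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            per_user = Counter(user for _, user, _ in span)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Keep the widest qualifying window so the report covers the whole run.
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(per_user),
                        "attempts": len(span),
                        # Accounts that logged in successfully from this source are
                        # the ones that need a forced reset and session revocation.
                        "compromised": sorted(u for _, u, ok in span if ok),
                    }
        if best is not None:
            report[ip] = best
    return report


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data only 203.0.113.5 is flagged, with carol and grace listed as the accounts that were actually taken over. The per-source window is the simplest signal, not a sufficient one: real stuffing campaigns are spread across proxy pools so that each IP stays under any per-IP threshold, so the same heuristic should also be run keyed on ASN, user agent or client fingerprint, and paired with a site-wide alarm on the ratio of distinct usernames to successful logins.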

DoorDash says customer accounts were compromised through credential stuffing

The incident apparently affected only a fraction of one percent of DoorDash's customers, and the company's security and fraud detection teams are monitoring and investigating the situation.

According to DoorDash's initial research after the incident was discovered, the affected accounts were compromised using passwords stolen in data breaches at other companies.

If DoorDash's conclusion is correct, only customers who reused the same password on multiple websites need to be concerned. Some affected customers, however, say they use password managers and a different password for every online service, which credential stuffing alone would not explain.

While the investigation continues, DoorDash has asked its customers to reset their passwords to prevent further accounts from being compromised.

Softpedia contacted DoorDash for further details on the incident, but the company had not responded by the time this article was published.