The food delivery startup DoorDash has received dozens of complaints from consumers who say their accounts have been hacked.
Lots of people have tweeted at @DoorDash to complain that their accounts had been accessed without authorization and that fraudulent food deliveries had been charged to them.
In many cases, the hackers changed the email address on the account so that the user could not recover access until they contacted customer service.
However, many said they didn’t get any response from DoorDash, or if they did, there was no solution.
Many Reddit threads also contain similar complaints.
DoorDash is presently a $4 billion company after raising $250 million last month and operates in more than 1,000 cities across the U.S. and Canada.
DoorDash’s Take on the Incident
DoorDash said that there has been no data breach and that the possible culprit was credential stuffing.
This is where hackers take lists of stolen usernames and passwords and try them on other sites where users have reused the same credentials.
However, when asked, DoorDash could not explain how six accounts with unique passwords were breached.
A spokesperson said that they don’t have any information to suggest that DoorDash has suffered a data breach.
Rather, based on the information available to them, including internal investigations, they have concluded that the fraudulent activity reported by consumers resulted from credential stuffing.
We asked whether, if credential stuffing is the culprit as DoorDash says, the company would change its password policy, which presently requires only a minimum of eight characters.
We found out in our testing that a new user could enter “password” or “12345678” as their password, which have for years ranked in the top five worst passwords.
The company would also not say if it intends to roll out countermeasures to block credential stuffing, like two-factor authentication.
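One countermeasure of the kind discussed above is detection on the login log. The following is an added example, not DoorDash's code: it flags source IPs that try many distinct accounts with mostly failed logins, then lists accounts where such an IP logged in and later changed the email address. The event format, thresholds, function names and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (unix_time, source_ip, account, action, success).
# The tuple format, IPs (documentation ranges) and account names are assumptions.
ATTACKER, USER = "203.0.113.7", "198.51.100.20"
EVENTS = [(1000 + 10 * i, ATTACKER, name, "login", name == "carol")
          for i, name in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
EVENTS += [
    (1100, ATTACKER, "carol", "email_change", True),  # takeover step
    (1005, USER, "grace", "login", False),            # ordinary typo, then success
    (1020, USER, "grace", "login", True),
    (1200, USER, "grace", "email_change", True),      # legitimate change
]

def stuffing_sources(events, window=300, min_accounts=5, max_success_ratio=0.3):
    """IPs that tried >= min_accounts distinct accounts inside `window` seconds
    while succeeding on at most max_success_ratio of those attempts."""
    by_ip = defaultdict(list)
    for ts, ip, account, action, ok in events:
        if action == "login":
            by_ip[ip].append((ts, account, ok))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans <= `window` seconds.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {account for _, account, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(accounts) >= min_accounts and successes / len(span) <= max_success_ratio:
                flagged.add(ip)
                break
    return flagged

def likely_takeovers(events, flagged_ips):
    """Accounts where a flagged IP logged in successfully and then changed the email."""
    logged_in, taken = set(), []
    for ts, ip, account, action, ok in sorted(events):
        if ip not in flagged_ips or not ok:
            continue
        if action == "login":
            logged_in.add((ip, account))
        elif action == "email_change" and (ip, account) in logged_in:
            taken.append(account)
    return taken
```

Counting distinct accounts per source, rather than raw failures, keeps a single user who mistypes their own password from being flagged.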
How Were The Victims Targeted?
The victims the company spoke with said they used the app or the website, or in some cases both.
Some only found out when their credit card providers contacted them about possible fraud.
One of the victims said that it makes no sense that so many people randomly had their accounts infiltrated for so much money at the same time.