For almost a month, customers of the online food delivery company DoorDash flooded social media platforms with reports of account hacks. The company had not commented previously, but it now says that DoorDash customers possibly suffered a credential stuffing attack that led to them losing control of their accounts or being subjected to fraudulent purchases.
DoorDash Customers Targeted With Credential Stuffing Attack
Over the course of one month, DoorDash customers posted a multitude of tweets and Reddit threads complaining of account hacks. The chaos kept growing until recent reports revealed that the DoorDash customers possibly suffered a credential stuffing attack.
As reported, customer complaints about DoorDash account hacks kept growing on social media for about a month. All the complaints described almost identical incidents. In almost all cases, the hackers changed the account email addresses and/or made purchases with users' credit cards.
Although the incidents seemingly hinted at a cyber attack at the firm level, DoorDash confirmed in a blog post that the users suffered a credential stuffing attack.
“Our fraud detection and security teams are monitoring this situation closely and are continuing to investigate. Based on our initial investigation, we believe that DoorDash consumer accounts were accessed via credential stuffing.”
As for the extent of the impact, the firm claims the attack affected only a “small subset” of users.
“We have been notified by a small subset of DoorDash users (a fraction of one percent) that unauthorized orders may have been placed on their accounts.”
Customers Urged To Reset Passwords
Credential stuffing attacks exploit user account credentials obtained from other websites. They particularly affect users who reuse the same login credentials, especially the same account passwords, across multiple websites. Suspecting this as the cause of the recent wave of DoorDash hacks, the company advises users to reset their passwords.
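From the defender's side, the pattern described in this article (one source trying credentials against many accounts, then changing the email address on the ones that work) can be picked out of login logs. The following is an added example, not DoorDash's detection logic; the event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real data): (source_ip, account, event, succeeded)
EVENTS = [
    ("203.0.113.7", "alice@example.com", "login", False),
    ("203.0.113.7", "bob@example.com", "login", False),
    ("203.0.113.7", "carol@example.com", "login", True),
    ("203.0.113.7", "dave@example.com", "login", False),
    ("203.0.113.7", "erin@example.com", "login", False),
    ("203.0.113.7", "carol@example.com", "email_change", True),
    # An ordinary user who mistyped a password once, then changed their email.
    ("198.51.100.4", "frank@example.com", "login", False),
    ("198.51.100.4", "frank@example.com", "login", True),
    ("198.51.100.4", "frank@example.com", "email_change", True),
]

def stuffing_sources(events, min_accounts=5, max_success_ratio=0.3):
    """Return IPs that tried many distinct accounts with a low success rate.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    accounts, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, account, event, ok in events:
        if event != "login":
            continue
        accounts[ip].add(account)
        attempts[ip] += 1
        successes[ip] += ok
    return {ip for ip in attempts
            if len(accounts[ip]) >= min_accounts
            and successes[ip] / attempts[ip] <= max_success_ratio}

def likely_takeovers(events, **thresholds):
    """Accounts that logged in from a flagged IP and then had a sensitive change from it."""
    bad_ips = stuffing_sources(events, **thresholds)
    logged_in, taken_over = set(), []
    for ip, account, event, ok in events:
        if ip not in bad_ips or not ok:
            continue
        if event == "login":
            logged_in.add((ip, account))
        elif event in ("email_change", "order") and (ip, account) in logged_in:
            if account not in taken_over:
                taken_over.append(account)
    return taken_over

if __name__ == "__main__":
    print(stuffing_sources(EVENTS), likely_takeovers(EVENTS))
```

Accounts returned by `likely_takeovers` are candidates for a forced password reset and a review of recent orders. Per-IP counting alone misses attacks spread across many source addresses.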
Some time ago, Jersey Mike’s also warned their customers to reset passwords after suspecting a cyber attack via a third party. Like DoorDash, they also claimed that their website remained safe from any direct cyber attack. As for the DoorDash hacks, the investigations are still underway. We therefore hope to receive further details about the incident in the upcoming days. We shall keep our readers updated on this case.