Food delivery app DoorDash has been swarmed by angry customers who claim their accounts have been hacked. These users were billed for food they never ordered, and the incidents are a PR nightmare for the food delivery startup.
Several people tweeted at DoorDash to get its attention, but to little or no avail. In many cases, the hackers had changed the email address on the user’s account.
This meant many customers lost access to the app and had to contact customer service to regain control of their accounts.
DoorDash hasn’t responded to many users’ complaints. The few users who got a response didn’t get their issues resolved. Many users even took to Reddit to voice their concerns.
Four customers who tweeted that their accounts had been hacked told TechCrunch that they had used their DoorDash passwords on other websites as well. Three people were unsure whether they had reused the same password on other sites.
Out of the dozen or so people interviewed, six said they used a password specifically for DoorDash, and three of those had used a password generator to create a strong, unique password.
What is even more shocking is that a startup valued at $4 billion had such a huge lapse in security.
The food delivery startup said there was no data breach on its servers. It explained that attackers could have stolen a list of usernames and passwords from elsewhere and tried them on different platforms, such as Instagram, Twitter, Facebook and DoorDash itself.
This process is known as credential stuffing. DoorDash could not say how the accounts with unique passwords had been compromised.
Becky Sosonov, a spokesperson for DoorDash, said, “We do not have any information to suggest that DoorDash has suffered a data breach. To the contrary, based on the information available to us, including internal investigations, we have determined that the fraudulent activity reported by consumers resulted from credential stuffing.”
Some users used the smartphone app, some accessed DoorDash through its website, and some used both. Most users only found out about the fraud when their credit card companies called them about suspicious charges.
Many users were, unsurprisingly, furious with the company. Their main concern was how easy it seemed to be for the hackers to obtain users’ login details. They were also angry at the company’s apparent lack of interest in the matter.
One user said, “Simply makes no sense that so many people randomly had their accounts infiltrated for so much money at the same time.”
DoorDash says that it is not to blame for the hacks; rather, credential stuffing is the culprit in this whole matter.
But when questioned about its weak password requirements, the company did not have a clear answer. The startup’s current password policy requires a minimum of only 8 characters, and weak passwords such as “12345678” and “password” are accepted.
Many of these flaws could be addressed simply by implementing a stricter password policy and two-factor authentication.
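To make the gap concrete, here is the 8-character-minimum rule the article describes placed beside a stricter acceptance check. This is an added example written for this page, not DoorDash’s code; the 12-character minimum, the run check, the small deny-list and the sample email address are assumptions.

```python
"""Weak vs. stricter password acceptance rules (added example, not DoorDash's code)."""
import re

# Constructed stand-in for a common/breached-password deny-list; a real
# deployment would use a far larger list or a breach-check service.
COMMON_PASSWORDS = {
    "password", "12345678", "123456789", "qwerty123", "iloveyou", "letmein1",
}

SEQUENCES = "0123456789abcdefghijklmnopqrstuvwxyz"


def has_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` consecutive ascending or descending
    characters (e.g. '1234', 'dcba') or one character repeated `length` times."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if chunk in SEQUENCES or chunk in SEQUENCES[::-1] or len(set(chunk)) == 1:
            return True
    return False


def weak_policy(pw: str) -> list[str]:
    """The only rule the article describes: an 8-character minimum."""
    return [] if len(pw) >= 8 else ["shorter than 8 characters"]


def strict_policy(pw: str, email: str = "") -> list[str]:
    """Return the reasons a password is rejected (empty list == accepted).
    Thresholds (12 characters, 4-character runs) are assumed, not DoorDash's."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    norm = pw.lower()
    # Strip trailing digits/punctuation so 'password1!' still matches the list.
    base = re.sub(r"[\d\W_]+$", "", norm)
    if norm in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("on common-password deny-list")
    if has_run(pw):
        problems.append("contains a sequential or repeated run")
    local = email.split("@")[0].lower()
    if len(local) >= 4 and local in norm:
        problems.append("contains the account's email name")
    return problems


if __name__ == "__main__":
    for candidate in ("12345678", "password", "password1!", "correct-horse-battery-staple"):
        print(f"{candidate!r}: weak={weak_policy(candidate)} strict={strict_policy(candidate)}")
```

Both of the passwords the article names pass the weak rule and fail the stricter one on more than one count.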
Stay tuned for more updates!