Food delivery app DoorDash has been swarmed by angry customers who claim their accounts have been hacked. These users were billed for food they never ordered. The hacks are a PR nightmare for the food delivery startup.

Several people had tweeted to DoorDash to gain their attention but to little or no avail. In many users’ cases, the hackers had changed their email addresses.
This meant many customers lost their access to the app and had to contact customer service to regain control.

DoorDash hasn’t responded to many users’ complaints. The few users who got a response didn’t get their issues resolved. Many users even took to Reddit to voice their concerns.
4 customers who tweeted that their accounts had been hacked told TechCrunch that they used their DoorDash passwords for other websites as well. Three people were unsure if they used the same password for other sites.

Out of the dozen or so people interviewed, 6 said that they used a password specifically for DoorDash. 3 users had used a password generator to create a strong and unique password.

What is even more shocking is that a startup valued at $4 billion had such a huge lapse in security.

The food delivery startup said there was no data breach on its servers. It explained that hackers could have stolen a list of usernames and passwords and tried them on different platforms, such as Instagram, Twitter, Facebook, etc.

This process is known as credential stuffing. DoorDash could not respond when they were asked about the accounts with unique passwords being hacked.

Becky Sosonov, a spokesperson for DoorDash, said, “We do not have any information to suggest that DoorDash has suffered a data breach. To the contrary, based on the information available to us, including internal investigations, we have determined that the fraudulent activity reported by consumers resulted from credential stuffing.”

Some users used the smartphone app, some accessed DoorDash through its website, and some used both. Most users only learned of the scam when their credit card companies called them about possible fraud.

Many users were unsurprisingly furious with the company. Their main concern was how seemingly easy it was for the hackers to get users’ login details. They were also angry with the company’s lack of interest in the matter.

One user said, “Simply makes no sense that so many people randomly had their accounts infiltrated for so much money at the same time.”

DoorDash says that it is not to blame for the hacks; rather, credential stuffing is the culprit in this whole matter.


But when questioned about its weak password policy, the company did not have a clear answer. The startup’s current password policy requires a minimum of only 8 characters, and weak passwords such as “12345678” and “password” can be used.

Many of these flaws can be overcome by implementing tighter security policies, such as two-factor authentication.
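As an added illustration (not code from DoorDash or from the original article), here is one way a service could spot the pattern described above in its own login records: one source trying many different accounts with few successes, followed by an email or phone change on an account it got into. The log format, event names, and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, source IP, account, event.
SAMPLE_LOG = """\
2024-01-15T10:00:01 203.0.113.7 alice@example.com login_fail
2024-01-15T10:00:02 203.0.113.7 bob@example.com login_fail
2024-01-15T10:00:03 203.0.113.7 carol@example.com login_fail
2024-01-15T10:00:04 203.0.113.7 dave@example.com login_fail
2024-01-15T10:00:05 203.0.113.7 erin@example.com login_fail
2024-01-15T10:00:06 203.0.113.7 frank@example.com login_ok
2024-01-15T10:01:30 203.0.113.7 frank@example.com email_change
2024-01-15T11:00:00 198.51.100.20 grace@example.com login_fail
2024-01-15T11:00:20 198.51.100.20 grace@example.com login_ok
2024-01-15T11:05:00 198.51.100.20 grace@example.com phone_change
"""

def parse(log):
    """Yield (time, ip, account, event) tuples, skipping malformed lines."""
    for line in log.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]

def detect(log, min_accounts=5, max_success_ratio=0.3,
           window=timedelta(minutes=30)):
    """Return (suspect source IPs, likely takeovers) for a batch of events."""
    events = sorted(parse(log))
    tried, succeeded = defaultdict(set), defaultdict(set)
    for _, ip, account, event in events:
        if event in ("login_fail", "login_ok"):
            tried[ip].add(account)
        if event == "login_ok":
            succeeded[ip].add(account)
    # Stuffing signature: many distinct accounts from one source, few logins work.
    suspects = {ip for ip, accounts in tried.items()
                if len(accounts) >= min_accounts
                and len(succeeded[ip]) / len(accounts) <= max_success_ratio}
    # Takeover signature: contact details change soon after a suspect login.
    last_ok, takeovers = {}, []
    for ts, ip, account, event in events:
        if event == "login_ok" and ip in suspects:
            last_ok[account] = ts
        elif (event in ("email_change", "phone_change")
              and account in last_ok and ts - last_ok[account] <= window):
            takeovers.append((account, event, ip))
    return suspects, takeovers

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The second source in the sample is an ordinary user who mistyped a password once and then updated a phone number, so it is not flagged.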


Fazeel Ashraf


Join the Conversation


  1. My DoorDash account was also hacked a couple months ago! I got an email from DoorDash stating that my email was changed, which I did not do. So when I called they couldn’t find my account. I was and still am freaking out about it because this person named Alan knows where I live! I had a number of cards saved and I couldn’t remember which one, so one by one I replaced them. I had to go through every website that I have passwords to and change them and get a new email. What a freakin headache!!! It was my genius idea to look up that email that replaced mine to find my account, which worked, and all they did was deactivate it and apologize!! There’s still someone out there with my full name, address, phone number!! I have children too, how am I to feel safe???? Thankfully they only changed the email and the name on the account, at least as far as I know. So I wanted to warn people to stay away from DoorDash!!!! My hacker was Alan R

    1. Legit concerns, I really hope DoorDash comes up with a better security plan considering how vulnerable the entire online arena has become to hacking attacks.

    2. That’s really sad. Thanks for warning the potential users. It really becomes frustrating when somebody lands into your private life without your permission and that’s what a hacker actually does.
      I hope you will not face the same situation again.

  2. My account was just hacked last night too! They didn’t change my email but changed my phone number and of course address. They reversed the charges and said an investigator will be contacting me but after reading this I have doubts that they really will do that. I loved having DoorDash but this makes me want to get rid of it altogether, especially since the site does not have an option for dumping my card info.

  3. My account was hacked last night as well. Changed password and email tied to the account. Of course – first thing customer support asks “What’s the email on the account?….” then says “Hmm we can’t seem to find an account under that email.” YES. It was HACKED and the email was changed. Frustrating as hell. Still no resolution. It was supposedly “escalated” to a team that’s investigating. At the very least – my credit card has awesome fraud security.

  4. Just happened to me today. DoorDash and my bank were quick to help. This was a relief. Within 2 hours everything was fixed. # I called: (855) – 973 – 1040

    But this is for sure on DoorDash’s side. The login email I used is my work email and is the ONLY app/website I have ever used my work email for, as I commonly order food for coworkers that work late. My passwords, while similar, are also unique to every app and website. These passwords are very complicated.
