Food delivery startup DoorDash customer's accounts have been hacked.
Dozens of people have tweeted that their accounts had been improperly accessed and had fraudulent food deliveries charged to their account.
The hackers changed their email addresses.
There has been no data breach and that the likely culprit was credential stuffing, in which hackers take lists of stolen usernames and passwords and try them on other sites that may use the same credentials.
Source: https://techcrunch.com/2018/09/25/doordash-customers-say-their-accounts-have-been-hacked/
TPRM report: https://scoringcyber.rankiteo.com/company/doordash
"id": "doo232301022",
"linkid": "doordash",
"type": "Breach",
"date": "09/2018",
"severity": "50",
"impact": "1",
"explanation": "Attack without any consequences"{'affected_entities': [{'customers_affected': 'Dozens',
'industry': 'Food Delivery',
'name': 'DoorDash',
'type': 'Company'}],
'attack_vector': 'Credential Stuffing',
'description': 'Dozens of DoorDash customers reported unauthorized access to '
'their accounts resulting in fraudulent food deliveries and '
'email address changes. The likely cause is credential '
'stuffing using stolen usernames and passwords from other '
'sites.',
'impact': {'customer_complaints': ['Unauthorized account access',
'Fraudulent charges']},
'motivation': ['Fraud', 'Financial Gain'],
'post_incident_analysis': {'root_causes': 'Credential Stuffing'},
'recommendations': ['Use unique passwords for different accounts',
'Enable two-factor authentication'],
'title': 'DoorDash Account Hack',
'type': 'Account Compromise',
'vulnerability_exploited': 'Reused Usernames and Passwords'}