DoorDash understands the importance of the security of our community, and we want to provide an update on the steps we’ve taken to investigate and respond to reports that a small subset of DoorDash users have experienced fraudulent activity on their accounts.
First, we conducted an internal review and retained a third-party data forensic firm to investigate reports of fraudulent activity. Our investigation concluded, consistent with our previous reporting, that the reports of account fraud are attributable to credential stuffing. This type of fraud occurs when attackers take bulk sets of email addresses and passwords, acquired from previous data incidents affecting other companies, and replay them against the DoorDash login portal until they find combinations that work. It succeeds only where a user has reused the same password on DoorDash that was exposed elsewhere; no DoorDash systems need to be breached for it to work.
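Credential stuffing has a recognisable shape in login logs: one source address tries many distinct accounts, mostly failing, and the few successes are the accounts that have been taken over. The following is an added example of that detection logic, not DoorDash's own code; the log format, the field names and the sample lines are constructed for illustration (addresses come from the RFC 5737 documentation ranges), and the thresholds are assumptions to be tuned against real traffic.

```python
"""Flag credential-stuffing sources in a constructed login log.

Assumed log line format (hypothetical, not DoorDash's):
    <iso-timestamp> ip=<addr> user=<email> result=<ok|fail>

A single user who mistypes a password produces repeated failures for
ONE account from one address. A credential-stuffing run produces
failures across MANY distinct accounts from one address, with the
occasional success being a reused password that worked.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2019-12-01T10:00:01Z ip=203.0.113.7 user=a1@example.com result=fail
2019-12-01T10:00:02Z ip=203.0.113.7 user=a2@example.com result=fail
2019-12-01T10:00:02Z ip=203.0.113.7 user=a3@example.com result=fail
2019-12-01T10:00:03Z ip=203.0.113.7 user=alice@example.com result=ok
2019-12-01T10:00:03Z ip=203.0.113.7 user=a5@example.com result=fail
2019-12-01T10:00:04Z ip=203.0.113.7 user=a6@example.com result=fail
2019-12-01T10:00:04Z ip=203.0.113.7 user=a7@example.com result=fail
2019-12-01T10:00:05Z ip=203.0.113.7 user=a8@example.com result=fail
2019-12-01T10:05:00Z ip=198.51.100.4 user=bob@example.com result=fail
2019-12-01T10:05:10Z ip=198.51.100.4 user=bob@example.com result=fail
2019-12-01T10:05:30Z ip=198.51.100.4 user=bob@example.com result=ok
2019-12-01T10:06:00Z ip=192.0.2.9 user=carol@example.com result=ok
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_stuffing_sources(text, min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for source IPs whose pattern looks like credential stuffing.

    stats has: distinct_users, attempts, fails, and compromised (accounts that
    logged in successfully from the flagged source and should be forced through
    a password reset / step-up check).
    """
    per_ip = defaultdict(
        lambda: {"users": set(), "attempts": 0, "fails": 0, "ok_users": set()}
    )
    for ev in parse_log(text):
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "fail":
            s["fails"] += 1
        else:
            s["ok_users"].add(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["attempts"]
        # Breadth across accounts is the key signal; a lone user retrying
        # their own password never crosses min_distinct_users.
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fails": s["fails"],
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

In the sample, 203.0.113.7 touches eight different accounts with seven failures, so it is flagged and `alice@example.com` is listed as a likely takeover; 198.51.100.4 fails twice on the same account before succeeding, which is ordinary user behaviour and is left alone. Real attacks spread across many proxy addresses, so the same counting is usually also done per autonomous system, per user-agent fingerprint, and over time windows rather than per single IP.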
Second, we have implemented a number of measures to enhance the security of our platform and combat fraud. These measures include:
- We blocked suspicious IP addresses that we believe may be linked to attempts to take over consumer accounts.
- We conducted an extensive analysis to proactively identify accounts we believe had been subject to an account takeover. We have taken a variety of mitigation measures designed to prevent those accounts from being used to make fraudulent purchases through our platform.
- We have integrated with Have I Been Pwned, a service used by both the Australian and UK governments, to help us detect the use of passwords that have been compromised in past security incidents experienced by other websites.
- We are deepening our integration with an industry-leading software product to enhance our ability to detect fraud before it happens.
- We have implemented two-factor authentication as an additional security measure. Changes to a user’s phone number, username, or password will automatically prompt two-factor authentication, as will certain order types that are frequently associated with fraud. Users will receive a verification code via SMS or email to verify their account identity.
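The Have I Been Pwned check mentioned above can be done without ever sending a user's password, or even its full hash, to a third party: the public Pwned Passwords API uses k-anonymity, where the client sends only the first five hex characters of the SHA-1 hash and receives every known suffix with that prefix, then matches locally. The following is an added example of that exchange, not DoorDash's integration code (the post does not say which HIBP endpoint they use); the range response embedded here is constructed, apart from the well-known hash of the string `password`, and the live fetch function is included only for completeness and is not exercised offline.

```python
"""Check a candidate password against the Pwned Passwords range API (k-anonymity).

Added example, not DoorDash's code. Protocol:
  1. SHA-1 the password (SHA-1 is what the API indexes on; it is never
     used here for storage).
  2. Send only the first 5 hex chars: GET /range/<prefix>.
  3. The response lists every suffix sharing that prefix as "SUFFIX:COUNT".
  4. Look for our 35-char suffix locally. The service never learns which
     of the several hundred returned suffixes we cared about.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def pwned_range_query(password):
    """Return (prefix, suffix): the 5 chars sent to the API and the 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix, range_body):
    """Parse a range response and return how often our suffix was seen in breaches (0 if absent)."""
    suffix = suffix.upper()
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_password_pwned(password, fetch_range):
    """Return the breach count for `password` using `fetch_range(prefix) -> str`."""
    prefix, suffix = pwned_range_query(password)
    return breach_count_from_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """Real network fetch (not used by the offline demo). Add-Padding asks the
    service to pad responses so their size does not leak the prefix."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: a dict keyed by prefix. The first suffix
# under 5BAA6 is the real SHA-1 tail of "password"; the other suffixes and all
# counts are made up for the example.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68000:2\n"
        "0123456789ABCDEF0123456789ABCDEF012:17\n"
    ),
}


def fake_fetch_range(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print("password ->", is_password_pwned("password", fake_fetch_range))
```

Two caveats a practitioner would want: run the check at registration, at password change and (with the result cached) at login, and reject or step up on any non-zero count rather than on a threshold; and treat the `Add-Padding` header as part of the privacy property, because without it the response length alone can narrow down which prefix was queried.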
Third, we’ve taken steps to help provide better, faster assistance to customers who report fraudulent activity on their account. We are working hard to help keep your account safe from fraud, and we will continue to take measures to enhance the security of our platform.
___________________________________________________________________
DoorDash is committed to the security of our community and combating fraudulent activity on our platform. We have been notified by a small subset of DoorDash users (a fraction of one percent) that unauthorized orders may have been placed on their accounts.
Our fraud detection and security teams are monitoring this situation closely and are continuing to investigate. Based on our initial investigation, we believe that DoorDash consumer accounts were accessed via credential stuffing. This type of fraud occurs when passwords acquired from previous data incidents affecting other companies are used to log in to accounts on our platform. We have implemented a variety of fraud detection capabilities, and we will continue to take measures to enhance the security of our platform.
While our investigation continues, as a precautionary measure, we encourage users to reset their passwords by clicking here. If you need help resetting your password, please contact DoorDash Support at password-assistance@doordash.com.
Protecting our community — Update 12.14 was originally published in DoorDash on Medium, where people are continuing the conversation by highlighting and responding to this story.