It's the night of the Superbowl. The Pats O-line is Swiss cheese, Bad Bunny put on a hell of a halftime show, and my DoorDash account was just compromised.
5:46 PM - New login to your DoorDash account
I received an email that there was a new login to my account. My DoorDash password is stored in a password manager, and is not the kind of thing an idiot would have on his luggage. It should be impossible to log in to my account without using the password manager (which requires a physical device), so something is up.

'Device Type: Unknown' is not promising
I notice this email an hour after it was sent, but don't totally register "someone is trying to do something nefarious, hurry and fix it". Note that the most scannable text is "DoorDash account page". It's a link to where I can fix the problem, but not actually a call to action (CTA).
11 PM - I initiate a password reset
A few hours and five Seahawk field goals later, I return home and investigate. I start the password reset flow, which requires two-factor authentication with my phone, but the phone number on my account has been changed.

Not Penny's Boat
It may be reasonable to allow a user to change their phone number without reauthenticating under normal circumstances, but DoorDash had literally just flagged a suspicious login. That is exactly the time to halt other security-sensitive changes, like swapping phone numbers or email addresses, or at least to require that such a change be confirmed through the factor that was already on the account.
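One way to implement that freeze, as an added example that is not DoorDash's code and not part of the original post: after a login from an unrecognized device, changes to recovery factors are refused until the user completes a step-up through a factor that predates that login. All names (`Account`, `record_login`, `change_phone`, and so on), the 24-hour window, and the sample account data are hypothetical and constructed for the example.

```python
"""Added example (hypothetical, not DoorDash's code): freeze recovery-factor
changes after a login from an unrecognized device until the user proves
control of a factor that was on the account *before* that login."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical policy knob: how long phone/email changes stay frozen after an
# unrecognized-device login if no step-up is completed.
FREEZE_WINDOW = timedelta(hours=24)


class ChangeBlocked(Exception):
    """Raised when a recovery-factor change is attempted during a freeze."""


@dataclass
class Account:
    email: str
    phone: str
    known_devices: set = field(default_factory=set)
    suspicious_login_at: Optional[datetime] = None
    # Factors present before the suspicious login. Step-up codes go only to
    # these, so whoever holds the new session cannot redirect them.
    factors_before_login: frozenset = frozenset()
    pending_code: Optional[tuple] = None   # (factor, code) awaiting entry
    step_up_at: Optional[datetime] = None
    events: list = field(default_factory=list)


def record_login(acct: Account, device_id: str, now: datetime) -> bool:
    """Record a login; returns True if the device was unrecognized."""
    if device_id in acct.known_devices:
        return False
    acct.suspicious_login_at = now
    acct.step_up_at = None  # an older step-up does not cover this login
    acct.factors_before_login = frozenset({acct.email, acct.phone})
    acct.events.append(("unknown_device_login", device_id, now))
    return True


def is_frozen(acct: Account, now: datetime) -> bool:
    """Frozen while a recent suspicious login has not been resolved by step-up."""
    if acct.suspicious_login_at is None:
        return False
    if now - acct.suspicious_login_at > FREEZE_WINDOW:
        return False
    resolved = acct.step_up_at is not None and acct.step_up_at >= acct.suspicious_login_at
    return not resolved


def issue_step_up_code(acct: Account, factor: str) -> str:
    """Generate a one-time code for a pre-existing factor. Returning it stands in
    for SMS/email delivery in this offline example."""
    if factor not in acct.factors_before_login:
        raise ValueError("step-up must use a factor that predates the suspicious login")
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_code = (factor, code)
    return code


def complete_step_up(acct: Account, factor: str, code: str, now: datetime) -> bool:
    """Verify the code in constant time; the code is single-use either way."""
    if acct.pending_code is None or acct.pending_code[0] != factor:
        return False
    ok = hmac.compare_digest(acct.pending_code[1], code)
    acct.pending_code = None
    if ok:
        acct.step_up_at = now
        acct.events.append(("step_up_ok", factor, now))
    return ok


def change_phone(acct: Account, new_phone: str, now: datetime) -> None:
    if is_frozen(acct, now):
        acct.events.append(("phone_change_blocked", new_phone, now))
        raise ChangeBlocked("recovery-factor change blocked after unrecognized login")
    acct.phone = new_phone


def demo() -> dict:
    """Constructed scenario: an unknown device logs in and immediately tries to
    swap the phone number (blocked); the owner steps up via the old number."""
    t0 = datetime(2026, 2, 8, 17, 46)
    acct = Account(email="owner@example.com", phone="+15555550100",
                   known_devices={"laptop-1"})
    record_login(acct, "unknown-device", t0)
    result = {"frozen_after_login": is_frozen(acct, t0 + timedelta(minutes=1))}
    try:
        change_phone(acct, "+15555550199", t0 + timedelta(minutes=1))
        result["attacker_change"] = "allowed"
    except ChangeBlocked:
        result["attacker_change"] = "blocked"
    result["expires_unresolved"] = is_frozen(acct, t0 + FREEZE_WINDOW + timedelta(minutes=1))
    code = issue_step_up_code(acct, "+15555550100")
    wrong = "000000" if code != "000000" else "999999"
    result["wrong_code"] = complete_step_up(acct, "+15555550100", wrong, t0 + timedelta(hours=5))
    code = issue_step_up_code(acct, "+15555550100")  # first code was consumed
    result["step_up"] = complete_step_up(acct, "+15555550100", code, t0 + timedelta(hours=5))
    result["frozen_after_step_up"] = is_frozen(acct, t0 + timedelta(hours=5))
    change_phone(acct, "+15555550123", t0 + timedelta(hours=5, minutes=1))
    result["phone"] = acct.phone
    return result


if __name__ == "__main__":
    print(demo())
```

In a real system the step-up would be bound to the session that performed it, and the same alert would offer a "this wasn't me" path that revokes every other session; the point of the example is only that the old phone number and email remain the anchor of trust until the new login has been vouched for.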
11:05 PM - I call support
I'm able to get support on the phone in about 5 minutes (a pleasant surprise - chalking this up to calling support at 11pm). The support rep seems unsurprised that this has happened, and is unable to change my password back.
I tried to "prove" that I'm the owner of the account by reciting the previous phone number attached to the account, but it doesn't seem to matter. Neither does proving I control the email address attached to the account (something the attacker has not been able to do, as far as I know).
The only path that's offered to me is to delete the account. For DoorDash, this is awfully convenient, as it makes this problem 🪄go away🪄 because the compromised account disappears. For me, it's the opposite, because I lose the ability to do any other digging around. I end up accepting after confirming that no purchases have been made on the account since 2025 (at least 6 weeks ago). A locked account is no good to me anyway, whether or not it's exposing credit card information.
11:33 PM - DoorDash Account Deactivated

I get another transactional email showing my account is deactivated. My main recourse now is to sit tight in case DoorDash reaches back out (which seems unlikely).
What's actually happening?
- This could be happening all the time, and it's a coincidence that it happened to me on the highest TV viewership day of the year.
- Something more interesting is afoot, like a password leak or some kind of authentication bug.
If it's the latter, it makes sense to choose the Superbowl as the day to scrape cash or credit card information from a bunch of accounts.
- The Superbowl is likely the busiest day of the year for DoorDash
- Folks are likely to overlook this email, because they are away from home and/or watching the game
It's not yet clear to me what can be gained from logging in. Some credit card information is likely visible from the account page, but it should just be the last four digits of the card. Forgive me if I'm not in a huge rush to go sign up for another DoorDash account to find out. 🙄
Takeaways
Calls to action matter
I searched my inbox for the phrase "Unrecognized device" to see if this has ever happened, and the only email I found was from when I authorized my work laptop for the first time:

'Report suspicious activity' is clear and evokes danger
This is a much better email!
It tells me:
- the IP of the accessing device
- the location
- the operating system and browser
It's much easier to know "was this login me, or not me" compared to "Device Type: Unknown".
It's only fair to point out that this has to be Okta's bread and butter (it's an authentication provider), but "Report suspicious activity" still speaks much more loudly and is more scannable than "DoorDash account page".
Also important to note - the biggest thing on the page is a large blue button that reads Report Suspicious Activity. If all I absorb is the CTA, I still know "something spooky is happening".
Audit your information continuously
Account creation is a great time to ensure services aren't storing sensitive information. Typically, I would feel comfortable giving credit card info to a food delivery company worth 80 billion dollars, but there's clearly something valuable to be grifted here if DoorDash hasn't figured out how to stop this kind of scam from happening.
The only question is what...