It's the night of the Superbowl. The Pats O-line is Swiss cheese, Bad Bunny put on a hell of a halftime show, and my DoorDash account was just compromised.
5:46 PM - New login to your DoorDash account
I received an email that I got a new login to my account. My password is stored in a password manager, and it is not brute-forceable. It should be impossible to log in to my account without using the password manager (requiring a physical device), so something is up:

'Device Type: Unknown' is not promising
I see this email an hour after it was sent, but don't totally register "someone is trying to do something nefarious, hurry and fix it".
11 PM - I initiate a password reset
A few hours later, I return home and investigate. The only way to reset a password is using two factor authentication (good), but my phone number has changed on my account (bad).

'Not Penny's Boat'
It may be reasonable to allow a user to change their phone number without requiring reauthentication, but having DoorDash identify a suspicious login and then not freeze account information seems like a preventable problem.
11:05 PM - I call support
I'm able to get support on the phone in about 5 minutes (mildly shocking). The support rep seems unsurprised that this has happened, but is unable to change my password back (even though I can "prove" the account is mine by using a password reset link they sent to the account email).
The only path that's offered to me is to delete the account, which seems like a convenient way for DoorDash to make this problem undiagnosable from my end. I end up accepting, after confirming that no purchases have been made on the account since 2025 (at least 6 weeks ago).
11:33 PM - DoorDash Account Deactivated

My account is closed, and I'm told to sit tight and I may hear a follow-up over email (or maybe not).
What's actually happening?
- This could be happening all the time, and it's a coincidence that it happened to me on the highest TV viewership day of the year.
- Something more interesting is afoot (like a password leak or security flaw).
If it's the latter, it makes sense to choose the Superbowl as the day to attack a bunch of accounts.
- The Superbowl is likely the busiest day of the year for DoorDash
- It's also a time that folks are likely to overlook this email (because they are away from home and/or watching the game)
It's not yet clear to me what can be gained from logging in - some credit card information is likely visible from the account page, but I'm hoping it's just the last four digits of the account. Forgive me if I'm not in a huge rush to go sign up for another DoorDash account to find out. 🙄
Takeaways
1. Calls to action matter
I searched my inbox for the phrase "Unrecognized device" to see if this has ever happened, and the only email I found was from when I authorized my work laptop for the first time:

'Report suspicious activity' is clear and evokes danger
This is a much better email!
It tells me:
- the IP of the accessing device
- the location
- the operating system and browser
It's much easier to know "was this login me, or not me", compared to Device Type: Unknown.
It's only fair to point out that this needs to be Okta's bread and butter (as an authentication provider), but "report suspicious activity" speaks much more loudly and is more scannable than "DoorDash account page".
2. Audit your information continuously
Account creation is a great time to ensure services aren't storing sensitive information. Typically, I would feel comfortable giving credit card info to a food delivery company worth $80 billion US, but there's clearly something valuable to be grifted if DoorDash hasn't figured out how to stop this kind of scam from happening.