How not to steal

My DoorDash account got hackedToday felt like a long day. I’ve been going to sleep and waking up relatively late lately, but I had to get up before 9 AM PST this morning for class. My sleep tracker says I got less than 6 hours of restful sleep last night, which is not very good considering I have an overactive thyroid and need a lot of sleep. Classes have also been difficult lately, because sitting in a teleconference for remote learning during the pan­dem­ic doesn’t really engage my mind as much as traditional classroom settings do, so it’s a constant strug­gle not to fall asleep the entire time.

At 4 PM, my class finally wrapped up. I spent about an hour catching up on some work tasks that I missed during the day, then laid down in bed to watch some videos and relax.

After I finished petting the cats and getting comfortable in bed, I got an email notification from DoorDash. Apparently my account had a new log-in from an unrecognized device. I definitely didn’t just log into DoorDash, and I would never commit such as sin as to use a device with iOS, so I came to the conclusion that my account got hacked. I got out of bed and logged into my computer.

My credit card protects me against unauthorized charges, but that claim process is a hassle and I wanted to stop the theft from happening before the suspect had an opportunity to follow through. As quickly as possible, I changed my password and removed my saved credit card details from my account. Not only did this stop the suspect from completing the checkout process, but it would’ve also thrown an error, be­cause I have a free DashPass subscription courtesy of the Chase Sapphire Reserve that requires a CSR credit card number to be tied to the account. By removing my card details, I changed my account’s eli­gi­bil­i­ty status on particular promotions, and DoorDash would refresh the storefront and reapply any relevant delivery and service fees.

That worked, because the purchase never went through. However, during the few minutes it took me to do this, the suspect did a little work on my account.

Once I was done locking down my account, I saw a few things pop up that weren’t there before.

My DoorDash account got hacked

In addition to informing me that the suspect was interested in purchasing 30 traditional wings from Buffalo Wild Wings, they were also gracious enough to provide me with their address and phone number.

I looked up their address on Google Maps and saw that it pointed to a dormitory on a university campus. I looked up some local law enforcement agen­cies that had jurisdiction over the area and found a university police department, city police department, and county sheriff. I pulled up the in­for­ma­tion of the university police department and gave them a call to let them know what happened.

An officer picked up the phone, listened to my story, and passed my call onto someone else, as he was unsure how to proceed. A different officer came on the line, listened to my story, and said that this is the first time something of this nature had been reported to them. The officer ran a records check for the phone number in the description of the DoorDash delivery address, and it came back as a match to a current student.

I let the officer know that I was not interested in pressing charges—this is literally a hungry college kid who made a mistake, and I don’t want to damage their reputation and future by putting them through the criminal justice system. (Also, even if this did go to court, unless the student confessed, it would be extremely difficult to prove this beyond a reasonable doubt, as the defense could claim that an unrelated third party hacked my account and at­tempted to send food to this student without their knowledge or consent.)

However, I did say that I would like the police to at least speak with the student as a preventative measure to discourage the student from doing some­thing like this again, if it was indeed the student. I also informed them that this could end up being a liability issue for the university because, if this student was on dormitory Wi-Fi, they were technically using university technology systems to commit a cybercrime across state lines, making it a federal offense.

The officer noted everything and said that he would go with my wishes and just process the student through the university system instead of going through the court system. I followed up via email with the officer and provided him with the evidence above (unedited and uncensored, of course) for their records. Due to privacy reasons, I imagine I won’t ever find out what actually happened, but hopefully me doing this helped set a student on a better path to a brighter future, and protected a potential future different victim from credit card fraud.

So if you ever had plans to hack someone’s DoorDash account and get yourself some free food, I highly discourage you from doing so… not only because you shouldn’t steal, but also because providing your address and phone number to your victim generally isn’t the best idea.