DoorDash, a food delivery startup, is in the spotlight after a possible data breach.

Multiple customers are reporting that their accounts were hacked and orders were placed by an unknown third party.

A Reddit thread goes into detail about how someone placed $400 worth of fraudulent orders in a single day. In this instance, as with many others, the email address on the account was changed so that the owner of the account was unware of the charges – and was also unable to log in and see what was going on.

When approached for comment by TechCrunch, DoorDash pointed the finger at credential stuffing.

“We do not have any information to suggest that DoorDash has suffered a data breach,” said spokesperson Becky Sosnov in an email to TechCrunch. “To the contrary, based on the information available to us, including internal investigations, we have determined that the fraudulent activity reported by consumers resulted from credential stuffing.”

(Credential stuffing is when cyber attackers bombard sites with multiple username/email address and password combinations taken in other data breaches, with the aim of exploiting the fact that many people reuse their credentials across many services.)

However, six account holders told TechCrunch they used a unique password on their DoorDash account, suggesting that their credentials hadn’t been compromised elsewhere.

DoorDash’s current password policy allows for passwords such as 12345678 and ‘password’ – suggesting that it’s possible weak passwords were used.