Food delivery services have become quite popular. Not that we never before appreciated having a meal arrive right at our door, but before that luxury was generally only afforded to things like pizza.

Now, with the growth of services that will bring food and drinks from many non-pizza establishments, it makes sense that business is booming. But like everything that happens online, there is always the potential for hacks and breaches.

It happens often in other areas of the internet, and now it looks like the issue has reached at least one popular food delivery service. Because according to some customers of Door Dash, they are victims of of a hack.

Is DoorDash doing anything about it?

The issue was discovered as dozens of people tweeted to DoorDash with complaints of their accounts being improperly accessed, with fraudulent food deliveries also being charged to their account.

According to the complaints, the hackers have at times changed the email addresses associated with the accounts, making it so that the actual user could not regain access to it without contacting customer service. At issue is the fact that apparently even when people reached out, DoorDash either didn’t respond or was unable to fix the problem.

Tech Crunch contacted some of the affected customers, and four of them said they had used their DoorDash password on a different site. Three told them they were not sure if they had used their password elsewhere.

That would seem to infer this might be more user error than tech problem, except that six people the site got in touch with said their password was unique only to DoorDash. Three, in fact, confirmed they used a password generator to come up with theirs.

As for whether or not problems stemmed from the DoorDash website or app, some used one or the other or even both. Yet, it took being alerted to possible fraud by their credit card companies before some even realized something was amiss.

So what’s the problem, then?

According to DoorDash, there has been no data breach or leak, and instead this seems to be the result of a tactic known as “credential stuffing.” Essentially, that involves hackers taking lists of stolen usernames and passwords and then trying them on various other sites in hopes the same credentials were being used.

However, DoorDash had no explanation for how accounts with unique passwords may have been breached, which means this story may not be over just yet. But if DoorDash wants to help make sure this can not happen, introducing two-factor authentication would help.

But according to Tech Crunch, DoorDash gave no indication of whether or not that kind of change is in the works.