DoorDash said that the likely culprit was credential stuffing, taking lists of stolen usernames and passwords and try them on other sites that may use the same credentials.