DoorDash said that the likely culprit was credential stuffing, taking lists of stolen usernames and passwords and try them on other sites...