SAN LEANDRO, Calif. (KGO) — An East Bay restaurant owner called 7 On Your Side for help investigating a hack into his merchant DoorDash account — after the tech company accidentally paid the fraudulent account. While DoorDash has repeatedly said the hack was not due to a breach of its systems, it started out as a worst-case scenario for any business owner.
Erik Reese is the proud owner of Paradiso, an Italian staple in San Leandro serving up gourmet cuisine for the past 29 years. (link – https://paradisosanleandro.com/)
On any given day his title moves between chef, server, or busser, multi-tasking with little time – especially for problems like this.
“I spent…hours on the phone, they said ‘no problem’,” Reese said describing his calls to DoorDash customer service. “48 hours later… huge, massive problem.”
“All of my information was deleted — and they’re like well… we did nothing wrong.”
Reese says he got a call from a DoorDash representative on July 28 asking about a change of ownership on his merchant account.
“I’m like… change of WHAT! No, there’s no change of ownership,” says Reese. “So I instantly went into my merchant portal on DoorDash… I was locked out of it.”
Skeptical that the person calling might not actually be from DoorDash, he hung up and called the customer service number posted on the company’s website. Reese says that a representative sent him a link to get back into his account — and he was shocked.
“Everything had been changed!” said Reese. “I’m like OK, I’m NOT this person… names, addresses, telephone number, routing number, bank account number… I could not get into anything… no statements, nothing!”
DoorDash confirmed Reese’s account was hacked. Except, the company says it wasn’t their fault — specifying there was no breach of its systems. The tech company says there’s evidence to suggest this all started weeks earlier on July 9 through a phone scam. According to a transcript provided by DoorDash, Reese’s staffer called DoorDash customer service on that date – where he admitted to providing some information to a suspicious caller impersonating DoorDash.
Reese says it wasn’t until the July 28 call that he realized his merchant account was compromised. He says he spent hours on the phone with at least half a dozen different customer service reps to report the problem — adding he was told it would be escalated to a supervisor.
“They said that three times. No supervisor called me,” Reese said.
DoorDash acknowledges Reese’s account had difficulty reaching a supervisor, but says their team also made multiple attempts to follow-up with Paradiso staff and at a certain point escalated their concerns to more senior support.
According to Reese, DoorDash promised his account would be deactivated and the company would not pay out what was owed to him until the problem was resolved.
“They guaranteed me… three different people… ‘Nothing’s going to happen, give us 48 hours to take care of this’,” Reese said.
Reese says 48 hours later, he logged back in and noticed DoorDash accidentally made two payments totaling $944.86 to the fraudster’s account.
“I’m just spinning in circles!” Reese said. “Then I’m on the phone for hours again… ‘You have to resend us all your bank accounts, ID… have to redo everything.'”
Reese says the next day, DoorDash removed the fraudulent account. The tech giant says repayment was processed within 10 days. But Reese says before that happened — he struggled to get his money back. Meanwhile, he had no DoorDash business.
“I’m losing thousands of dollars,” says Reese. “It’s been a week, I don’t have my money back!”
Reese says — that’s when he reached out to 7 On Your Side.
“If I hadn’t called you guys, they wouldn’t have called me, and none of this would’ve been taken care of. So thank you!” says Reese.
DoorDash refunded Reese the money owed to him plus an additional 20% in goodwill. The company shared the following statement, saying in part:
“Despite these activities being the work of a fraudster, DoorDash has worked directly with Paradiso Restaurant to make them whole and ensure they have our full support moving forward. All necessary actions have been taken, including restoring Paradiso’s account access, repayment, reinstating their access to historical financial reports and confirming their payment information is secure. At DoorDash, we take fraud of any kind extremely seriously and remain committed to providing a safe, reliable, and high-quality service for merchants.“
But despite all that, there’s a lingering question: how the hack actually happened.
The tech company holds that “there is no evidence of any breach into DoorDash’s systems.” DoorDash says its fraud team believes both Paradiso’s DoorDash portal login and his work email login were compromised.
We spoke to San Jose State University Engineering Professor Ahmed Banafa, a tech expert that specializes in security data breaches and hacks. His advice?
“Any change just lock it, so no money will transfer,” says Banafa. “After the hackers managed to get into the account of the restaurant… it’s an open field… There is only one line of defense for the account, which is username and password.”
After reviewing DoorDash’s detailed timeline response to the initial breach, Banafa questions why the tech company’s fraud detection system did not flag multiple simultaneous logins from different geographies in real time.
“While technically accurate, this approach may overlook systemic design weaknesses in user access control and fraud prevention responsiveness,” says Banafa. “Worst case scenario, staffer gave the information. What kind of defense do you have of my sensitive information that I trust you with and have in your servers?”
DoorDash says all safeguards were intact – adding that multi-factor authentication (MFA) was activated twice in this case, as designed, when sensitive changes like updating contact emails are attempted.
The tech company also says it has multiple other fraud prevention measures in place, like waiting periods for bank account changes, and documentation requirements for flagged activity.
“I have nothing I can even show you guys,” Reese said.
But according to Reese, all of his merchant account information was wiped. He says he was unable to see account activity nor the amount of money owed. DoorDash told 7 On Your Side it’s a “proactive safeguard” when suspicious activity is flagged, and the company has since restored his account, following requests.
“70% of the businesses targeted by cyberattacks are small businesses….this is the statistic from the Small Business Administration, 70%!” said Banafa, adding most small businesses don’t have strong defense systems, or a limited budget for cyber security. “The important thing for this one is — if hackers have the username or password, they can access the account. They can try it on thousands of them, and they may get in 10% of the time.”
And while DoorDash says its fraud-prevention protocols were functioning properly, it’s an important reminder for any merchant on any platform.
But if you ask Reese… he’s still frustrated.
“They don’t care!” Reese told 7 On Your Side.
Bottom line: if you ever get any suspicious calls asking for information about your account, it’s always best to hang up and call the company directly.
Take a look at more stories and videos by 7 On Your Side.
7OYS’s consumer hotline is a free consumer mediation service for those in the San Francisco Bay Area. We assist individuals with consumer-related issues; we cannot assist on cases between businesses, or cases involving family law, criminal matters, landlord/tenant disputes, labor issues, or medical issues. Please review our FAQ here. As a part of our process in assisting you, it is necessary that we contact the company / agency you are writing about. If you do not wish us to contact them, please let us know right away, as it will affect our ability to work on your case. Due to the high volume of emails we receive, please allow 3-5 business days for a response.
Copyright © 2025 KGO-TV. All Rights Reserved.
Duncan Meyers, founder of BDJOBSTODAY, shares expert career advice, job market insights, and practical tips to help professionals grow and succeed in their careers.
