
#58: DoorDash Breach, Amazon vs. Perplexity, Ticketmaster Shift to Face Value Resale
As we head into a quieter holiday week, the fraud problem is anything but slowing down. This week’s stories show how social engineering, agentic AI, and marketplace dynamics are reshaping fraud risk across sectors. The more automation and scale platforms build, the more surface area fraudsters get to exploit.
Let’s get into it.
NATE'S TAKE - NOVEMBER 25, 2025
Top Three This Week
- DoorDash’s Third Breach in Six Years Underscores a Growing Pattern
- Amazon vs. Perplexity: The Coming Identity War Between Merchants and AI Agents
- Ticketmaster, Olivia Dean, and the Shift to Face Value Resale
1. DoorDash’s Third Breach in Six Years Underscores a Growing Pattern

DoorDash disclosed its third major data breach since 2019 after an employee fell victim to a social engineering scam that exposed customer names, phone numbers, email addresses, and physical addresses. While no sensitive financial or government ID data was accessed, it’s still the exact kind of high‑confidence data used for account takeover (ATO), targeted phishing, and refund fraud.
This isn’t about one compromised employee. When a platform handles millions of daily transactions and stores granular delivery metadata, every breach compounds. Reused data, outdated verification flows, and weak internal controls create the perfect environment for fraud patterns that build on each other over time.
Social engineering isn’t just an HR training issue; it’s an identity governance issue. Every employee interaction becomes part of your attack surface, and every dataset leaked becomes an invisible accelerant for future fraud.
2. Amazon vs. Perplexity: The Coming Identity War Between Merchants and AI Agents

Amazon has issued a cease‑and‑desist to Perplexity demanding it stop using its agentic browser, Comet, to make purchases on Amazon without proper disclosure or authorization. Amazon claims the agent violates its terms, degrades the shopping experience, and introduces privacy vulnerabilities.
This is more than a contractual dispute. It’s a preview of the next major fraud challenge for commerce.
Agentic shopping tools route clicks, sessions, and purchases through headless browsers that look nothing like humans. They break the signals merchants rely on today: device fingerprints, behavioral cues, session integrity, identity continuity. In other words, traditional fraud controls were never designed to distinguish legitimate third‑party agents from malicious bots.
Amazon’s statement essentially outlines the challenge for the coming era: third‑party agents may or may not be transparent or permissioned, and may or may not respect platform policies. The merchants who can balance risk against growing the business they do with AI agents will win the next decade. While Know Your Agent (KYA) schemes are in their early stages and few enforcement mechanisms exist, merchants have to find ways to adjust to the reality that they're losing control of the online consumer experience to an agent-driven future.
Fraud fighters: tracking “bot traffic” as a single category is about to become obsolete. Some bots are malicious. Some will be your customers. Without agent detection, authentication, authorization, and enforcement frameworks, merchants will struggle to tell the difference.
3. Ticketmaster, Olivia Dean, and the Shift to Face Value Resale

After singer Olivia Dean publicly criticized Ticketmaster and promoters for enabling inflated resale prices on her tour, Ticketmaster capped resale tickets on its platform at face value. The move, while rare, is part of a growing shift toward artist-controlled pricing.
Dean is now joined by artists like Hayley Williams and Hilary Duff who have opted into Ticketmaster’s Face Value Exchange, which prevents scalping and keeps resale prices fan-friendly. However, the impact is limited if other marketplaces – like StubHub and SeatGeek – don’t follow suit.
That’s why broader regulation is gaining steam. The UK government just announced a nationwide ban on ticket resale above face value, following an open letter signed by Dua Lipa, Coldplay, and Sam Fender. The new law also targets hidden fees and promises to save fans an estimated £112 million (~$147M USD) per year.
Capping resale prices limits the profit potential that attracts bots in the first place. Most scalper bots exist to buy up inventory at face value and flip it for a profit. If the resale price is locked, the incentive for automation-driven ticket hoarding drops sharply.
With artists pushing for control and governments tightening rules, the era of resale markups may finally be coming to an end.
===
That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.



