Deliveroo blames re-used passwords for spate of account hacks

But security experts say companies must change user behaviour

Fraudsters have hacked Deliveroo customers' accounts to order vast amounts of food via the takeaway app.

Some users of the food delivery platform have had as much as 600 stolen from their accounts in a spate of attacks extending over at least the last month.

Deliveroo has denied that its own systems have been hacked, blaming credential reuse from historic hacks of sites including LinkedIn, and said no personal data has been leaked.

Advertisement - Article continues below

However, customers continue to be hit with the attacks, with IT Pro aware of at least one attack this week in which a user lost 300 from his account.

Another user, Judith MacFayden, told the BBC's Watchdog programme in an investigation being broadcast this evening: "I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London."

Twitter user Paul Taylor wrote last month: "#deliveroo just allowed my account to be hacked to the tune of 600 in two days! Some fat hackers out there..."

The takeaway app told IT Pro it has refunded any money that was stolen, but did not address our question of whether it is forcing customers to change passwords to fend off hacks before they happen.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Instead a spokesman said: "Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem we take it very seriously.

"On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities."

But cybersecurity experts warned that companies must make customers aware of basic security measures like changing their passwords, and should monitor credentials revealed in breaches and compare them to those used for their own services.

Cloud security firm Netskope's EMEA VP, Andre Stewart, said: "If credentials are found to have been compromised in another breach, companies can prompt customers to change their details to ensure systems remain secure. Organisations should also monitor for unusual behaviour or usage patterns so that security teams can block intruders and protect sensitive data."

James Romer, EMEA chief security architect at SecureAuth, added: "This laid-back consumer attitude [to passwords] is no longer acceptable and companies also need to be doing more to add extra layers of authentication to login processes, which don't have to impact the user."

Advertisement - Article continues below

Deliveroo wouldn't confirm what anti-fraud measures it has put in place, but the spokesman said: "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use."

He added: "We can assure customers that we are constantly improving our security measures, and make regular upgrades to our practices. Recently, this included frequently asking customers to verify themselves when entering a new address.

"We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning to track patterns of criminal activity. This blocks transactions when our system detects suspicious activity."

UK data watchdog, the Information Commissioner's Office, confirmed it plans to speak to Deliveroo. A spokesperson said: "Businesses are required by law to keep personal information safe and secure and people have a right to trust that will happen. We have received some complaints about Deliveroo and will be speaking to the company."

Picture: Bigstock

Responses to cyber attacks are too reactive. Learn how to monitor and tackle threats to your business much more swiftly by downloading this Intel whitepaper.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020
Visit/business-strategy/it-infrastructure/356258/the-growing-case-for-it-flexibility
Sponsored

The growing case for IT flexibility

30 Jun 2020