Deliveroo blames re-used passwords for spate of account hacks

But security experts say companies must change user behaviour

Fraudsters have hacked Deliveroo customers' accounts to order vast amounts of food via the takeaway app.

Some users of the food delivery platform have had as much as 600 stolen from their accounts in a spate of attacks extending over at least the last month.

Deliveroo has denied that its own systems have been hacked, blaming credential reuse from historic hacks of sites including LinkedIn, and said no personal data has been leaked.

However, customers continue to be hit with the attacks, with IT Pro aware of at least one attack this week in which a user lost 300 from his account.

Advertisement - Article continues below
Advertisement - Article continues below

Another user, Judith MacFayden, told the BBC's Watchdog programme in an investigation being broadcast this evening: "I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London."

Twitter user Paul Taylor wrote last month: "#deliveroo just allowed my account to be hacked to the tune of 600 in two days! Some fat hackers out there..."

The takeaway app told IT Pro it has refunded any money that was stolen, but did not address our question of whether it is forcing customers to change passwords to fend off hacks before they happen.

Instead a spokesman said: "Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem we take it very seriously.

"On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities."

But cybersecurity experts warned that companies must make customers aware of basic security measures like changing their passwords, and should monitor credentials revealed in breaches and compare them to those used for their own services.

Advertisement - Article continues below

Cloud security firm Netskope's EMEA VP, Andre Stewart, said: "If credentials are found to have been compromised in another breach, companies can prompt customers to change their details to ensure systems remain secure. Organisations should also monitor for unusual behaviour or usage patterns so that security teams can block intruders and protect sensitive data."

James Romer, EMEA chief security architect at SecureAuth, added: "This laid-back consumer attitude [to passwords] is no longer acceptable and companies also need to be doing more to add extra layers of authentication to login processes, which don't have to impact the user."

Deliveroo wouldn't confirm what anti-fraud measures it has put in place, but the spokesman said: "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use."

He added: "We can assure customers that we are constantly improving our security measures, and make regular upgrades to our practices. Recently, this included frequently asking customers to verify themselves when entering a new address.

Advertisement - Article continues below

"We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning to track patterns of criminal activity. This blocks transactions when our system detects suspicious activity."

UK data watchdog, the Information Commissioner's Office, confirmed it plans to speak to Deliveroo. A spokesperson said: "Businesses are required by law to keep personal information safe and secure and people have a right to trust that will happen. We have received some complaints about Deliveroo and will be speaking to the company."

Advertisement - Article continues below

Picture: Bigstock

Responses to cyber attacks are too reactive. Learn how to monitor and tackle threats to your business much more swiftly by downloading this Intel whitepaper.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Popular password managers found to have serious flaws

21 Feb 2019

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020