Deliveroo blames re-used passwords for spate of account hacks

But security experts say companies must change user behaviour

Fraudsters have hacked Deliveroo customers' accounts to order vast amounts of food via the takeaway app.

Some users of the food delivery platform have had as much as 600 stolen from their accounts in a spate of attacks extending over at least the last month.

Deliveroo has denied that its own systems have been hacked, blaming credential reuse from historic hacks of sites including LinkedIn, and said no personal data has been leaked.

Advertisement - Article continues below

However, customers continue to be hit with the attacks, with IT Pro aware of at least one attack this week in which a user lost 300 from his account.

Another user, Judith MacFayden, told the BBC's Watchdog programme in an investigation being broadcast this evening: "I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London."

Twitter user Paul Taylor wrote last month: "#deliveroo just allowed my account to be hacked to the tune of 600 in two days! Some fat hackers out there..."

The takeaway app told IT Pro it has refunded any money that was stolen, but did not address our question of whether it is forcing customers to change passwords to fend off hacks before they happen.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Instead a spokesman said: "Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem we take it very seriously.

"On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities."

But cybersecurity experts warned that companies must make customers aware of basic security measures like changing their passwords, and should monitor credentials revealed in breaches and compare them to those used for their own services.

Cloud security firm Netskope's EMEA VP, Andre Stewart, said: "If credentials are found to have been compromised in another breach, companies can prompt customers to change their details to ensure systems remain secure. Organisations should also monitor for unusual behaviour or usage patterns so that security teams can block intruders and protect sensitive data."

James Romer, EMEA chief security architect at SecureAuth, added: "This laid-back consumer attitude [to passwords] is no longer acceptable and companies also need to be doing more to add extra layers of authentication to login processes, which don't have to impact the user."

Advertisement - Article continues below

Deliveroo wouldn't confirm what anti-fraud measures it has put in place, but the spokesman said: "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use."

He added: "We can assure customers that we are constantly improving our security measures, and make regular upgrades to our practices. Recently, this included frequently asking customers to verify themselves when entering a new address.

"We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning to track patterns of criminal activity. This blocks transactions when our system detects suspicious activity."

UK data watchdog, the Information Commissioner's Office, confirmed it plans to speak to Deliveroo. A spokesperson said: "Businesses are required by law to keep personal information safe and secure and people have a right to trust that will happen. We have received some complaints about Deliveroo and will be speaking to the company."

Picture: Bigstock

Responses to cyber attacks are too reactive. Learn how to monitor and tackle threats to your business much more swiftly by downloading this Intel whitepaper.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement
Advertisement

Recommended

Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
Visit/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
Visit/security/data-breaches/355173/marriott-hit-by-data-breach-exposing-personal-data-of-52-million
data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020