Deliveroo blames re-used passwords for spate of account hacks

But security experts say companies must change user behaviour

Fraudsters have hacked Deliveroo customers' accounts to order vast amounts of food via the takeaway app.

Some users of the food delivery platform have had as much as 600 stolen from their accounts in a spate of attacks extending over at least the last month.

Deliveroo has denied that its own systems have been hacked, blaming credential reuse from historic hacks of sites including LinkedIn, and said no personal data has been leaked.

However, customers continue to be hit with the attacks, with IT Pro aware of at least one attack this week in which a user lost 300 from his account.

Advertisement - Article continues below
Advertisement - Article continues below

Another user, Judith MacFayden, told the BBC's Watchdog programme in an investigation being broadcast this evening: "I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London."

Twitter user Paul Taylor wrote last month: "#deliveroo just allowed my account to be hacked to the tune of 600 in two days! Some fat hackers out there..."

The takeaway app told IT Pro it has refunded any money that was stolen, but did not address our question of whether it is forcing customers to change passwords to fend off hacks before they happen.

Instead a spokesman said: "Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem we take it very seriously.

"On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities."

But cybersecurity experts warned that companies must make customers aware of basic security measures like changing their passwords, and should monitor credentials revealed in breaches and compare them to those used for their own services.

Advertisement - Article continues below

Cloud security firm Netskope's EMEA VP, Andre Stewart, said: "If credentials are found to have been compromised in another breach, companies can prompt customers to change their details to ensure systems remain secure. Organisations should also monitor for unusual behaviour or usage patterns so that security teams can block intruders and protect sensitive data."

James Romer, EMEA chief security architect at SecureAuth, added: "This laid-back consumer attitude [to passwords] is no longer acceptable and companies also need to be doing more to add extra layers of authentication to login processes, which don't have to impact the user."

Deliveroo wouldn't confirm what anti-fraud measures it has put in place, but the spokesman said: "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use."

He added: "We can assure customers that we are constantly improving our security measures, and make regular upgrades to our practices. Recently, this included frequently asking customers to verify themselves when entering a new address.

Advertisement - Article continues below

"We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning to track patterns of criminal activity. This blocks transactions when our system detects suspicious activity."

UK data watchdog, the Information Commissioner's Office, confirmed it plans to speak to Deliveroo. A spokesperson said: "Businesses are required by law to keep personal information safe and secure and people have a right to trust that will happen. We have received some complaints about Deliveroo and will be speaking to the company."

Advertisement - Article continues below

Picture: Bigstock

Responses to cyber attacks are too reactive. Learn how to monitor and tackle threats to your business much more swiftly by downloading this Intel whitepaper.

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now



Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Popular password managers found to have serious flaws

21 Feb 2019

Most Popular


Patch issued for critical Windows bug

11 Dec 2019

Buy IT to grow, not slow, your business

25 Nov 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Microsoft to scrap Security Essentials when Windows 7 reaches end-of-life

13 Dec 2019