IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Deliveroo blames re-used passwords for spate of account hacks

But security experts say companies must change user behaviour

Fraudsters have hacked Deliveroo customers' accounts to order vast amounts of food via the takeaway app.

Some users of the food delivery platform have had as much as 600 stolen from their accounts in a spate of attacks extending over at least the last month.

Deliveroo has denied that its own systems have been hacked, blaming credential reuse from historic hacks of sites including LinkedIn, and said no personal data has been leaked.

However, customers continue to be hit with the attacks, with IT Pro aware of at least one attack this week in which a user lost 300 from his account.

Another user, Judith MacFayden, told the BBC's Watchdog programme in an investigation being broadcast this evening: "I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London."

Twitter user Paul Taylor wrote last month: "#deliveroo just allowed my account to be hacked to the tune of 600 in two days! Some fat hackers out there..."

The takeaway app told IT Pro it has refunded any money that was stolen, but did not address our question of whether it is forcing customers to change passwords to fend off hacks before they happen.

Instead a spokesman said: "Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem we take it very seriously.

"On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities."

But cybersecurity experts warned that companies must make customers aware of basic security measures like changing their passwords, and should monitor credentials revealed in breaches and compare them to those used for their own services.

Cloud security firm Netskope's EMEA VP, Andre Stewart, said: "If credentials are found to have been compromised in another breach, companies can prompt customers to change their details to ensure systems remain secure. Organisations should also monitor for unusual behaviour or usage patterns so that security teams can block intruders and protect sensitive data."

James Romer, EMEA chief security architect at SecureAuth, added: "This laid-back consumer attitude [to passwords] is no longer acceptable and companies also need to be doing more to add extra layers of authentication to login processes, which don't have to impact the user."

Deliveroo wouldn't confirm what anti-fraud measures it has put in place, but the spokesman said: "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use."

He added: "We can assure customers that we are constantly improving our security measures, and make regular upgrades to our practices. Recently, this included frequently asking customers to verify themselves when entering a new address.

"We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning to track patterns of criminal activity. This blocks transactions when our system detects suspicious activity."

UK data watchdog, the Information Commissioner's Office, confirmed it plans to speak to Deliveroo. A spokesperson said: "Businesses are required by law to keep personal information safe and secure and people have a right to trust that will happen. We have received some complaints about Deliveroo and will be speaking to the company."

Picture: Bigstock

Responses to cyber attacks are too reactive. Learn how to monitor and tackle threats to your business much more swiftly by downloading this Intel whitepaper.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Apple, Google, Microsoft expand their support for password-less sign-ins
cyber security

Apple, Google, Microsoft expand their support for password-less sign-ins

6 May 2022
NordPass teams up with insurance provider Cowbell Cyber to improve security awareness
cyber security

NordPass teams up with insurance provider Cowbell Cyber to improve security awareness

18 Feb 2022
NCA donates 225 million passwords to Have I Been Pwned
cyber security

NCA donates 225 million passwords to Have I Been Pwned

21 Dec 2021
Top 200 most common passwords of 2021 revealed
cyber security

Top 200 most common passwords of 2021 revealed

10 Dec 2021

Most Popular

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers
ransomware

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers

26 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022