Attackers Reused Passwords to Place Fraudulent Deliveroo Food Orders

November 23, 2016 3:16 pm David Bisson

Attackers placed fraudulent orders on the food app Deliveroo by reusing customers’ passwords stolen in other breaches to gain access to their accounts.

Created in 2013, Deliveroo allows members to search for all nearby locations that offer certain kinds of food. Customers can then place an order at any of those establishments via the service’s mobile app. They just need to make sure they’re signed into their accounts first.

Given that requirement, a few members were surprised to find orders on their accounts that they had never placed.

User Judith MacFayden, from Reading, said she received a notification about one such fraudulent order. As quoted by BBC News:

“I noticed that I had a ‘thank you’ email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London.”

Another user named Margaret Warner said she was charged £113.70 for chicken, waffles, and chips that she did not order, while Steve Tappin saw a charge of £98 from a TGI Friday located 86 miles away.

Deliveroo refunded all the customers’ money and confirmed that attackers did not make off with anyone’s financial information.

The food order app went on to explain that the incident resulted not from an internal security incident but from members’ poor password security practices:

“Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem, we take it very seriously. We are aware of these cases raised by Watchdog – they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach.”

Attackers could have stolen people’s passwords from the mega-breaches at LinkedInTumblrYahoo, or several other web services. In fact, they still could. It’s therefore up to organizations to help educate their workforce about password security best practices including the use of two-step verification (2SV). They can do so with the help of third-party security awareness training software.

Does this sound of interest to your enterprise?

If so, contact MetaCompliance and learn how its staff awareness solutions can prevent fraudulent orders from showing up on your corporate accounts.