Deliveroo Accounts Hacked, Sold on the Dark Web for $6

A number of users of food delivery service Deliveroo have reported bizarre, fraudulent activity on their hacked accounts. According to Forbes, some fraudsters have even run up hundreds of dollars in order bills. Deliveroo is a London-based food and drinks delivery firm valued at $2 billion.

London-based PR manager Tessa Bryant reported a $560 bill on her Deliveroo account. The order consisted of $187 worth of cakes and ice cream. Besides the food delivery service account, Bryant said that her Netflix and Snapchat accounts were also compromised.

Another user told the LAD Bible that he lost almost $561 from his account.


Different methods

These transactions occurred because of recent attacks directed at existing Deliveroo accounts. Forbes noted that attackers could have used various hacking techniques to obtain Deliveroo credentials.

Hackers possibly used a method called “credential stuffing.” In this technique, attackers mine compromised passwords from previous data leaks and then reuse those passwords on every account they encounter.
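On the defending side, credential stuffing leaves a recognizable trace in login logs: one source tries many different usernames only once or twice each, unlike brute forcing, which hammers a single account. The sketch below is an added example, not code from the article or from Deliveroo, and it flags that pattern. The log format, the thresholds and the sample lines are all constructed assumptions, and since real campaigns often spread across many addresses, per-source counting is only one signal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp source-IP username outcome"
SAMPLE = (
    # One source, six different usernames in under a minute, one hit: stuffing
    [f"2024-01-01T10:00:{i * 10:02d} 203.0.113.7 user{i}@example.com "
     f"{'OK' if i == 3 else 'FAIL'}" for i in range(6)]
    # One source hammering a single account: brute force, not stuffing
    + [f"2024-01-01T10:01:{i:02d} 198.51.100.9 victim@example.com FAIL"
       for i in range(8)]
    # An ordinary user who mistyped a password once
    + ["2024-01-01T10:02:00 192.0.2.20 carol@example.com FAIL",
       "2024-01-01T10:02:09 192.0.2.20 carol@example.com OK"]
)

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def stuffing_sources(lines, window=timedelta(minutes=5),
                     min_users=5, max_per_user=2):
    """Return {ip: (distinct_usernames, successful_logins)} for suspect sources.

    A source is suspect when, inside one sliding time window, it tries at
    least `min_users` usernames and no username more than `max_per_user` times.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse(line)
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            per_user = defaultdict(int)
            for _, user, _ in chunk:
                per_user[user] += 1
            wide = len(per_user) >= min_users
            shallow = max(per_user.values()) <= max_per_user
            # Keep the widest qualifying window seen for this source.
            if wide and shallow and len(per_user) > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (len(per_user), sum(ok for _, _, ok in chunk))
    return flagged
```

The successful-login count in the result matters most for response: those are the accounts whose reused password worked and that need a forced reset.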

Aside from credential stuffing, fraudsters likely used phishing pages to obtain login details. This is a technique where unsuspecting users are tricked into keying their details into a fraudulent page. Crooks design these pages to look exactly like legitimate ones.

The dark web connection

While criminals obtained credentials by hacking the accounts, fraudsters can also get these login credentials through the dark web. There were reports of hacked Deliveroo accounts being sold on the dark web for as little as $6 and up to $60.

Amid this security concern, Deliveroo assured its customers that there was no security breach on its part. A spokesperson said that the firm “takes online security extremely seriously.” They also said that the company has “robust measures” in place to protect its systems and users.


Regarding the fraudulent transactions, the company said that the account owner will “receive full refund” in most cases. This applies only to charges that customers certainly did not make. The firm clarified that transactions which customers do not remember are not covered.

The spokesperson also remarked that the firm has security methods in place in case a customer’s credentials are compromised outside the platform. They also emphasized that the criminals rely on customers’ use of the same passwords for multiple accounts.

To avoid the occurrence of such incidents, the spokesperson advised users to come up with different passwords for various online services.