Some Deliveroo and Just Eat customers have reported that their accounts have been used to buy food that they didn’t order, but both companies deny a data breach.
Several Deliveroo customers are reported to have been sent an email from the company stating that the email address linked to their account had been changed, after which it was found that food had been ordered through their account by using credit which an unknown person had obtained by claiming refunds for previous orders.
In the case of Just Eat, some customers also reported having their card details used to purchase food they had not ordered.
Both companies are reported to have denied their systems had been breached and have said the customer details used to fraudulently order the food were obtained from another, third-party source.
Deliveroo is reported as saying that cyber-criminals know people re-use passwords across multiple online services, and that they take login credentials gained from breaches of other sites and try them against Deliveroo accounts. This clearly indicates Deliveroo believes password re-use may have been a key factor in this fraud.
Expect to lose money to online fraud
Online fraud is now so prevalent that many people appear resigned to being directly affected by it, and the message about the dangers of re-using passwords is not getting through.
For example, the UK National Cyber Security Centre research from April shows that 42% of Brits expect to lose money to online fraud by 2021.
The UK Cyber Survey also found that 70% believe they are likely to be a victim of at least one specific type of cyber-crime over the next two years, and that 37% of those surveyed agree that losing money or personal details over the internet is unavoidable these days. The survey also found that fewer than half of those questioned used a separate, hard-to-guess password for their main email account.
123456 still most popular and dark net
It’s not just password re-use that’s the problem: many people still appear to be choosing obvious passwords. For example, the NCSC’s recent study into breached passwords revealed that 123456 featured 23 million times, making it still the most widely used password on breached accounts.
Also, recent Surrey University research showed that cyber-criminals now have their own invisible internet on the so-called ‘dark net’ to allow them to communicate and trade beyond the view of the authorities and that login details obtained from previous breaches are relatively cheap and easy to buy there.
Not the first time for Deliveroo
It should be noted that, even though Deliveroo appears to have put the burden of responsibility elsewhere for these recent attacks, some customers had their accounts hacked and unordered food purchases were made back in 2016. At the time, the company also blamed the problems on passwords that had been stolen from another service in a major data breach, although some security commentators have suggested that Deliveroo should now look at whether its security systems are secure enough.
What does this mean for your business?
If Deliveroo and Just Eat’s claims are to be believed, users of these and many other services may be leaving themselves open to fraud by making bad password choices, and/or may be unaware that they are using login credentials that have already been stolen and are being tried against other services in bulk by credential stuffing. Making good password choices is a simple but important way we can protect ourselves, and Action Fraud suggests we should all use strong, unique passwords for online accounts and enable two-factor authentication where it is available.
Ideally, passwords should never be shared between accounts, because once one site has been breached, the login details can very quickly be tried on other sites by cyber-criminals. For example, in January a collection of credential stuffing lists (login details taken from other site breaches) containing around 2.7 billion records, including 773 million unique email address and password combinations, was discovered being distributed on a hacking forum.
Websites such as https://haveibeenpwned.com/ enable you to check whether your email address and login details have already been stolen in data breaches from other websites and platforms.