Cracked Deliveroo accounts are being touted for sale on online forums for £10, BuzzFeed News has learned.
Hackers are advertising accounts they have taken control of, in one case boasting that the accounts were "bulletproof" because the contact details on them had been changed, so the victims were not even aware their accounts had been compromised.
Access was being offered for sale on at least two account-cracking forums last month, while in April last year one hacker claimed they were able to test almost 10,000 email and password combinations – at a rate of over 2,500 a minute – without using any proxies.
Deliveroo said it could not comment on how many accounts had been affected as a “matter of policy”.
“We will say that the numbers are small and that we are constantly monitoring the situation and refining our security measures,” a spokesperson for the food delivery app said.
Deliveroo did however recommend customers ensure their Deliveroo password is “unique and strong”, and to use a “good password manager like 1Password or LastPass".
We revealed last week how some Deliveroo customers said their accounts had been hacked, with fraudulent orders worth hundreds of pounds being made on their bank cards.
Unless victims noticed the emails confirming the unauthorised orders and cancelled before the orders went through, the money was taken out of their bank accounts.
Deliveroo said it had no evidence of a security breach in its systems. In emails sent to customers whose accounts were hacked, the company told victims their account password was probably the same as one used on another site that had seen user details published online.
Hackers take email and password combinations leaked in data breaches of other sites and try them against a target website en masse, betting that people reuse the same password on more than one site. The practice is called credential stuffing.
The combinations are fed through a bot that automates the attack and helps it evade defences: rotating through proxy IP addresses to stay under per-IP rate limits, and using OCR or other solving techniques to get past CAPTCHA.
In April last year, one hacker claimed on a cracking forum that they were able to test almost 10,000 email and password combinations – at a rate of over 2,500 a minute – without using any proxies.
Their post claimed that despite 9,761 of these attempts failing, no automated Deliveroo security measures were activated to protect accounts.
A screenshot posted by the hacker alongside the claim also shows that the bot did not have to attempt to defeat CAPTCHA, as indicated by the field "OCR Rate: NA".
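The claim above, almost 10,000 distinct credentials tried from a single address at over 2,500 a minute with a success rate of under 3% and no defence triggered, is the classic server-side signature of credential stuffing. The following is an added example of how such a run would show up in login logs and how a detector could flag it; it is not Deliveroo's code or the forum poster's tool. The log format, the IP addresses, the usernames and the thresholds are assumptions chosen for illustration, and the log lines are constructed inside the script. The per-IP check catches an attacker who, like the one in the post, uses no proxies; the global check is there because an attacker rotating proxies will never trip a per-IP threshold.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed log format, one event per line (this is an assumption, not any
real service's format):
    <ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta


def sample_log_lines():
    """Constructed sample log: one address tries 120 distinct leaked
    credentials in 60 seconds (4 succeed), while a legitimate user on
    another address mistypes once and then logs in."""
    t0 = datetime(2016, 11, 1, 12, 0, 0)
    lines = []
    for i in range(120):
        ts = (t0 + timedelta(seconds=i / 2)).isoformat()   # 2 attempts/sec
        outcome = "LOGIN_OK" if i % 30 == 0 else "LOGIN_FAIL"
        lines.append(f"{ts} 203.0.113.7 user{i}@example.org {outcome}")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} 198.51.100.4 alice@example.org LOGIN_FAIL")
    lines.append(f"{(t0 + timedelta(seconds=20)).isoformat()} 198.51.100.4 alice@example.org LOGIN_OK")
    return lines


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "user": user, "ok": outcome == "LOGIN_OK"}


def detect_stuffing(lines, window=timedelta(seconds=60), min_attempts=50,
                    min_distinct_users=25, max_success_ratio=0.2):
    """Per-source-IP sliding window. Flags an address when, within one
    window, it makes many attempts against many *different* usernames
    with a low success ratio: a user who forgot a password hammers one
    account; a stuffing bot touches each account once or twice."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                     # slide window forward
            span = evs[start:end + 1]
            attempts = len(span)
            if attempts < min_attempts:
                continue
            users = {e["user"] for e in span}
            successes = sum(1 for e in span if e["ok"])
            if (len(users) >= min_distinct_users
                    and successes / attempts <= max_success_ratio):
                cand = {"ip": ip, "window_start": evs[start]["ts"],
                        "attempts": attempts, "distinct_users": len(users),
                        "successes": successes}
                if best is None or cand["attempts"] > best["attempts"]:
                    best = cand                # report the busiest window per IP
        if best:
            alerts.append(best)
    return alerts


def global_failure_spike(lines, window=timedelta(seconds=60),
                         baseline_failures=10, factor=5):
    """Site-wide failed-login count per fixed window, regardless of source
    address. Catches a proxy-rotating attack that stays under every per-IP
    limit. The baseline would normally be learned from quiet traffic; here
    it is an assumed constant."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    if not events:
        return []
    t0, secs = events[0]["ts"], window.total_seconds()
    buckets = defaultdict(lambda: {"failures": 0, "ips": set()})
    for e in events:
        if not e["ok"]:
            idx = int((e["ts"] - t0).total_seconds() // secs)
            buckets[idx]["failures"] += 1
            buckets[idx]["ips"].add(e["ip"])
    return [{"window_start": t0 + idx * window, "failures": b["failures"],
             "distinct_ips": len(b["ips"])}
            for idx, b in sorted(buckets.items())
            if b["failures"] > baseline_failures * factor]


if __name__ == "__main__":
    for a in detect_stuffing(sample_log_lines()):
        print("stuffing from", a["ip"], a)
    for s in global_failure_spike(sample_log_lines()):
        print("global failure spike", s)
```

Two caveats a practitioner would add. The thresholds have to be set against the site's own baseline, or the detector fires on every busy Monday morning. And the response to an alert should be a step-up challenge (CAPTCHA, email confirmation, slowing the source) rather than locking the targeted accounts outright: a lockout-on-failure rule lets an attacker with a breach dump lock thousands of legitimate users out of their own accounts.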
Email addresses and passwords of the four accounts the hacker claimed to have gained access to were then posted on the same forum.
That was 18 months ago, but last month cracked Deliveroo accounts were still being touted for sale on at least two forums, which could explain an apparent spike in people saying their accounts had been hacked in the last few weeks. Deliveroo denied there had been any spike and told BuzzFeed News that the rate of fraudulent orders was “low and flat”.
Deliveroo said it was aware of “this type of criminal activity” and was taking “extensive action to put a halt to it”, but said it would be inappropriate to comment on specific measures taken, for security reasons.
When asked whether any new security measures had been introduced to prevent credential stuffing attacks since 2015, Deliveroo said in a statement: “Instances of fraud on our systems are extremely rare and we have robust, industry-leading security processes in place to prevent it. We constantly review and enhance these processes and measures and will continue to do so.”
In one instance from last month, a hacker claimed to have changed the contact details of the accounts they accessed, meaning people would not even be informed about orders being made on their cards until the money had disappeared from their accounts.
Where victims did still receive confirmation of orders they had not made, the victims suggested the hackers were having food delivered to addresses they did not live at and collecting it outside.
Attempts to get free food are not always successful. On the forums, one hacker also discussed how they had nearly been caught trying to collect a pizza from another takeaway company that had been bought with a cracked account.
BuzzFeed News asked Deliveroo why it does not require any additional security information to be entered for contact details to be changed, after a customer's card details are entered when the account is first set up.
“Changing of contact or delivery information are significant factors in our fraud detection systems which block suspicious transactions, and are something we take very seriously,” Deliveroo told BuzzFeed News. “We are constantly enhancing these systems and other fraud countermeasures and will continue to do so.”
When first contacted by BuzzFeed News, Deliveroo said there was no evidence its "robust security systems" had been hacked, but it could not comment for security reasons on whether it limited the number of login attempts someone could make before being locked out.
A spokesperson said that because it does not hold customers' card details – payments are processed by a third party – fraudsters were limited to buying food and could not access any other account details.
In one case a customer claimed more than £800 worth of food was ordered from their account before they alerted Deliveroo and their bank.
Deliveroo said customers were always reimbursed and the cost of fraudulent orders was never passed on to restaurants.
Deliveroo previously told BuzzFeed News: “Customer security is incredibly important to us, and instances of fraud on our systems are extremely rare. We have robust processes in place, which we’re always developing and refining to prevent such activity. On the rare occasions fraud does occur, we block the account, reimburse the customer, report it, and work with the authorities to resolve the case.”
Matthew Champion is a deputy world news editor for BuzzFeed News and is based in London.