Deliveroo customers say their accounts are being hacked, with fraudulent orders worth hundreds of pounds being made on their credit or debit cards.
A string of similar incidents have in recent days been reported on social media of people receiving confirmation emails for food orders they did not make, though Deliveroo denied there had been a spike in cases in recent weeks, saying the rate was low and flat.
If people were unable to catch the emails before the order went through, money was taken out of their accounts, although in most cases they were later reimbursed by Deliveroo.
Victims have also suffered the inconvenience of cancelling bank cards.
Deliveroo insisted there was no evidence of a breach in its “robust security systems". The company told BuzzFeed news that it does not hold customers' card details – payments are processed by a third party – and it seems that while fraudsters could buy food they could not access any other account details, or make other fraudulent purchases elsewhere.
Customers who have contacted Deliveroo after receiving confirmation emails for orders they did not make have been told they had probably used the same password for Deliveroo and other websites that had suffered data breaches, such as Dropbox or LinkedIn.
A spokesperson stressed incidents of hacking were "super rare", representing a tiny proportion of total orders, or a couple of thousand cases a year.
They said the cost of fraudulent orders was never passed on to customers or restaurants.
There has been a number of cases reported in recent days. Graphic designer Macsen Flook said between 3-7 October his account was cleared of around £800 in Deliveroo orders he did not make.
"I have used Deliveroo only once before on my girlfriend's account maybe three months earlier. She got texts from Deliveroo saying thanks for your order during this period and she checked her account but saw nothing suspicious. I didn't think to look at my own," Flook, 29, from Manchester, told us.
"I called Natwest to say I thought my account had been hacked and they refunded me my money and cancelled my card and created a fraud case. I decided to tweet Deliveroo and tell all my mates and work colleagues to be wary. All I got back was a tweet from Deliveroo saying 'have you contacted our help team?' I got my money back and my account card changed so I was just happy it was sorted."
George Woffenden, a commercial sports agent, fell victim on Sunday night, when he was emailed about a £38 order he did not make.
He was told the order would be refunded within 24 hours, but ultimately his bank refunded the money.
Michael Wootten, a 25-year-old student from Bournemouth, said someone ordered KFC to somewhere on the Manchester University campus. "I have only used KFC from Deliveroo so it was probably them trying to make it look less suspicious," he said.
Casey Rain, a 28-year-old musician, fell victim to hackers ordering food from his Deliveroo account back in September. Casey said he was particularly annoyed that the £45 of food ordered to an address in London was all meat, as he is vegan.
"One night I got a text message saying my order had been received. I dismissed it as a wrong number. Then I get a phone call 40 minutes later from the driver saying he was outside. I said 'I haven't made an order, but what city are you in?' He said London. I live in Birmingham! Checked my email and there it was – £40 of food ordered from my account, charged to my credit card. I immediately changed my password to a randomly generated new one. [I] tried to call Deliveroo but it was out of hours," he said.
"The following day I was at work, so I called them on my lunch break. Literally as I'm on the phone with Deliveroo explaining what happened, another order got made. £70 of Nandos to another address in London. Particularly offensive since I'm vegan! Anyway, the lady on the phone cancelled it as it had just happened and refunded me both of the charges, and I requested that she delete my account."
Nick Blakeley, an 29-year-old actor who lives in London, was hacked last week. Like others he initially dismissed a confirmation email about Nando's as a mistake, but then was also informed his order of £45 worth of ice cream in Coventry had gone through.
"[Deliveroo] phoned the ice cream shop and managed to cancel that order. But Nando's delivery (for three people worth around £40) had already been delivered.
"They cancelled my account. And chased the refund from Nando's and have just emailed me five days later saying it looks like it was an email breach and not a Deliveroo security problem."
Jess, a 26-year-old chartered accountant from Cambridge who didn't want to give her surname, received an email on Friday for an order worth £110 in East Dulwich in London. At time of writing she was waiting for a promised refund to clear.
As with others, Deliveroo told her it was not an issue with its internal security controls, but that her account password was the same used on another site that had seen user details published online.
An email from Deliveroo sent to Jess and seen by BuzzFeed News said:
"Deliveroo is unable to locate any indication that access to your account was gained through an external party directly compromising the security of our systems.
"Based on our investigations into this incident Deliveroo has now concluded that the email address connected to this account has been involved in a number of data breaches involving other platforms.
"It is most likely that unauthorised access to your Deliveroo account was gained by an external parties' use of your email address and password."
In another email sent to an affected customer, a Deliveroo customer representative wrote:
“Thank you for getting in touch regarding this issue, I understand how distressing a situation such as this can be and would like to apologise for the amount of time it has taken to get back to you; these issues can take an extended time to investigate thoroughly due to their sensitive nature.”
After listing the unauthorised transactions and explaining that refunds would take between 5 to 10 working days, the email said after investigations, Deliveroo was "unable to locate any indication that access to your account was gained through an external party directly compromising the security of our systems. Deliveroo believes it is highly likely that any access to your account that was unauthorised by you was gained through other means; such as a password that was shared with your Deliveroo account being leaked from another platform.”
In emails seen by BuzzFeed News, victims of the hackers are given an itemised order addressed to the Deliveroo account holder, but sent to a different address and with a different phone number supplied.
In one case, six orders worth over £300 in total were made in the space of several hours, some of which were sent to the same address.
Victims suggested that hackers were ordering food to addresses where they did not live and collecting it outside, but Deliveroo said it could not speculate on how the fraudsters picked up the food.
In a statement supplied to BuzzFeed News, Deliveroo said: "Customer security is incredibly important to us, and instances of fraud on our systems are extremely rare. We have robust processes in place, which we’re always developing and refining to prevent such activity. On the rare occasions fraud does occur, we block the account, reimburse the customer, report it, and work with the authorities to resolve the case."
Matthew Champion is a deputy world news editor for BuzzFeed News and is based in London.
Contact Matthew Champion at email@example.com.
Got a confidential tip? Submit it here.