Users said that amounts between GBP 100 and GBP 200 have been spent on burgers delivered to several addresses, with one client saying that it was charged GBP 98 for a delivery from TGI Friday which was 86 miles away from his home.
The breached company said the hacks were carried out using passwords stolen in previous data breaches on other companies. Still, Deliveroo denied that any financial information had been stolen.
Security experts warn that the company must improve security. James Romer Chief Security Architect EMEA at SecureAuth Corporation commented: “This is a perfect example of why people need to be using different password/username credentials for different sites. Using the same combination is the equivalent of a skeleton key to your online life. It makes it too easy for bad actors to gain entry to more and more information. This is of monumental importance, particularly on sites like Deliveroo where customers save their card details for convenience, leaving them left with holes in their bank accounts too.
Furthermore, this laid-back consumer attitude is no longer acceptable and companies also need to be doing more to add extra layers of authentication to log in processes, which don’t have to impact the user. Multi-factor, adaptive authentication, renders stolen credentials completely worthless, taking advantage of the contextual information that exists today around our identities, devices and locations, making it much harder to compromise accounts. This also removes the hoops to purchase without impacting the user experience.”
Deliveroo was launched in 2013 as a takeaway app, offering to find all nearby locations for users wanting to order food. It rapidly expanded to dozens of towns and cities across the UK.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now