Customers of food delivery service Deliveroo have had their accounts compromised and were charged hundreds of pounds for food they did not order, an investigation by BBC One's Watchdog has found. According to the company, the hackers allegedly used passwords stolen in earlier data breaches at other firms to log in to Deliveroo accounts.
The London-based food delivery network was launched in 2013 and has since expanded its popular service to more than 100 cities across 12 countries.
The Watchdog investigation reported some users noticed they were being billed for food and drink orders they never placed that were delivered to various addresses around the country. Deliveroo users can save their payment information to the app to allow for a smoother ordering process.
Although the stored payment details are not fully displayed when a new order is placed, confirming them as the payment method takes a single tap, so anyone who gains access to an account can order food and have it charged to the saved card.
"I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick," user Judith MacFayden from Reading told Watchdog. "I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London."
One Deliveroo user from Manchester told Watchdog that she was charged £113.70 for chicken, waffles and chips that she never ordered. Another user said he was billed £98 for a TGI Friday delivery that was then delivered to a location 86 miles away from his home.
BBC reports that all the victims' money was eventually refunded.
Many annoyed users also took to social media claiming that their own Deliveroo accounts were hacked, some of whom said their accounts were charged multiple times over days. One victim reported that she had to cancel her bank card to avoid further charges to her account.
"Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem we take it very seriously," Deliveroo said in a statement to BBC. "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers.
These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use."
Technology journalist and expert David McClelland told Watchdog that the company could do more to help prevent these fraudulent purchases.
"When we buy things online, the more hoops we have to jump through to complete that purchase, the more likely we are to go away and do something else instead," McClelland said. "Deliveroo realises that - so tries to remove as many of the hoops as possible. However, some of the hoops that Deliveroo are removing are there specifically for security purposes. So while it may be making it easier for us to place orders, it is also making it easier for us to be defrauded."
He added that asking users to provide their bank security code or checking addresses while placing a new order could help prevent unauthorised purchases and flag any suspicious activity on their accounts.
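The two controls described above, a delivery-address check and flagging of suspicious ordering patterns before a saved card is charged on a single tap, can be sketched as a small server-side risk check. The following is an added illustration written for this article, not Deliveroo's code; the account and order records, the coordinates (a home address in Reading and two London delivery points) and the thresholds (25 miles, three orders in six hours) are all constructed for the example. When an order fails either check, the decision is to withhold the one-tap charge and require the card security code first.

```python
"""Pre-charge risk checks for one-tap orders on a stored card (illustrative).

Constructed example: the Account/Order records, coordinates and thresholds
below are made up for this demonstration and are not taken from any real
service. The idea follows the article: compare the delivery address with
addresses the account has used before, watch order velocity, and require the
card security code (step-up) instead of charging the saved card on one tap
when an order looks anomalous.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import math

EARTH_RADIUS_MILES = 3958.8

# Constructed coordinates (approximate): a home address in Reading and two
# delivery points in London, mirroring the pattern the article describes.
HOME = (51.4543, -0.9781)
CHISWICK = (51.4927, -0.2677)
LONDON_CENTRAL = (51.5074, -0.1278)


@dataclass
class Order:
    placed_at: datetime
    amount_gbp: float
    delivery: tuple  # (lat, lon) of the delivery address


@dataclass
class Account:
    email: str
    known_addresses: list  # (lat, lon) pairs previously delivered to
    history: list = field(default_factory=list)  # earlier Orders on this account


def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def assess_order(account, order, *, max_miles=25.0,
                 window=timedelta(hours=6), max_orders_in_window=3):
    """Decide whether the saved card may be charged on a single tap.

    require_cvv=True means the order must not go through on the stored card
    alone: prompt for the card security code and flag the account for review.
    """
    reasons = []

    # Address check: how far is this delivery from anywhere the account has
    # ordered to before? A first-ever address, or one far from all known
    # addresses, is the pattern seen in the reported fraud.
    nearest = None
    if account.known_addresses:
        nearest = min(haversine_miles(addr, order.delivery)
                      for addr in account.known_addresses)
    if nearest is None or nearest > max_miles:
        reasons.append("unfamiliar_delivery_address")

    # Velocity check: several orders within a short window (the "four orders
    # that afternoon" pattern) is treated as suspicious.
    recent = [o for o in account.history
              if timedelta(0) <= order.placed_at - o.placed_at <= window]
    if len(recent) + 1 > max_orders_in_window:
        reasons.append("order_velocity")

    return {
        "require_cvv": bool(reasons),
        "reasons": reasons,
        "nearest_known_miles": None if nearest is None else round(nearest, 1),
    }


def run_sample():
    """Replay a constructed afternoon of orders and return each decision.

    Every order is appended to history after assessment, modelling the real
    incident in which all of them went through; the decisions show which
    ones this check would have stopped at the one-tap step.
    """
    acct = Account("user@example.com", known_addresses=[HOME])
    acct.history.append(Order(datetime(2024, 1, 9, 19, 30), 18.50, HOME))
    afternoon = datetime(2024, 1, 10, 14, 0)
    incoming = [
        Order(afternoon, 24.00, HOME),  # legitimate order to the home address
        Order(afternoon + timedelta(minutes=40), 35.90, CHISWICK),
        Order(afternoon + timedelta(hours=1, minutes=10), 41.20, LONDON_CENTRAL),
        Order(afternoon + timedelta(hours=2), 29.75, CHISWICK),
        Order(afternoon + timedelta(hours=2, minutes=45), 52.00, LONDON_CENTRAL),
    ]
    decisions = []
    for order in incoming:
        decisions.append(assess_order(acct, order))
        acct.history.append(order)
    return decisions


if __name__ == "__main__":
    for i, decision in enumerate(run_sample()):
        print(i, decision)
```

In the replay, the home-address order passes with no reasons, the first London order is stopped on distance alone (about 30 miles from the only known address), and from the fourth order of the afternoon onward the velocity check fires as well. The distance threshold and window are deliberately simple; a real deployment would also account for accounts that legitimately order to several cities, which is why the outcome is a step-up prompt rather than an outright block.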