Deliveroo suffers credential stuffing attack

Deliveroo customers have reported that their accounts have been accessed, delivery addresses added and orders made without their knowledge or consent.

Scammers are reportedly ordering huge quantities of food and drink to seemingly random addresses, using bank details linked to the victim’s account.

Some account holders report receiving emails to say Deliveroo account details had been changed – specifically email addresses and phone numbers, rendering them unable to access their accounts.

One media outlet has reported that as many as 40 people have experienced this seemingly fraudulent activity.

Hackers appear to be using credential stuffing, a technique which involves hackers obtaining usernames and passwords from data breaches and testing the same details against a range of online accounts.

Credential stuffing takes advantage of people reusing username and password combinations across different accounts. By fraudulently gaining valid combinations for one site, and successfully using them on other sites an attacker can access legitimate accounts. The primary motivation is financial, but it can lead to identity theft.

Deliveroo is now introducing a “dedicated team” to handle complaints of accounts being compromised in this way.

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: