Deliver-who? Hackers sell access to Deliveroo customers’ accounts for as little as £3 with stolen details used to order food shops and restaurants
- Deliveroo customers have their account details sold by hackers who order food
- One Deliveroo customer even said he was hacked five times in a single night
- Fraudsters are ordering whole meals and even posh chocolate using accounts
- Another fraudulent order was for £100 worth of cigarettes from the local Co-op
Hackers are selling access to Deliveroo customers’ accounts for as little as £3 – and the stolen details are then being used to order food from local shops and restaurants before the delivery firm’s customers become aware of the crime.
A Mail on Sunday investigation found hackers are advertising a menu of options on the Dark Web, including a one-off fee and pre-paid ‘credit’ for significant discounts.
One customer told us he was hacked five times in one evening this month and another has been hacked twice this year despite changing her password.
Hackers flood Deliveroo and other sites to test for vulnerable accounts, mainly those where customers have used the same passwords. Once in, they change telephone numbers and addresses to divert deliveries and then switch details back before quitting the account [File photo]
The company was alerted to the problem earlier this year. But last week, daily complaints on social media included more than £200 ordered from East London takeaways from one account and another fraudulent order for £100 worth of cigarettes from the local Co-op.
Fraudsters often order small amounts, even single meals, at a time. One customer said her account had been used to order ‘posh chocolate’.
Jason Hill, lead cyber security researcher at CyberInt, said email addresses, passwords and bank details are stolen through data breaches at other companies and traded on the Dark Web, part of the internet not visible to search engines.
Hackers then flood Deliveroo and other sites to test for vulnerable accounts, mainly those where customers have used the same passwords.
Once in, they change telephone numbers and addresses to divert deliveries and then switch details back before quitting the account.
But criminals leave behind evidence and victims have found their details on digital receipts.
After ‘brief investigations’ last week, Hill was able to find evidence that access to Deliveroo and other delivery firm accounts had been traded on the Dark Web.
One, claiming to be a student and which appeared to be inactive, offered ‘all the food you want’ from Deliveroo for £5.99.
Another advertised Deliveroo ‘credit balances’ between £10 and £99 for 30 per cent of their value.
Deliveroo said last night: ‘We regularly introduce measures to combat fraudsters and to protect customer accounts. Unfortunately, cyber criminals rely on people reusing the same passwords on multiple online services and use data breaches elsewhere to try to gain access to other accounts online.’
One customer told us he was hacked five times in one evening this month and another has been hacked twice this year despite changing her password. The company was alerted to the problem earlier this year [File photo]