If you have a Deliveroo account, keep a vigilant eye on it. Sooner or later, you might receive a bill for something you never ordered. That is happening (or has happened) to most customers. Allegedly, many customers have received wrong bills after their Deliveroo accounts were hacked. The accounts are also for sale on the dark web for a mere $6!
Deliveroo Accounts Hacked
As discovered recently, numerous Deliveroo accounts were hacked, causing severe trouble to the customers. According to Forbes, these hacked accounts are available for sale on the dark web too.
The incident caught the attention of Forbes after numerous complaints from Deliveroo customers. As stated in their blog post, the attack also affected some Forbes staff members.
Forbes reported that the accounts are available for sale on the dark web.
Emily Wilson, from Terbium Labs, found a single account on sale on a dark Web market called Empire, costing just $5.99.
The extent of the attack is evident from the increasing number of complaints. Many customers even posted about this on Twitter.
These recent tweets show that the scam is still going on and can hit any Deliveroo customer at any time.
Someone in London actually hacked my Deliveroo account and tried to order a family bucket of chicken GROW UP! I KNOW WHERE U LIVE! pic.twitter.com/CtI24HEypb
— jordan✨ (@Jordanaan) July 24, 2019
@Deliveroo I messaged you yesterday and now I have another fraud on my account! Sort this out now please! I will now need to cancel another card. The 4th one this year! pic.twitter.com/K8s4IfAntc
— Francesca Ferrari-Jhutty (@Frankie_Ferrari) July 24, 2019
Deliveroo Says Their Systems Were Unaffected
It is not yet clear how the hackers gained access to customers’ accounts. It could be phishing, or some third-party hack might have enabled the hackers to reuse login credentials.
According to Forbes, Wilson also spotted a Deliveroo phishing site, which its seller boasts is the most successful for stealing PayPal account or bank details. Forbes also reported the existence of an ‘account checker’ service, which can be used to check for working login credentials.
So far, there seems to be no public disclosure from Deliveroo regarding the incident. In their statement to Forbes, they said:
Deliveroo takes online security extremely seriously and has robust measures both to protect our systems and members of the public who have had their passwords compromised outside of Deliveroo. Sadly cyber criminals rely on the fact that people reuse the same passwords on multiple online services and use data breaches on other sites to try to gain access to Deliveroo accounts. There has been no breach of Deliveroo’s internal systems.
So, for now, the only viable option for Deliveroo customers is to keep an eye on their accounts. In case of any fraudulent activity, make sure to inform your bank as well as Deliveroo.
Last year, another food-delivery service, DoorDash, reset customers’ passwords after a credential stuffing attack.
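An added example, not from the original article, Forbes or Deliveroo: how a service operator could spot the ‘account checker’ pattern described above (one source trying many different accounts and mostly failing) in its own login log, and list the accounts that need a forced reset. The log format, thresholds and function name are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample login log. Assumed format: time, source IP, account, result.
SAMPLE_LOG = """\
2019-07-24T10:00:01 203.0.113.7 ann@example.com FAIL
2019-07-24T10:00:02 203.0.113.7 bob@example.com FAIL
2019-07-24T10:00:03 203.0.113.7 cat@example.com OK
2019-07-24T10:00:04 203.0.113.7 dan@example.com FAIL
2019-07-24T10:00:05 203.0.113.7 eve@example.com FAIL
2019-07-24T10:00:06 203.0.113.7 fay@example.com FAIL
2019-07-24T10:03:10 198.51.100.4 gus@example.com FAIL
2019-07-24T10:03:25 198.51.100.4 gus@example.com FAIL
2019-07-24T10:03:40 198.51.100.4 gus@example.com OK
2019-07-24T10:05:00 192.0.2.9 hal@example.com OK
"""

def flag_stuffing_sources(log_text, min_accounts=5, max_success_ratio=0.3):
    """Flag source IPs that try many distinct accounts and mostly fail.

    A user who forgot a password retries ONE account; a checker replaying
    credentials leaked elsewhere touches MANY accounts, each once or twice.
    Returns {ip: {"accounts_tried": n, "accounts_to_reset": [...]}}.
    """
    stats = defaultdict(lambda: {"tried": set(), "hit": set(), "ok": 0, "total": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:          # skip blank or malformed lines
            continue
        _, ip, account, result = fields
        s = stats[ip]
        s["tried"].add(account.lower())
        s["total"] += 1
        if result == "OK":
            s["ok"] += 1
            s["hit"].add(account.lower())

    flagged = {}
    for ip, s in stats.items():
        if len(s["tried"]) >= min_accounts and s["ok"] / s["total"] <= max_success_ratio:
            # A successful login from a flagged source is a likely takeover:
            # that account needs a password reset and its sessions revoked.
            flagged[ip] = {"accounts_tried": len(s["tried"]),
                           "accounts_to_reset": sorted(s["hit"])}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Checkers that spread attempts over many source addresses dilute a per-IP count, so operators usually repeat the same grouping on other keys such as device fingerprint or user agent.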
Let us know your thoughts in the comments.