Deliveroo customers get hacked, go hungry, and foot the bill

It seems free food does indeed taste better, with hackers now targeting the takeaway service's customers to satisfy their cravings.
Written by Charlie Osborne, Contributing Writer

If you're being charged by Deliveroo for food you did not order, do not ignore it, as a new investigation by BBC One Watchdog has discovered customer accounts are being compromised by attackers.

Launched in 2013, Deliveroo is a company enjoying success as a new player in the takeaway industry. You order from local restaurants through a smartphone app, and delivery riders jump on their bicycles or scooters and pedal your food to you, most often within the hour.

Most of the time, as a service I too have used, it's a good system. However, there is one key element which is placing customers at risk -- and cyberattackers are exploiting it.

When you've signed up for an account, you do not need to enter the security code on the back of your card for each order.

In a new investigation conducted by BBC investigators, the team said "scores" of Deliveroo customers have had their accounts compromised and they have been charged for food and drink they never ordered. Once an account was broken into, cybercriminals simply changed the phone number and delivery address on the app and many customers are none the wiser until they check their bank statements or receive a "thank you" email note from Deliveroo.

BBC Watchdog outlined a number of separate cases, including Judith MacFadyen from Reading who was charged over £240 for food ordered from a burger joint; Margaret Warner from Manchester who was charged £113.70 for chicken, waffles, and chips; and Steve Tappin who was charged £98 for a delivery from a TGI Friday 80 miles away from his home.

In one extreme case, a pair of students at Southampton University who share a Deliveroo account were charged for chicken, curry, pizza, cheesecakes, and eight bottles of vodka.

In this case, Deliveroo failed to pick up the stream of fraudulent orders, all placed at 2:30 a.m. on the same night for delivery to addresses miles apart from each other, and the pair lost £440 in total.

In response to the investigation, Deliveroo was quick to point out that the fraud "involve stolen food, not credit card numbers," and denied that any internal data breach has occurred.

Instead, it may be that passwords used to protect the app itself are taken from other services that have experienced a data breach and then used to access the victim's Deliveroo account fraudulently.

Victims were refunded, but that is hardly the point.

If you had to input the security code of the card used to order in every case, simply having the app password would not be enough to hack an account. Fraudulent purchases may be limited to food orders, but when customers can lose hundreds of pounds because of it, it is not a matter to simply brush under the carpet.

A Deliveroo spokesperson said:

"It is our policy not to comment on specific anti-fraud countermeasures because we don't want to provide public guidelines on how we detect fraud to criminals. That said, we can assure customers that we are constantly improving our security measures, and make regular upgrades to our practices.

Recently, this included frequently asking customers to verify themselves when entering a new address.

On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities."
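The signals the BBC cases describe (a changed phone number and delivery address, several orders in one night going to addresses miles apart, small-hours timing) and the step-up verification the spokesperson mentions can be combined into a simple merchant-side check. The following is an added example with constructed data, not Deliveroo's code; the addresses, phone numbers, coordinates, time window and distance threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Order:
    placed_at: datetime  # local time the order was placed
    address: str         # delivery address as typed into the app
    phone: str           # contact number on the order
    lat: float           # delivery point, for the distance check
    lon: float

def km_between(a: Order, b: Order) -> float:
    """Great-circle distance (haversine) between two delivery points, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def takeover_signals(reg_address: str, reg_phone: str, recent: list, new: Order,
                     window: timedelta = timedelta(hours=1), max_km: float = 5.0) -> list:
    """Signals that `new` may come from a hijacked account: details changed away from
    the registered ones, or deliveries to far-apart addresses within `window`."""
    signals = []
    if new.address != reg_address:
        signals.append("address_changed")
    if new.phone != reg_phone:
        signals.append("phone_changed")
    if any(abs(new.placed_at - o.placed_at) <= window and km_between(o, new) > max_km
           for o in recent):
        signals.append("distant_orders_in_window")
    if new.placed_at.hour < 5:  # orders in the small hours are unusual for most accounts
        signals.append("late_night")
    return signals

def needs_verification(signals: list) -> bool:
    """True when the order should be held for step-up (e.g. re-entering the card code)."""
    return bool({"address_changed", "phone_changed", "distant_orders_in_window"} & set(signals))

# Constructed sample: a shared student account registered in Southampton (coordinates approximate)
REG_ADDRESS, REG_PHONE = "Flat 2, 10 Portswood Rd, Southampton", "+44 7700 900001"
LEGIT = Order(datetime(2016, 11, 21, 19, 5), REG_ADDRESS, REG_PHONE, 50.9097, -1.4044)
FRAUD_1 = Order(datetime(2016, 11, 22, 2, 5), "3 Bedford Pl, Southampton", "+44 7700 900099", 50.9120, -1.4060)
FRAUD_2 = Order(datetime(2016, 11, 22, 2, 30), "7 Mill Ln, Winchester", "+44 7700 900099", 51.0632, -1.3080)

def demo() -> list:
    """Evaluate the 2:30 a.m. order against the account's recent history."""
    return takeover_signals(REG_ADDRESS, REG_PHONE, [LEGIT, FRAUD_1], FRAUD_2)
```

Each signal on its own is weak (people do move house), which is why the result is a hold for re-verification rather than an outright block.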

If you're in the UK, you can learn more about the investigation tonight at 8 p.m. on BBC.

