According to information security specialists, several users of Deliveroo, a food delivery app, have had their accounts hijacked: the app charged their accounts with hundreds of bills for food and drinks they never actually ordered.
One London resident affected by the incident claims that an unknown user made purchases at multiple food businesses, leaving the victim with a bill of more than $150 USD.
Most of the affected users appear to be London residents. Although this is not the first time the company has faced an incident of this kind, information security experts note that both Deliveroo and its users remain a very easy target for threat actors.
However, the company claims that the incident was not the result of a cyberattack, data breach or similar compromise of its systems; rather, attackers have been using login credentials stolen in other security incidents to try to access Deliveroo accounts, in what is known as a credential stuffing attack.
According to information security specialists, credential stuffing is a very common and technically simple attack: because people often reuse the same password across multiple online platforms or services, threat actors only have to try the stolen passwords against the matching accounts of potential victims using automated tools.
In addition, hackers operate multiple phishing pages that imitate the official Deliveroo platform to trick users into handing over their login credentials. As if that weren't enough, malicious users can also purchase data sets of these services' users on hacking forums for around $60 USD.
In a statement, the company affirmed that “as an e-commerce company, data security is a really serious matter for Deliveroo. Highly stringent measures are being taken to prevent further damage from this incident”. According to specialists from the International Institute of Cyber Security (IICS), the company could easily identify fraudulent orders using machine learning tools.
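Credential stuffing as described above leaves a recognisable trace in authentication logs: one source tries many distinct accounts in a short time, most attempts fail, and the few successes are the accounts whose reused passwords were already leaked elsewhere. The following is an added detection example, not Deliveroo's code or anything from the article; the log format, the IP addresses and the thresholds are constructed for illustration.

```python
"""Flag credential-stuffing patterns in constructed authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Deliveroo data).
# Format per line: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-11-03T10:00:01 203.0.113.7 alice@example.com FAIL
2019-11-03T10:00:02 203.0.113.7 bob@example.com FAIL
2019-11-03T10:00:02 203.0.113.7 carol@example.com SUCCESS
2019-11-03T10:00:03 203.0.113.7 dave@example.com FAIL
2019-11-03T10:00:03 203.0.113.7 erin@example.com FAIL
2019-11-03T10:00:04 203.0.113.7 frank@example.com SUCCESS
2019-11-03T10:00:04 203.0.113.7 grace@example.com FAIL
2019-11-03T10:05:00 198.51.100.2 alice@example.com FAIL
2019-11-03T10:05:09 198.51.100.2 alice@example.com FAIL
2019-11-03T10:05:20 198.51.100.2 alice@example.com SUCCESS
"""


def parse(log_text):
    """Return a list of (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that hit >= min_accounts distinct usernames within
    `window` with a failure ratio >= min_fail_ratio (assumed thresholds).
    Returns {ip: sorted accounts that logged in successfully from that
    source}, i.e. the accounts a defender should force to reset."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Slide a window forward from each event of this source.
        for i, (start, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                flagged[ip] = sorted({e[2] for e in win if e[3] == "SUCCESS"})
                break
    return flagged
```

A single user failing a few times and then succeeding (the second source above) is normal behaviour and is not flagged; only the many-accounts, mostly-failing pattern is.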