Mystery Deliveroo food orders traced to sale of details on dark web

24 Jul 2019

Deliveroo box beside a delivery bike. Image: ifeelstock/Depositphotos

A number of Deliveroo customers have found themselves at the end of breaches that could see their accounts sold on the dark web for a few dollars.

If you’ve come across mysterious Deliveroo orders on your account ranging in the hundreds of euros, then you’re not alone. Over the past few months, users have reported huge bills for food they never ordered and places that they would never order from.

Now, Forbes has reported that the details for these breached accounts are being bought by hungry hackers for as little as $6 on the dark web. Details are being harvested in a number of different ways, but one of the most popular is a well-known phishing scam.

An unsuspecting Deliveroo user would sign in to a website with a login screen almost identical to the real page, but is actually a phishing page that harvests their details. This information is reportedly selling on the dark web for up to $60.

Additionally, those with access to details of massive data breaches try and see if the usernames and passwords found work for other popular services, such as Deliveroo.

Security analyst Emily Wilson of Terbium Labs identified both the sale of individual accounts on the dark web, but also a phishing page for sale. This page would falsely offer Deliveroo users a gift card in exchange for completing a survey and putting in their credit card and account details.

Another security outfit looking into the scams found the existence of a Deliveroo account search program. This lets a person input usernames and passwords scraped from breaches and then tells them which accounts will work for the platform.

Deliveroo response

When responding to cases of misuse, Deliveroo users have reported the company deleting their accounts entirely, requiring them to set up a new one. However, the company typically covers losses as a result of breaches.

The food delivery company has responded to the surge in breaches by saying it is working hard on the issue and is developing stronger fraud-prevention software that can flag potential dubious transactions.

“Sadly, cybercriminals rely on the fact that people reuse the same passwords on multiple online services, and use data breaches on other sites to try gain access to Deliveroo accounts. There has been no breach of Deliveroo’s internal systems,” a spokesperson said.

Deliveroo box beside a delivery bike. Image: ifeelstock/Depositphotos

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com