Deliveroo users are being charged for orders made on their account by third-parties using passwords taken from other breaches.
Deliveroo, one of the newest delivery takeaway food services where food is delivered to your door from your favourite restaurants. You order through their website and the food is couriered to you - providing food from restaurants that do not normally offer a delivery service.
The company suffered as a victim of cybercrime after a recent attack to their website. Users’ private accounts were targeted and had massive bills run up that they didn’t order, with food and drink being delivered to random addresses across the UK. Some users have said to have bills as high as £200 on their account that they did not order.
Deliveroo believe that their own system has not, in fact, been hacked, but that the targeted attacks were carried out using passwords stolen in previous data breaches on other companies. Deliveroo have reimbursed the effected users.
We talk to Mark James, ESET IT Security Specialist, about password safety online.
“This is an example of one of those instances where password reuse on a site that is possibly considered of secondary importance.
“We are often cautious about sites that are considered financial or high risk, but often don't apply the same level of concern over the lower ones.
“This of course can lead to exactly the issue we see here, data taken elsewhere reused to see ‘if it works’.
“Reusing passwords is bad regardless of the sites perceived importance.
“A good unique password is even easier with a password manager, of which many choices are available now both paid and free, a lot of them will enable you to score your existing passwords to check their strength and uniqueness.”
Do you use a password manager? Let us know on Twitter @ESETUK
Join the ESET UK LinkedIn Group and stay up to date with the blog. If you’re interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.