
Cyber Incident Victim: Deliveroo

Date: Jun 2019

Location: United Kingdom

Summary

Customers of a food delivery service and a competitor experienced fraudulent account takeovers resulting in unauthorized food orders, with attackers altering account emails and exploiting stored credits obtained through refund claims. The company attributed the incidents to credential reuse from external breaches, denying any compromise of their own systems. Multiple users reported delays in account deactivation after fraud reports, enabling attackers to place orders using existing balances and fraudulently obtained credits. One affected individual avoided financial loss by having no payment card linked. Both firms emphasized implementing enhanced security measures, including additional verification for account changes, while acknowledging occasional shortcomings in response times. The competitor separately confirmed isolated fraud cases tied to third-party credential misuse.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

In June 2019, Deliveroo and Just Eat customers reported unauthorized access to their accounts, resulting in fraudulent food orders. Customers discovered the compromise when they received automated emails notifying them of changes to their account email addresses. Attackers exploited stored account credits or fraudulently obtained refund credits to place orders, often specifying unconventional delivery instructions such as "ring when close for detailed delivery instructions." One Deliveroo customer, Andrew Shaw, reported fraudulent activity but experienced a five-day delay before account deactivation, during which three unauthorized orders totaling £38 were placed using existing credits and refund-obtained funds. Another customer, Ian Cutress, avoided financial loss because his card details were unlinked, limiting the fraudster to using £11 of existing credit for an order near his location. Both companies confirmed investigating the incidents but denied any breach of their internal systems, attributing the compromises to credential reuse from unrelated third-party breaches.


Deliveroo stated it had implemented enhanced security measures earlier in 2019, including additional verification steps for account changes, and acknowledged occasional failures to meet response expectations. Just Eat described the fraud reports as "isolated" and emphasized ongoing reviews of its security protocols, which it deemed robust. Customers impacted by the fraud faced inconvenience, with some canceling bank cards after unauthorized Just Eat transactions. Historical context revealed prior similar incidents, including a 2016 Deliveroo breach involving hundreds of pounds in fraudulent charges. Neither company disclosed the total number of affected users, but social media and direct complaints indicated multiple cases. Both firms liaised directly with reporting customers to address account security and transaction disputes, though resolution timelines varied. The incidents underscored persistent risks associated with password reuse across platforms despite repeated warnings from cybersecurity authorities.

Sources: 1 source (available to members)