Cyber Incident Victim: TaskRabbit

Date: Dec 2020

Location: United States of America

Summary

TaskRabbit reset customer passwords following detection of suspicious network activity attributed to a credential stuffing attack, where attackers used previously exposed credentials to access accounts. The company proactively reset passwords for inactive users and those active during the attack period, though most activity was deemed legitimate. This incident follows a prior cybersecurity breach where unauthorized system access occurred, prompting enhanced security measures including reduced data retention and improved threat detection. The company emphasized user safety as a priority but provided limited details in customer notifications, only citing security precautions for password changes. TaskRabbit, acquired by IKEA, had previously experienced a significant cyberattack leading to system downtime and forensic investigations.

Description

TaskRabbit detected suspicious activity on its network in December 2020, prompting a precautionary password reset for an unspecified number of customer accounts. The company confirmed the incident involved credential stuffing, where attackers used previously breached username and password combinations to attempt unauthorized access. As a containment measure, TaskRabbit reset passwords for all users who had not logged in since May 1, 2020, and all accounts that showed activity during the attack period—though most of the latter were later attributed to legitimate usage. Affected customers received automated emails stating their passwords had been changed "as a security precaution" without explicit details about the credential stuffing campaign. A company spokesperson emphasized acting out of caution to prevent account compromises, stating no evidence suggested successful breaches beyond the login attempts. This marked TaskRabbit’s second significant cybersecurity incident since its 2017 acquisition by IKEA, following a 2018 breach that forced temporary shutdowns of its website and app.

The 2018 incident involved confirmed unauthorized system access, after which TaskRabbit engaged external forensic investigators to assess data exposure. Then-CEO Stacy Brown-Philpot publicly urged users and contractors to monitor their accounts for anomalies while the company implemented enhanced security protocols. Post-incident reforms included reducing retained customer and tasker data volumes, strengthening login authentication processes, and upgrading network threat detection capabilities. TaskRabbit’s leadership transitioned in 2020 when Brown-Philpot departed, with Ania Smith—formerly of Airbnb and Uber Eats—assuming the CEO role months before the credential stuffing attack. The 2020 password reset aligned with industry practices following security events, comparable to StockX’s 2019 response to network intrusions that later revealed mass data theft. TaskRabbit maintained that its 2020 communications emphasized user protection, without disclosing attack metrics or confirming whether any accounts were fully compromised during the credential stuffing campaign.
