Cyber Incident Victim: Deliveroo
Date: Nov 2016
Location: United Kingdom
Summary
Deliveroo customers experienced unauthorized charges for food deliveries they did not order, with fraudulent purchases including multiple orders sent to various addresses. The company attributed the account compromises to criminals exploiting passwords stolen from unrelated third-party breaches, clarifying that no financial data was directly stolen from its systems. Affected users received refunds for the fraudulent transactions. A security expert highlighted that the platform's streamlined ordering process, while convenient, reduced authentication safeguards, inadvertently facilitating such fraud. The firm reiterated its commitment to customer security but acknowledged the incidents involved stolen food orders rather than compromised payment details.
Description
In November 2016, Deliveroo customers reported unauthorized charges on their accounts for food deliveries they did not order, as documented by the BBC's Watchdog programme. The incident involved attackers compromising user accounts to place fraudulent orders, with multiple victims identified across the UK. Judith MacFadyen from Reading discovered four unauthorized orders for a burger joint in Chiswick after receiving a confirmation email, while Margaret Warner from Manchester was charged £113.70 for chicken, waffles, and chips delivered to an unknown address. Steve Tappin incurred a £98 charge for a TGI Friday’s order delivered 86 miles from his home. All fraudulent transactions occurred on or before November 23, 2016, with Deliveroo confirming refunds for the affected users. The company stated no financial data was stolen, attributing the breaches to credential stuffing—attackers using passwords leaked from unrelated third-party services to access Deliveroo accounts. The incident highlighted the reuse of compromised credentials across multiple platforms, though Deliveroo emphasized such fraud was rare on its system.

Deliveroo responded by asserting that the issue stemmed from external password breaches rather than vulnerabilities in its own infrastructure. The company advised customers to adopt strong, unique passwords for each online service to prevent similar incidents. Technology expert David McClelland criticized Deliveroo’s security practices, noting that the platform’s emphasis on transaction convenience—such as minimizing authentication steps—reduced barriers for fraudsters. While Deliveroo maintained that customer security was a priority, McClelland argued that the security measures it had removed inadvertently facilitated unauthorized purchases. The Watchdog investigation revealed no evidence of stolen payment details, as attackers exploited account access rather than financial system breaches. Deliveroo’s refunds addressed immediate financial impacts, but the incident underscored operational risks associated with credential reuse and streamlined checkout processes.
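A defender-side illustration of the pattern described above, added here as an example and not part of the original record or of Deliveroo's systems: it scans constructed login and order events (hypothetical field names and values, not real logs) for one source address trying many distinct accounts in a short window, the signature of credential stuffing, and then flags orders placed by those accounts that ship to a postcode the account has never used, the "delivered to an unknown address" pattern the victims reported.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not real platform logs).
LOGINS = [
    # (timestamp, source_ip, account, success)
    ("2016-11-23T10:00:00", "203.0.113.7", "alice", False),
    ("2016-11-23T10:00:02", "203.0.113.7", "bob", True),
    ("2016-11-23T10:00:04", "203.0.113.7", "carol", False),
    ("2016-11-23T10:00:05", "203.0.113.7", "dave", True),
    ("2016-11-23T10:00:07", "203.0.113.7", "erin", False),
    ("2016-11-23T11:30:00", "198.51.100.9", "frank", True),
]
ORDERS = [
    # (timestamp, account, delivery_postcode)
    ("2016-11-23T10:05:00", "bob", "W4"),    # bob's account normally ships to RG1
    ("2016-11-23T11:35:00", "frank", "M1"),  # frank's usual postcode
]
HOME = {"bob": "RG1", "dave": "RG2", "frank": "M1"}  # constructed usual addresses


def parse(ts):
    return datetime.fromisoformat(ts)


def stuffing_sources(logins, window=timedelta(minutes=10), min_accounts=4):
    """Return source IPs that attempt >= min_accounts distinct accounts within window.
    Stuffing mixes failures (stale leaked passwords) with occasional successes
    (reused passwords), so distinct accounts are counted, not only failures."""
    by_ip = defaultdict(list)
    for ts, ip, account, _ in logins:
        by_ip[ip].append((parse(ts), account))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def suspicious_orders(logins, orders, home):
    """Orders from accounts that logged in successfully from a flagged source
    and ship to a postcode the account has not used before."""
    bad_ips = stuffing_sources(logins)
    exposed = {acct for _, ip, acct, ok in logins if ok and ip in bad_ips}
    return [(acct, pc) for _, acct, pc in orders
            if acct in exposed and home.get(acct) != pc]
```

The two thresholds (window and account count) are tuning knobs; in practice they would be calibrated against the platform's normal login rates so that shared corporate or carrier addresses are not flagged.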
