Deliveroo Hasn't Been Hacked - But Has Still Cooked Up An Important Lesson On Password Security

By James O Malley

Do you use the same password for a number of different apps and websites? Now might be the time to change that.

The BBC's Watchdog programme has revealed that some Deliveroo customers have been billed for food they didn't order, because thieves had been able to log in and place orders using passwords obtained in hacks on other, unrelated websites. The thieves were able to get in simply because the user had the same credentials for Deliveroo.

The Beeb gives the example of Judith MacFayden, who lives in Reading but discovered that nefarious types had ordered burgers from a place in Chiswick, and over the course of one afternoon had made four orders to a couple of addresses in London. Another customer found herself £113 out of pocket because of a rogue chicken, waffle and chips, and one chap was charged £98 for a TGI Friday that was 86 miles away from where he lived. All have since been given refunds.

In a statement to Watchdog, Deliveroo apparently said, "Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem, we take it very seriously". Perhaps it is time for the company to enable two-factor authentication? [BBC]