Deliveroo customer accounts hacked and billed for takeaway food

Customers of the takeaway app Deliveroo were billed for food they did not order after their passwords were stolen and their accounts were hacked.

One user received a bill for £200 ($247) on burgers delivered to several other addresses, according to the BBC's Watchdog programme, which investigated the hack.

Another user was charged £98 for food delivered to an address 86 miles away from his home.

The takeaway app, which was launched in 2013, said the incidents only involved stolen food; no financial information was stolen and customers were reimbursed.

"Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem we take it very seriously," the company said in a statement sent to CNBC.

"These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use."

Deliveroo added that it is constantly improving its security measures. Recently, it has begun frequently asking customers to verify themselves when they enter a new delivery address.

However, the incident illustrates the "domino effect" in data breaches, where credentials stolen from one source are used to break into accounts on another service, explained Kevin Cunningham, founder and president of identity company SailPoint.

"Identity has become the new attack vector. And hackers are all over that fact – finding those orphaned accounts to grab and log into behind the scenes without an IT admin even knowing about it. Or, taking stolen credentials from one breach and using them to access another website. All because a user chose to reuse a password across multiple sites – a very common occurrence," he told CNBC via email.

Cunningham suggested consumers need to use a unique password for every application and to make sure the password is long and complex, made up of at least 12 characters.
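The attack described above is a pattern a service can spot on its own login logs: one source trying a stolen password list against many different accounts, with most attempts failing and the occasional success. Below is an added example (not code from Deliveroo, CNBC or SailPoint) that flags such sources and lists the accounts whose sessions should be re-verified, in the spirit of the new-address check the company says it has introduced. The log format, thresholds, IP addresses and account names are all constructed for the example.

```python
"""Credential-stuffing triage over constructed login events.

Added example, not Deliveroo's or SailPoint's code. Assumes a hypothetical
log format: "<ISO timestamp> <source_ip> <account> <OK|FAIL>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one IP (203.0.113.7) cycling through many accounts
# with mostly failures, beside ordinary single-account traffic.
SAMPLE_LOG = """\
2016-11-23T18:00:01 203.0.113.7 alice FAIL
2016-11-23T18:00:02 203.0.113.7 bob FAIL
2016-11-23T18:00:03 203.0.113.7 carol OK
2016-11-23T18:00:04 203.0.113.7 dave FAIL
2016-11-23T18:00:05 203.0.113.7 erin FAIL
2016-11-23T18:00:06 203.0.113.7 frank FAIL
2016-11-23T18:00:07 203.0.113.7 grace OK
2016-11-23T18:00:08 203.0.113.7 heidi FAIL
2016-11-23T18:01:10 198.51.100.4 alice FAIL
2016-11-23T18:01:25 198.51.100.4 alice OK
2016-11-23T18:02:00 192.0.2.9 bob OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    account: str
    ok: bool


def parse_log(text):
    """Parse the hypothetical log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.5):
    """Return {ip: set_of_accounts_tried} for sources that, within any sliding
    window, attempted at least `min_accounts` distinct accounts with a success
    rate at or below `max_success_rate`. Normal users hit one or two accounts;
    a reused-password list hits many."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = defaultdict(set)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e.account for e in win}
            successes = sum(e.ok for e in win)
            if len(accounts) >= min_accounts and successes / len(win) <= max_success_rate:
                flagged[ip] |= accounts
    return dict(flagged)


def accounts_needing_step_up(events, flagged):
    """Accounts that logged in successfully from a flagged source: their
    sessions should require re-verification (for example before a new
    delivery address is accepted) and the password should be reset."""
    return sorted({e.account for e in events if e.ok and e.ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = flag_stuffing_sources(evs)
    for ip, accts in flagged.items():
        print(f"{ip}: {len(accts)} distinct accounts tried")
    print("re-verify / reset:", accounts_needing_step_up(evs, flagged))
```

The thresholds are illustrative; in practice they are tuned against the service's own traffic, and the per-IP key is weak on its own because stuffing tools rotate addresses, so the same windowed count is usually also kept per network block, per user agent and per device fingerprint.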

"Protecting identity is key: to the safety of our own personal data, to the security of sensitive company data and files, and, to the safety of sensitive data in an organisation that may not even be linked to your own," he added.
