Deliveroo Account Hacked

RebelScorned

Hi guys - just a heads up - my Deliveroo account was hacked tonight. An order for £40 was made in London through my Deliveroo.ie account and payment card. I contacted my bank straight away and cancelled my bank card and then contacted Deliveroo who were little more than useless (we'll block your account now and someone else will get back to you in 48 hours). I've heard that some people have had subsequent orders made on their accounts even after Deliveroo said they were blocked so I've changed my password and removed my saved payment cards from the website anyway just in case.

Whilst I was annoyed that I now have to suffer the inconvenience of not having my debit card, I decided to have a quick look on Twitter and it appears that hundreds of people have also had their own Deliveroo accounts hacked, some to the tune of several hundred pounds. :eek::eek:

There has obviously been a very serious data security breach on the part of Deliveroo and they are, by all accounts and in my own experience, not doing very much about it. :mad:

I haven't seen any other instances yet of fellow Irish folk getting caught out but if it happened to me, I see no reason why it wouldn't happen to anyone else.

PLEASE go on to your Deliveroo accounts now,change your passwords and remove your saved payment card details. Err on the side of caution. I will get the money back from my bank and it was not a huge amount but I will probably be waiting two weeks for AIB to issue a new debit card and I don't have easy access to an AIB branch Monday-Friday with work.

I feel so violated

Cabaal

It's also just as likely that there has been no data breach and people used the same password on another site that had a breach. Or they fell for a phishing scam

RebelScorned

That is possible of course - just from what I have read online, there is a huge instance of Deliveroo accounts in particular that have been hacked, especially in the last week.

I originally thought the email I got from Deliveroo confirming the fraudulent order was a phishing email so I half dismissed it but I checked my online banking straight away and saw that the exact amount was taken from my Visa Debit card. I'm always extremely vigilant when it comes to phishing emails and within 60 seconds of getting that email and confirming that the amount was taken from my account, I had my card blocked by my bank.

No matter how vigilant you are or think you are or how unlikely you think it is that you will be caught out, I would encourage anyone who has a Deliveroo account to remove their saved payment information asap and change their password. Forewarned is forearmed.

dudara

Don't ever save your credit card details on a website. It's one of the simplest ways to prevent this from happening.

RebelScorned

I don't know what happened that my details were saved online - I can't ever remember opting to save details, in fact I would always select not to save or store any card details. I've definitely learned a lesson and will assess all websites that I've used my card on/ all passwords etc., just wanted to give folks on this here forum a heads up to try to prevent this happening to them!

Joseph

dudara wrote: »

Don't ever save your credit card details on a website. It's one of the simplest ways to prevent this from happening.

+1

My rule of thumb is the same. Bar some exceptions like Amazon

Joseph

Surely it should be fairly easy to pursue since obviously there is a record of who the deliveroo order was made to?

Cuddlesworth

Was your password on the service unique and was it a generic password you use.

Might be worth taking a gander at how many times an account of yours has been hacked(that we are aware of)

https://haveibeenpwned.com/

Cuddlesworth

Joseph wrote: »

Surely it should be fairly easy to pursue since obviously there is a record of who the deliveroo order was made to?

Police would not investigate or prosecute a 40 sterling food order.

RebelScorned

Joseph wrote: »

Surely it should be fairly easy to pursue since obviously there is a record of who the deliveroo order was made to?

You would certainly think so - but when I told my bank that I had an address and phone number on the email confirmation, they said their fraud team probably wouldn't care about pursuing it for the sake of £40, and when I sent the details to Deliveroo, they said I could report it if I wanted, and a customer care team will be in contact within 48 hours.

I'm getting the money back from my bank anyway and I presume bank will follow up with Deliveroo so there isn't really an incentive for me to pursue it any further and it looks like the thieves will get away with it.

tobdom

Report it to the Data Protection Commissioner if you feel Deliveroo haven't taken it seriously enough and if there appears to be several reported instances of it.

https://www.dataprotection.ie/docs/Making-a-Complaint-to-the-Data-Protection-Commissioner/r/18.htm

Fair enough, it could be from some other source, but any online service provider has an obligation to ensure their data security is up to scratch and to investigate any reported breaches......

The best case scenario you could probably hope for if you report it is that the DPC will contact Deliveroo and you would hope that that in itself might be enough for them to take a closer look at their security (if there are issues)

my3cents

OP I know it sounds like a police or bank matter but I'd drop the trading standards for the relevant area of London an email with all the information because they definitely used to cover this sort of stuff. I know because a relative in trading standards in the UK used to investigates these criminals.

vandriver

Joseph wrote: »

Surely it should be fairly easy to pursue since obviously there is a record of who the deliveroo order was made to?

Here's what will happen .Police will call to an address,where they will find its in 20 flats.And they won't have a flat number.
(The delivery driver,upon getting to the address,will see a bank of bells ,shrug and phone the fraudsters mobile ).

newdigi

Joseph wrote: »

+1

My rule of thumb is the same. Bar some exceptions like Amazon

happened to me with Amazon earlier this year. I don't store my payment details there any more either.

My password at the time was a complex (randomly generated) one used solely for Amazon. So I've no idea how they obtained it. I never pursued it either.

TrustedApple

In exp Deliveroo are next to useless support wise.

I had a order come nearly 30 mins late after the 45 min time frame i was giving.

The food was open and cold when i opened the bag right away so i got on the phone to them 20 mins on hold. Food basically fit for the bin. Got someone they said they will send out another order for me but will be another hour. So this is a good 2 hours + since i ordered .... I said no as i am hungry now and wont wait another hour can i get my money back they said no.

3 phone calls later i was refunded my 25 euros back to my card each one telling me a different thing. Since then i have not used Deliveroo as there support is so bad when you have a issue.

Fred Swanson

This post has been deleted.

ct5amr2ig1nfhp

Your Amazon account was hacked? Or the credit card you stored on Amazon was used fraudulently ?

newdigi wrote: »

happened to me with Amazon earlier this year. I don't store my payment details there any more either.

My password at the time was a complex (randomly generated) one used solely for Amazon. So I've no idea how they obtained it. I never pursued it either.

newdigi

Dominic Young Statistic wrote: »

Your Amazon account was hacked? Or the credit card you stored on Amazon was used fraudulently ?

looking back at it there now. I got an e-mail from amazon, attached to which was a chat transcript that I supposedly had with amazon saying that I never received an item that I had bought (and received) 3 months previously.

The chat text from this unknown person said that they never received the Samsung S6 that I had ordered 3 months previously. They went on to say sorry for the delay in contacting support but they were abroad as their grandmother was ill. Amazon, asked them for their name....the person gave my name, and the chat ended with amazon saying they would get back to this person.

I then received an e-mail from Amazon saying they were re-sending the item.
That's when I contacted them to cancel it.

I don't actually see the scam here. Apart from the fact that someone appeared to have been logged into my Amazon account....they knew the date the original order was placed, as well as the order number, and my name.
But surely the replacement phone was going to be sent to me as the address wasnt changed within the account. It's a strange one.

I did get a stock reply from Amazon, which included the following:

"we believe it may have been accessed and used by a third-party to attempt to make purchases without your permission. It seems that someone obtained your personal account and/or financial information elsewhere"

Anyway, since that day I removed my stored CC details from the site.

I suppose my point is, if at all possible, never store your CC details with a site.
Amazon customer service are excellent but you just never know elsewhere.

Zillah

I think I would rather run the risk of having my credit card details saved on sites I use regularly and potentially have a card compromised once in a blue moon - in which case I just have it cancelled and lose no money - than have to enter the details again and again, probably thousands of times over the years.

Lux23

Thanks for the heads up, I deleted the two cards on my account.

david75

Just been had by the deliveroo hack. €56 of food ordered to a house in south London.
Been into my bank and have had to cancel my card etc before I read and discovered this was an ongoing thing with them.

Their customer support is atrocious. They'll get back to me in 3 days apparently.
Sickened.

MOH

Seems to be pretty widespread

They're blaming reuse of passwords from other hacks rather than a data breach.

david75

They refunded me today after repeated mails on different platforms.

Hack was also covered on BBC 1s watchdog to knight and true to form they blamed customers using the same passwords on different online accounts.

Doesn't explain away them not asking for CVV nor them allowing their delivery guys drop off at places other than the address, this seems to be the emerging pattern for the hackers. Meeting the delivery guy at a local shop or church or landmark not the address theyve given.

It's thousands of people in the U.K. Been hacked now. Deliveroo have to do something to stop it. Surprised restaurants haven't been leaving them. No small restasuramt wants their name tarnished by association.

Cuddlesworth

david75 wrote: »

Hack was also covered on BBC 1s watchdog to knight and true to form they blamed customers using the same passwords on different online accounts.

Keep a eye on that over the next few years. It's a problem that's going to keep cropping up, people keep using the same username/email/password combo for sites and larger sites with huge databases are getting hacked all the time.

foggy_lad

Anyone else done by this "hack" can demand that their bank reverse the charge immediately as it is unauthorised. You don't have to wait on Deliveroo to sort their stall out and the extra charges on them might spring them to action.

david75

foggy_lad wrote: »

Anyone else done by this "hack" can demand that their bank reverse the charge immediately as it is unauthorised. You don't have to wait on Deliveroo to sort their stall out and the extra charges on them might spring them to action.

Did exactly this and was kinda treated like it was my fault by my bank.
They sent forms out that I had to get the gardai to sign. Every question came back to did you leave your card out? Did someone have access to your card? Did you sign up for a free subscription online?


Deliveroo refunded me within 2 days. All while blaming me for having similar passwords online. I now have no card and no access to my account unless I turn up at a bank with a passport. my bank wont give me a new card until I send this form back. And they made no move to make sure I have access to funds or anything like it until then.

Long story short. Stay away from permanent TSB.

Leaving them soon as this is over.

Joseph

david75 wrote: »

Did exactly this and was kinda treated like it was my fault by my bank.
They sent forms out that I had to get the gardai to sign. Every question came back to did you leave your card out? Did someone have access to your card? Did you sign up for a free subscription online?


Deliveroo refunded me within 2 days. All while blaming me for having similar passwords online. I now have no card and no access to my account unless I turn up at a bank with a passport. my bank wont give me a new card until I send this form back. And they made no move to make sure I have access to funds or anything like it until then.

Long story short. Stay away from permanent TSB.

Leaving them soon as this is over.

I have had consistently poor experiences with permanent TSB, not that any bank is going to be your friend but I'd recommend AIB.

ct5amr2ig1nfhp

Did you have the same password and email address for other sites though?

david75 wrote: »

Did exactly this and was kinda treated like it was my fault by my bank.
They sent forms out that I had to get the gardai to sign. Every question came back to did you leave your card out? Did someone have access to your card? Did you sign up for a free subscription online?


Deliveroo refunded me within 2 days. All while blaming me for having similar passwords online. I now have no card and no access to my account unless I turn up at a bank with a passport. my bank wont give me a new card until I send this form back. And they made no move to make sure I have access to funds or anything like it until then.

Long story short. Stay away from permanent TSB.

Leaving them soon as this is over.

david75

Dominic Young Statistic wrote: »

Did you have the same password and email address for other sites though?

A gmail account I had like two years ago that has never had my CC details in it. I'd just changed bank earlier this year in fact. Just don't know how they've gotten access.

It isnt about that though. It's about deliveroo not asking for cvv

rubadub

Joseph wrote: »

+1

My rule of thumb is the same. Bar some exceptions like Amazon

I used to trust amazon, but not any more. I accidentally signed up to prime and was billed for 2 months, I got refunded with little hassle TBH, but left a very bad perception of them. I think it was deliberate & planned deception.

I got absolutely no email indication/notification that any money was been taken form my account, no "thank you for your payment email" absolutely zero, and no explicit authorization was needed by me on the first nor second occasions. While if you go to actually buy something from them you get all sorts of confirmation from them, the lack of this convinced me this was a deliberate confidence trick.

If you look online you will see a huge amount of Uk customers also inadvertently signed up, few threads on boards too.

david75 wrote: »

Surprised restaurants haven't been leaving them. No small restasuramt wants their name tarnished by association.

I'd imagine the CC companies are not impressed with all their wasted admin costs either.

ct5amr2ig1nfhp

I do agree with you. Deliveroo should ask for a CVV number or secure code for each order - all websites should, however lots of other websites do not ask for either. Amazon for example.

While it's a right pain in the ar$e, it's a wake up call for anyone caught out to ensure they keep separate passwords for different websites. *could* have been a lot worse. Just from seeing the news on deliveroo, I've asked a few friends if they use the same email/password for sites and incredibly most of them said yes!

Perhaps Deliveroo should just reset all their customer passwords?

david75 wrote: »

A gmail account I had like two years ago that has never had my CC details in it. I'd just changed bank earlier this year in fact. Just don't know how they've gotten access.

It isnt about that though. It's about deliveroo not asking for cvv