Your food-delivery app is under attack by hackers so here's what to do

A deliveryman hands a bag to a woman waiting at her front door.
(Image credit: buryakphoto/Shutterstock)

Watch out: Your food-delivery app may be delivering your pizza, tacos and credit cards to cybercriminals.

So warns the FBI in a private alert sent out to the food industry last week and seen by The Record. In it, the Bureau says that criminals are using credential stuffing attacks to break into grocery and restaurant delivery apps, such as Seamless, DoorDash or Instacart, to place fraudulent orders and steal credit cards.

"In July 2020, the personal information of customers of a grocery delivery company was being sold on the dark web," says the FBI about one case history detailed in the report. 

"The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the activity was the result of credential stuffing."

You'll want to check your food-delivery accounts for any strange orders that you didn't place, and your credit-card accounts for unusual activity. Report anything that you can't account for to your credit-card issuer.

Most food-delivery apps have weak protections

One of the most effective defenses against credential stuffing is two-factor authentication (2FA), a basic form of account protection that requires a user logging in from a new device or location to provide an additional one-time code.

Tom's Guide signed up for seven well-known food- and grocery-delivery services and found that only two — UberEats and Postmates, both owned by Uber — offered 2FA as an option.

DoorDash, Grubhub, Instacart, Seamless and Stop & Shop GO Pass did not give us any 2FA option. If there's none available, then all it would take to hijack an account on those services is a stolen username and password, and that's exactly what credential stuffing is designed to do.

Credential stuffing is simple. There are hundreds of millions of stolen username-password pairs, or credentials, floating around online, obtained from data breaches or successful phishing attacks. Because many people reuse their passwords, a lot of those stolen credentials will unlock more than one online account.

So cybercriminals have created computer programs that fire stolen credentials at website login pages like bullets from a machine gun. A fair number of those credentials will successfully log in and give the criminals access to online accounts.

If those accounts contain credit-card information, or permit one-click ordering or free delivery, then it's party time for the crooks. They can change the delivery address on the account to have burritos, beer or groceries sent to their buddies. If the credit-card information isn't properly protected, the card numbers can be stolen too.
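The pattern described above, a single source firing many different stolen credentials at a login page with a low hit rate, is also what makes credential stuffing detectable on the service side. The following is an added illustration, not code from the article or from any of the delivery services named in it: it runs a simple detector over a constructed login log (fake timestamps, documentation-range IPs and invented usernames) and lists the accounts a flagged source managed to log into, which are the ones a provider would force a password reset on.

```python
from collections import defaultdict

# Constructed sample login log (not from the article). Columns:
# timestamp  source-ip  username  outcome
SAMPLE_LOG = """\
2020-07-01T12:00:01 203.0.113.5 alice FAIL
2020-07-01T12:00:01 203.0.113.5 bob FAIL
2020-07-01T12:00:02 203.0.113.5 carol SUCCESS
2020-07-01T12:00:02 203.0.113.5 dave FAIL
2020-07-01T12:00:03 203.0.113.5 erin FAIL
2020-07-01T12:00:03 203.0.113.5 frank SUCCESS
2020-07-01T12:00:04 203.0.113.5 grace FAIL
2020-07-01T12:00:04 203.0.113.5 heidi FAIL
2020-07-01T12:05:10 198.51.100.7 alice FAIL
2020-07-01T12:05:25 198.51.100.7 alice FAIL
2020-07-01T12:05:40 198.51.100.7 alice SUCCESS
2020-07-01T12:09:00 192.0.2.20 bob SUCCESS
"""

def parse_login_log(text):
    """Parse whitespace-separated login events into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "SUCCESS"})
    return events

def find_stuffing_sources(events, min_attempts=5, min_users=5, max_success_rate=0.5):
    """Flag source IPs whose logins look automated: many attempts spread over
    many distinct usernames with a low success rate. A real person mistyping
    their own password hits one account a few times, so they are not flagged."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["successes"] += e["ok"]
        s["users"].add(e["user"])
    flagged = {}
    for ip, s in stats.items():
        rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_users
                and rate <= max_success_rate):
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "success_rate": round(rate, 2)}
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into successfully: their reused
    password is now known to be in the attacker's list, so reset it."""
    return sorted({e["user"] for e in events if e["ip"] in flagged and e["ok"]})
```

The thresholds are constructed for this sample; a production detector would also key on user agent, ASN and time windows, and would rate-limit rather than only report.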

How to protect yourself against these attacks

You can protect yourself against credential stuffing by never reusing a password, especially on accounts that permit financial transactions of any kind. Instead, use one of the best password managers — some of them are free — to create and remember the passwords for you, or just write your passwords down in a notebook that you keep locked in a desk drawer.

You also should enable 2FA on any online account that supports it. Even a password used for only one account can get stolen in a data breach, and 2FA will make it much harder for crooks to hijack accounts even if they have the passwords.

If your food-delivery app doesn't support 2FA, switch to one that does, like UberEats or Postmates. Use the online 2FA Directory to publicly call out those companies that don't offer 2FA. 

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
