Your food-delivery app is under attack by hackers so here's what to do

A deliveryman hands a bag to a woman waiting at her front door.
(Image credit: buryakphoto/Shutterstock)

Watch out: Your food-delivery app may be delivering your pizza, tacos and credit cards to cybercriminals.

So warns the FBI in a private alert sent out to the food industry last week and seen by The Record. In it, the Bureau says that criminals are using credential stuffing attacks to break into grocery and restaurant delivery apps, such as Seamless, DoorDash or Instacart, to place fraudulent orders and steal credit cards.

"In July 2020, the personal information of customers of a grocery delivery company was being sold on the dark web," says the FBI about one case history detailed in the report. 

"The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the activity was the result of credential stuffing."

You'll want to check your food-delivery accounts for any strange orders that you didn't place, and your credit-card accounts for unusual activity. Report anything that you can't account for to your credit-card issuer.

Most food-delivery apps have weak protections

One of the most effective defenses against credential stuffing is two-factor authentication (2FA), a basic form of account protection that requires a user logging in from a new device or location to provide an additional one-time code.

Tom's Guide signed up for seven well-known food- and grocery-delivery services and found that only two — UberEats and Postmates, both owned by Uber — offered 2FA as an option.

DoorDash, Grubhub, Instacart, Seamless and Stop & Shop GO Pass did not give us any 2FA option. If there's none available, then all it would take to hijack an account on those services is a stolen username and password, and that's exactly what credential stuffing is designed to do.

Credential stuffing is simple. There are hundreds of millions of stolen username-password pairs, or credentials, floating around online, obtained from data breaches or successful phishing attacks. Because many people reuse their passwords, a lot of those stolen credentials will unlock more than one online account.

So cybercriminals have created computer programs that fire stolen credentials at website login pages like bullets from a machine gun. A fair number of those credentials will successfully log in and give the criminals access to online accounts.

If those accounts contain credit-card information, or permit one-click ordering or free delivery, then it's party time for the crooks. They can change the delivery address on the account to have burritos, beer or groceries sent to their buddies. If the credit-card information isn't properly protected, the card numbers can be stolen too.
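From the service operator's side, the pattern just described has a recognizable shape in authentication logs: one source address tries many different usernames in a short burst, each once or twice, whereas a real customer who mistypes a password fails repeatedly on a single username. The following is an added example (not from the article, the FBI alert, or any of the companies named) of detection logic run over constructed sample log lines; the log format, IP addresses and account names are all made up for the illustration.

```python
"""Flag credential-stuffing bursts in authentication logs and list accounts they opened.

Signature used: a single source IP attempting at least `min_distinct_users`
distinct usernames within a sliding `window`. Successful logins from a flagged
source are the accounts that need a forced password reset and order review.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: <ISO timestamp> <source ip> <username> <OK|FAIL>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>OK|FAIL)$")

# Constructed sample: 203.0.113.7 sprays leaked pairs and gets one hit;
# 198.51.100.4 is one customer mistyping a password twice, then succeeding.
SAMPLE_LOG = """\
2020-07-01T12:00:01Z 203.0.113.7 alice@example.com FAIL
2020-07-01T12:00:01Z 203.0.113.7 bob@example.com FAIL
2020-07-01T12:00:02Z 203.0.113.7 carol@example.com FAIL
2020-07-01T12:00:02Z 203.0.113.7 dave@example.com OK
2020-07-01T12:00:03Z 203.0.113.7 erin@example.com FAIL
2020-07-01T12:00:03Z 203.0.113.7 frank@example.com FAIL
2020-07-01T12:00:04Z 203.0.113.7 grace@example.com FAIL
2020-07-01T12:00:10Z 198.51.100.4 heidi@example.com FAIL
2020-07-01T12:00:25Z 198.51.100.4 heidi@example.com FAIL
2020-07-01T12:00:40Z 198.51.100.4 heidi@example.com OK
"""


def parse_line(line: str):
    """Return (timestamp, ip, user, result) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def detect_stuffing(log_text: str, window: timedelta = timedelta(seconds=60),
                    min_distinct_users: int = 5) -> dict:
    """Map each suspicious source IP to the distinct-username count in its worst
    window and the accounts it successfully logged into."""
    events = sorted(e for e in (parse_line(l) for l in log_text.splitlines()) if e)
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, attempts in by_ip.items():
        # Slide a time window over this source's attempts, tracking the most
        # distinct usernames seen inside any single window.
        start, most_users = 0, set()
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u, _ in attempts[start:end + 1]}
            if len(users_in_window) > len(most_users):
                most_users = users_in_window
        if len(most_users) >= min_distinct_users:
            hijacked = sorted({u for _, u, r in attempts if r == "OK"})
            findings[ip] = {"distinct_users": len(most_users), "compromised": hijacked}
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} usernames in one window; "
              f"accounts opened: {', '.join(info['compromised']) or 'none'}")
```

Counting distinct usernames per source, rather than raw failures, is what separates the two cases in the sample: the stuffing source is flagged with seven usernames in four seconds, while the customer's three attempts on one account are not. Once a source is flagged, the accounts it logged into are the ones to lock, reset and review for fraudulent orders, which is the same check the article asks customers to do by hand.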

How to protect yourself against these attacks

You can protect yourself against credential stuffing by never reusing a password, especially on accounts that permit financial transactions of any kind. Instead, use one of the best password managers — some of them are free — to create and remember the passwords for you, or just write your passwords down in a notebook that you keep locked in a desk drawer.

You also should enable 2FA on any online account that supports it. Even passwords used for only one account can get stolen in data breaches, and 2FA will make it much harder for crooks to hijack accounts even if they have the passwords.

If your food-delivery app doesn't support 2FA, switch to one that does, like UberEats or Postmates. Use the online 2FA Directory to publicly call out those companies that don't offer 2FA. 

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.