- One-fifth of food delivery accounts have been targets of hacking attempts, Sift found.
- The companies behind the apps use two-factor authentication less often than in other industries.
- Instacart, Walmart Spark, and other delivery services have had trouble with hackers.
Your DoorDash or other food delivery apps are a prime target for hackers.
About 20% of accounts for ordering and delivering restaurant food have been subject to an attempted account takeover by a hacker, according to Sift, a company that detects online fraud. That's much higher than the 2.5% average across all the industries Sift tracks, from cryptocurrency to transportation.
One reason: food delivery apps use two-factor authentication — like those codes texted to you before you can log in — less often than other kinds, Sift found. Just 3.5% of log-ins on food delivery apps asked for that kind of verification, making it easier for hackers to get in. Across all the apps that Sift tracks, that number was 10%.
"I know I have a few apps on my phone for food delivery, and none of them forced me to do any kind of step-up authentication," Brittany Allen, trust & safety architect at Sift, told Business Insider.
"For your bank, you're happy to have to show your fingerprint, get a text, enter a code, and go through a couple of steps," she said. Food delivery companies don't always ask the same when their customers log in, Allen added, though the accounts often contain valuable things for hackers, such as account balances and loyalty points.
Hackers also target food delivery accounts since many customers only use them periodically — meaning they're less likely to notice if someone takes control. "If you're not a power user, that's something that is even more attractive" to hackers, Allen said.
Once they have control, hackers can use the accounts to place orders or mine them for loyalty points. They can also sell them. Allen showed BI several channels on messaging app Telegram that purported to sell accounts for DoorDash, Instacart, and other delivery services.
Accounts are also advertised for sale on social media platforms like Meta's Facebook and Instagram, though some of the posts are running a different kind of scam: Taking buyers' money, then not sending anything in return, BI reported previously.
Increasingly, fraudsters don't need deep knowledge of technology or fancy equipment to steal accounts, Allen said. Many use a regular computer or smartphone. "You don't need a specialized tool or any kind of high-powered configuration," she said.
Hackers are nothing new for many of the delivery apps. Some hackers have been able to gain entry to some Instacart customers' accounts, for example, and then use them to obtain gift card codes without paying for them.
Gig workers' accounts are also a target. Some drivers for Walmart's Spark delivery service have had their accounts hacked. The accounts have then been used by others to shop and deliver orders through the service, drivers have told BI.
The apps have taken some steps to improve security. Last fall, for instance, Walmart started requiring Spark drivers to periodically verify their identity with a selfie — though the feature has malfunctioned for some legitimate drivers, kicking them off of the app.
Do you work for DoorDash, Instacart, Uber Eats, or another gig delivery service and have a story idea to share? Reach out to this reporter at [email protected]