HACKERS are selling log-in details to Brits’ Tesco, McDonald’s and Deliveroo accounts that allow other petty crooks to steal Clubcard points or order “free” food.
After stealing vast databases of customers’ personal data from big firms, they sell it on the dark web for as little as 42p per account in the case of Tesco.
Which? says this highlights the dangerous knock-on effects of being involved in a data breach - or companies not prioritising security highly enough.
The watchdog worked with security experts Red Maple Technologies to investigate what personal data is advertised for sale on both the open internet and the dark web – a secret part of the web used by crooks who trade stolen or illegal goods using Bitcoin.
One seller claimed to have data that included “Tesco accounts with usernames, passwords and loyalty card balances”.
The seller was offering the accounts in 2,000 blocks that worked out at 42p each. They claimed to have hundreds of thousands of Clubcard accounts for sale in total.
Researchers also found accounts for food delivery service Deliveroo - which has seen a surge in users during the Covid crisis - being advertised on dark web markets for £4.30.
Buyers can use the stolen accounts, which will have payment cards set up, to order curries, pizzas and burgers.
Deliveroo still does not offer two-factor authentication - an important additional security measure - on accounts to help customers protect themselves.
Which? also found “My McDonald’s” accounts for sale on the dark web, along with instructions on how to use them with the mobile app. The instructions advise someone to go to a McDonald’s restaurant, make their order through the compromised account, and then pick it up.
The stolen account can cost just a few pounds, but could result in an order of well over £30.
The details are not always stolen directly from big companies who tend to have good cybersecurity. Instead they can be hacked from less secure websites - smaller retailers or other web services - where customers re-use log-in details.
Tesco confirmed in March last year that a database of usernames and passwords stolen from other websites had been used to try to access Clubcard accounts and customer vouchers.
Tesco declined to comment after Which? approached the supermarket.
Deliveroo said: “Deliveroo takes online security extremely seriously and is constantly working to help protect customers against unauthorised logins by cyber criminals.
“We have strict and robust anti-fraud measures in place to combat fraudsters and to track patterns of criminal activity and to block fraudsters. We also partner with anti-fraud companies to address misuse of card information and we regularly remind customers to use new, strong, unique passwords to protect their Deliveroo accounts.
“As a business, we are committed to tackling illegal activity and developing new and market leading innovations to protect our consumers against criminal hackers.”
A McDonald’s spokesperson said: “Unfortunately unwanted transactions do occur due to customers’ details being compromised by other websites, which is why we regularly add additional layers of fraud protection and security to our app.
“These include device identification and additional fraud detection software, and we recommend customers use a unique password for their account. We also have a number of measures in place to mitigate any breaches, such as Bot Protection and we remain confident that we have never had a breach of our systems.”