
Hackers love to target your food delivery accounts

About 20% of restaurant food ordering and delivery accounts have been the subject of an account takeover attempt by a hacker, according to Sift, a company that detects online fraud. This is much higher than the 2.5% average across all sectors tracked by Sift, from cryptocurrency to transportation.

One reason: Food delivery apps use two-factor authentication (such as the codes texted to you before you can sign in) less often than other types of apps, Sift found. Only 3.5% of logins on food delivery apps requested this type of verification, making it easier for hackers to gain access. Across all apps tracked by Sift, that figure was 10%.

“I know I have a few apps on my phone for food delivery, and none of them required me to do any strong authentication,” said Brittany Allen, trust and security architect at Sift, to Business Insider.

“For your bank, you’re happy to have to show your fingerprint, get a text, enter a code and follow a few steps,” she said. Food delivery companies don’t always ask the same thing when their customers log in, Allen added, even though accounts often contain things valuable to hackers, such as account balances and loyalty points.

Hackers also target food delivery accounts because many customers only use them periodically, meaning they are less likely to notice if someone takes control of them. “If you’re not a power user, this is something even more attractive” to hackers, Allen said.

Once they have control, hackers can use the accounts to place orders or exploit them for loyalty points. They can also sell them. Allen showed BI several channels on the messaging app Telegram that claimed to sell accounts for DoorDash, Instacart and other delivery services.

The accounts are also advertised for sale on social media platforms like Meta’s Facebook and Instagram, although some posts use a different type of scam: taking buyers’ money and then sending nothing in return, BI reported previously.

Increasingly, fraudsters don’t need deep technology knowledge or sophisticated equipment to steal accounts, Allen said. Many use a regular computer or smartphone. “You don’t need a specialized tool or any kind of high-powered setup,” she said.

Account hacking is nothing new for most delivery apps. For example, some hackers were able to access the accounts of certain Instacart customers and then use them to obtain gift card codes without paying for them.

Gig worker accounts are also a target. Some drivers for Walmart’s Spark delivery service have had their accounts hacked. The accounts were then used by others to purchase and deliver orders through the service, the drivers told BI.

The apps have taken some steps to improve security. Last fall, for example, Walmart began requiring Spark drivers to periodically verify their identity with a selfie — although the feature worked poorly for some legitimate drivers, locking them out of the app.

Do you work for DoorDash, Instacart, Uber Eats, or another gig delivery service and have a story idea to share? Contact this reporter at abitter@businessinsider.com

businessinsider

remon Buul
