SociDeck is a feature-packed social media management software that converts social conversations into conversions by allowing users to manage their 3 biggest social media accounts- Facebook, Twitter and Instagram at one place.
Several Deliveroo customers told the BBC they realised their accounts had been accessed when they received an email from the company saying the email address linked to their account had been changed.
Fraudsters then ordered food through their account using credit obtained by claiming refunds for previous orders.
Deliveroo said cyber criminals relied on people reusing passwords for multiple online services and used data breaches on other sites to try to access Deliveroo accounts.
Andrew Shaw, 33, from London, said he had to wait five days after he reported fraudulent activity on his account before Deliveroo shut it down.
By this point Mr Shaw had already cancelled his card and three orders had been placed, using £11 credit he already had on his account and £27 credit obtained from a refund.
A Deliveroo spokesman said: “There are rare occasions we don’t meet the high standards our customers expect and we are working hard to correct and address the issues raised.”
The company said it takes security “extremely seriously” and is continually rolling out measures to combat fraud, including introducing extra security checks when it detects changes to account details.
Another customer, Ian Cutress, 33, from London, said an order was placed on his account to an estate less than three miles away, with instructions to “ring when close for detailed delivery instructions”.
After contacting Deliveroo, the company deactivated the account.
Mr Cutress said he was relieved his card details were not attached to his account, so the fraudster was only able to place an order using refund credit and he was not left out of pocket.
Just Eat also confirmed it had received reports of “isolated” fraudulent activity, which it said appeared to be the result of “malicious third parties using usernames and passwords from an unknown source”, which was not Just Eat.
To avoid being hacked, Action Fraud advises using strong, unique passwords for online accounts and, where available, enable two-factor authentication, which means the account can only be accessed with a device you have already registered.