Deliveroo has been forced to deny that it has been targeted by hackers after an investigation found some customers were charged for food they had not ordered.
A probe by the BBC's Watchdog show due to be shown tonight, found several examples of customers who were billed hundreds of pounds for food deliveries they did not make.
The company said there has been no breach of customers' financial information and put it down to users' own password security.
"We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach," the startup said.
"The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use."
The firm also stated a number of measures it used to ensure the security of customers' information, including anti-fraud measures and anomaly detection techniques with machine learning to detect unusual activity and block it.
"It is our policy not to comment on specific anti-fraud countermeasures because we don't want to provide public guidelines on how we detect fraud to criminals," the company said in a statement.
"That said, we can assure customers that we are constantly improving our security measures, and make regular upgrades to our practices. Recently, this included frequently asking customers to verify themselves when entering a new address."
It also said that it worked closely with customers in fraud cases, including reimbursing money and working with authorities where appropriate.
The fraud is just one example of the "domino effect" of hacks, where stolen credentials can be used to log into multiple online accounts other than the one directly targeted.
“This illustrates an interesting ‘chaining’ or ‘domino effect’ that data breaches can have across multiple organisations," said Kevin Cunningham, founder of the identity management software company Sailpoint.
"Taking stolen credentials from one breach and using them to access another website, all because a user chose to reuse a password across multiple sites is a very common occurrence.
"Use a unique password for every application. Make sure the password is long and more complex – ideally twelve characters should be thought of as a minimum."
Some Uber customers have also been subject to fraudulent activity, being charged for journeys they took in countries they never visited. The startup also said it was not targeted by hackers and does not store credit card details itself (a third party does), but it said reusing passwords was behind the fraud.
It comes as concerns were raised around striking the balance between making online shopping simple for customers and ensuring transactions are secure.
The European Banking Authority plans to introduce new rules under the wider Payment Services Directive (PSD2) regulation which will require two-factor authentication for any transactions over €10.
This will mean a password, biometric verifications or code will be needed as standard, putting an end to one-click checkouts and automatic in-app payments where card details are already stored - processes used by the likes of Deliveroo, Uber, Amazon and many online companies.
However, Visa has warned that the plans will cause serious disruption for customers and online retailers.
"The plans will bring a host of complications and inconveniences including more declined transactions and longer and more complicated checkout experiences with little if any benefit to consumers," said chief risk officer for Visa Europe Peter Bayley, noting that fraudulent payments accounted for less than five cents in every €100 spent and that merchants and banks are prepared to take on the risk to ensure seamless shopping experiences.
“Managing payments is always about balancing security and convenience. If you tip the balance too far one way, you end up making it either too difficult or too risky for consumers to make purchases wherever, whenever and on whatever device they want. Either way it annoys consumers and damages businesses’ potential to sell their goods and services."