Shipt Gig Workers Are Facing a Wave of Hacks

Since June 10, gig workers around the country who work on the Target-owned delivery platform Shipt have reported an onslaught of hacks targeting their accounts that have resulted in the loss of up to three days of income.

Shipt has now confirmed to Motherboard that the delivery platform has been targeted by hackers who obtain gig workers' emails and passwords elsewhere to break into gig workers' accounts and steal their income. 

"Shipt recently detected an external effort to attempt to use emails and passwords obtained elsewhere to try to gain access to shopper accounts," Danielle Schumann, a spokesperson for Shipt, told Motherboard. "We want to be clear that this was not a breach of Shipt systems. We take data security very seriously and acted swiftly and thoroughly to protect shoppers and their accounts." 

On private Facebook groups, Motherboard viewed posts from 20 gig workers claiming they received a password reset email or had been locked out of their Shipt accounts since June 10. Some reported having income stolen, but the main issue for many workers is that they've been locked out of their primary source of income for days because Shipt temporarily closed their accounts. Some workers are still waiting to have their accounts reactivated.  

"I'm livid," Lynn Laing, a Shipt shopper in Huntsville, Alabama, whose account was disabled on Tuesday after someone tried to add a new debit card, told Motherboard. "As soon as they had offered two-factor authentication, I got it. I've done everything to keep my account safe." 

"They haven’t sent any company-wide announcement about this," she continued. "My question for Shipt is how are they going to compensate us for our lost wages? Because I'm not earning anything right now. A lot of us rely on Shipt as our sole source of income." 

Shipt, a growing competitor of the grocery delivery platform Instacart, has roughly 300,000 gig workers in the United States. 

Schumann, the Shipt spokesperson, said that the majority of gig workers who received the email to reset their password were inactive shoppers or were brand new to the platform and hadn't shopped yet. 

"As a preventative measure, we temporarily deactivated those accounts recognizing that those individuals were less likely to be closely watching their accounts," said Schumann. "Shoppers who were disabled in this process can contact support teams to have their accounts reactivated."

Shipt has been telling workers that they should turn on two-factor authentication and search the website haveibeenpwned.com to see if their emails have been part of any data breaches. There does not appear to be any sort of specific breach at Shipt. Based on what Shipt has said about the hacks, it seems that either workers are reusing login credentials that have been hacked from other services, or their email accounts are being hacked, which would allow hackers to change a target's Shipt password and login to their account. Motherboard has seen posts on hacking forums that claim to have made "config" files for Shipt accounts, which would allow hackers to churn through a large number of login credentials quickly. There is no evidence to show that this is how this current wave of hacks happened, but shows that hackers are interested in targeting Shipt shoppers.

"I've seen this happen to 10 different people in the past few days," a gig worker in Los Angeles whose account was disabled on June 10 told Motherboard. "I'm pissed off because things like this keep happening. I wasn't able to work on Friday or the weekend. This is my main source of income."

She had 2-factor authentication set up and received an email late at night on June 10 with a link to reset her password, according to documentation provided to Motherboard.

The worker says she did not try to reset her password—and was aware of the ongoing scams, so she immediately contacted Shipt, which disabled her account for three full days, including a Friday, one of her busiest days.

The incidents have sparked ire toward Shipt from gig workers specifically for a new payment option on all accounts that allows workers, and whoever gains access to their accounts, the ability to cash out instantly. Gig workers—who are especially vulnerable because of their employment status as independent contractors—have become regular targets of phishing scams and hacking during the pandemic on platforms such as Postmates and Instacart. 

In most recent cases, gig workers have become aware of the hacks when they receive password reset emails or emails notifying them that their payout info had been changed, often late at night. In other cases, gig workers try to login to their accounts to find out their passwords have changed.

Many workers online claim hackers had withdrawn their entire paychecks using Shipt's instant cashout feature, and while Shipt had promised to reimburse them, the fiasco of getting their account reopened, still set them back on several days of income. 

Unlike other recent schemes that prey on gig workers, including those at Shipt and Postmates, where scammers phish for passwords and login credentials over the phone, Shipt's gig workers whose accounts have been compromised in recent days say they were not contacted by scammers and, in many cases, had two factor-authentication set up, to prevent account theft. 

"We strongly encourage our shoppers to always use unique email and password combinations and to enable two-factor authentication on the Shipt Shopper app," Schumann, the Shipt spokesperson said. "We have been regularly reminding shoppers that these are critical steps they both can, and should, take."

Joseph Cox contributed reporting.