TaskRabbit reset an unknown number of customer passwords after confirming "suspicious activity" was found on its network.
The IKEA-owned online marketplace for on-demand employees said it was carefully resetting user passwords and "took steps to prevent access to user accounts," a TaskRabbit spokesperson told TechCrunch.
The company later confirmed that it was a credential stuffing attack, in which existing sets of disclosed or compromised usernames and passwords are tried against various websites to access accounts.
"We have taken great caution and reset passwords on many TaskRabbit accounts, including all users who haven't logged in since May 1, 2020, as well as all users who logged in during the attack period, despite most of the latter activity being due to the regular use of our services by users," said the spokesman.
"As always, the security of the TaskRabbit community is our priority and we will continue to be vigilant when it comes to protecting our users' personal information," the spokesman said.
TaskRabbit customers were made aware of the incident in a vague email that only stated that their password had recently been changed "for security reasons" without saying what specifically led to the change in the account. TechCrunch confirmed the email was legitimate.
It is not uncommon for companies to reset passwords after a security incident in which customer or account information is compromised or stolen.
Last year, the online apparel market StockX reset customer passwords, initially citing "system updates," but later admitted that it took action after discovering suspicious activity on its network. Days later, a hacker provided TechCrunch with information from 6.8 million StockX accounts stolen from the company's servers.
TaskRabbit's freelance labor market was founded in 2008 and has evolved over time from an auction-style platform for negotiating tasks and errands to a more mature and bespoke marketplace for connecting clients with contractors. This eventually caught the attention of furniture retailer IKEA, which bought the startup in September 2017 after TaskRabbit put itself on the market for a strategic buyer.
However, the year after the acquisition, TaskRabbit had to shut down its website and app due to a "cybersecurity incident". The company later announced that an attacker had gained unauthorized access to its systems. TaskRabbit's then CEO Stacy Brown-Philpot said the company had signed a contract with an outside forensics team to determine what customer information was compromised by the attack and asked both users and vendors to monitor their own accounts and stay vigilant for suspicious activity.
Following the attack, the company announced it was implementing several new security measures and was working to make the login process more secure. It also said it would reduce the amount of data stored about Taskers and customers, and "improve all of the technology used to detect cyber threats on the network."
Brown-Philpot left TaskRabbit earlier this year, and the CEO role has since been taken over by former Airbnb and Uber Eats executive Ania Smith.
Updated with additional comment from TaskRabbit.