TaskRabbit has reset an unknown number of customer passwords after confirming it detected “suspicious activity” on its network.
The IKEA-owned online marketplace for on-demand labor said it reset user passwords out of an abundance of caution and that it “took steps to prevent access to any user accounts,” a TaskRabbit spokesperson told TechCrunch.
The company later confirmed it was a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are matched against different websites to access accounts.
“We acted in an abundance of caution and reset passwords for many TaskRabbit accounts, including all users who had not logged in since May 1, 2020, as well as all users who logged in during the time period of the attack, even though most of the latter activity was attributable to users’ regular use of our services,” the spokesperson said.
“As always, the safety and security of the TaskRabbit community is our priority, and we will continue to be vigilant about protecting our users’ personal information,” said the spokesperson.
TaskRabbit customers were alerted to the incident in a vague email that only noted their password had been recently changed “as a security precaution,” without saying what specifically prompted the account change. TechCrunch confirmed that the email was legitimate.
It’s not uncommon for companies to reset passwords after a security incident where customer or account information is accessed or stolen in a breach.
Last year, online apparel marketplace StockX reset customer passwords after initially citing “system updates,” but later admitted it took action after it found suspicious activity on its network. Days later, a hacker provided TechCrunch with 6.8 million StockX account records stolen from the company’s servers.
TaskRabbit’s freelance labor marketplace was founded in 2008, and grew over time from an auction-style platform for negotiating tasks and errands to a more mature and tailored marketplace to match customers with contractors. That eventually attracted the attention of furniture retailer IKEA, which bought the startup in September 2017 after TaskRabbit put itself on the market for a strategic buyer.
The year after the acquisition, however, TaskRabbit had to take its website and app down due to a “cybersecurity incident.” The company later revealed an attacker had gained unauthorized access to its systems. Then-TaskRabbit CEO Stacy Brown-Philpot said the company had contracted with an outside forensics team to identify what customer information had been compromised by the attack, and urged both users and providers to stay vigilant in monitoring their own accounts for suspicious activity.
Following the attack, the company said it was implementing several new security measures and would work on making the log-in process more secure. It also said it would reduce the amount of data retained about taskers and customers as well as “enhance overall network cyber threat detection technology.”
Updated with additional comment from TaskRabbit.