Watch out: your food delivery app could be delivering pizzas, tacos, and credit cards to cybercriminals.

So warns the FBI in a private alert sent to the food industry last week and seen by The Record. In it, the FBI said criminals are using credential-stuffing attacks to break into grocery and restaurant delivery apps such as Seamless, Door Dash, and Instacart to place fraudulent orders and steal credit cards.

"In July 2020, personal information of grocery delivery company customers was sold on the dark web," the FBI said of one case detailed in the report.

"Information on approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about unauthorized orders and believed the conduct was the result of credential stuffing.

You want to check your home-delivery food account for strange orders you don't remember placing and check your credit card account for unusual activity. Anything you don't remember should be reported to your credit card issuer.

Tom's Guide signed up for seven well-known food and grocery delivery services and found that only two, UberEats and Postmates, offer 2FA as an option.

DoorDash, Grubhub, Instacart, Seamless, and Stop & Shop GO Pass did not offer the 2FA option. If none were available, all that was needed to hijack accounts for these services was a stolen username and password, which is exactly what credential staffing is designed to do.

Credential Staffing is simple. Stolen username/password pairs, or credentials, obtained through data breaches or successful phishing attacks, number in the hundreds of millions online. Because many people reuse passwords, many of the stolen credentials unlock multiple online accounts.

Cybercriminals have therefore created computer programs that shoot stolen credentials into website login pages like machine gun bullets. A significant number of these credentials successfully log in, allowing the criminals to access the online accounts.

If these accounts contain credit card information or allow one-click ordering or free shipping, it is party time for the fraudsters. They can change the shipping address on the account and send burritos, beer, or groceries to their buddies. If credit card information is not properly protected, card numbers can be stolen as well.

They can protect themselves from credential stuffing by not reusing passwords. Instead, use the best password managers (some are free) to create and remember passwords, or write them down in a notebook that you keep locked in a desk drawer.

Also, for online accounts that support 2FA, 2FA must be enabled. Even if you know the password, 2FA makes it much harder for fraudsters to take over your account.

If your food delivery app does not support 2FA, switch to an app that does, such as UberEats or Postmates. Use the online 2FA Directory to publicly call out companies that do not offer 2FA.