As Uber account compromises continue, company says they weren’t breached
Transport service company Uber has had its fair share of problems through the years, but lately instances of hacked accounts and fraudulently booked trips seem to have increased, fueling speculations that the company has suffered a data breach.
Alan White has a good collection of recent Twitter complaints about hacked accounts, changed emails and phone numbers, and fraudulent trips charged to the legitimate user’s payment card.
It all started in late March and, at the time, Motherboard’s Joseph Cox reported that they discovered Active Uber accounts being sold on a dark web marketplace for as little as $1 each.
At the time, Uber said that they have investigated the matter and found no evidence of a breach. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services,” they stated.
The company gave the same canned response to the most recent reports about hacked Uber accounts.
Most of the affected users tried to contact Uber support, with mixed results. Some have been reimbursed for the fraudulent charges or had them reversed, and some received a response from Uber saying: “It looks like someone has accessed your account illegitimately. We believe that your email account may have been hacked as access was gained to your account by sending a password reset link to your email.”
One of the affected passengers said that could not be. “My email has three-step verification and could not have been hacked. I found this very dishonest of Uber – it is NOT okay to tell people that their email account has been compromised when it hasn’t been,” she told White.
It’s, of course, possible that the company has been breached but that they haven’t found evidence of this, yet. Perhaps they inadvertently leaked a login key that has been misused to access its user databases – it has happened before.
It’s also possible that the login credentials have been compromised through a breach of another company’s databases – after all, many users have the deplorable habit of using the same username/password combination for a number of online accounts, as one of the affected customers confirmed.
Finally, it could be that the users themselves have falled for clever phishing attacks. Or, it could be a combination of some or all of these things.
Still, this is a good time for all users to check their Uber account, and change their password just in case. Needless to say, they should make it strong and unique.