A few months ago, it was reported that Uber accounts were on sale on the black market for as little as $1 per account. At the time, the breach appeared to only have affected victims based in the United Kingdom. Now, Uber customers throughout the United States have reported their Uber accounts have been hacked and abused to make several fraudulent charges the customers did not initiate.
Uber, the crowd-sourced taxi service, has been experiencing serious security issues for the past few months, but seems to have no information on such issues. A number of Uber users throughout the world have taken to Twitter, enraged that their Uber accounts have been abused to make charges for pickups all around the world, some costing upwards of a few hundred dollars.
One Uber user told Motherboard Vice that she had registered her Uber account on Thursday, and by Friday morning her Uber account had been hacked to make a fraudulent pickup in London. What is particularly chilling is that this customer was located in North Carolina, meaning the breach could be wide in scope.
Stephanie Crisco, one of the many Uber victims affected, posted a screenshot of the Uber pickups her account had ordered, where three charges can be seen as canceled. Crisco is in the midst of canceling her bank card while Uber has successfully refunded her £83.47 (roughly $126) due to the multiple transactions.
Crisco noted the credentials she had used on her Uber account were the same she had used for another online service.
Another victim speaking on the apparent Uber hack said someone outside of the United States had hijacked his account, changing the account name, email and phone number. However, since he was logged in on his phone, he was able to regain access to the account by changing the credentials back. This particular victim did not have any fraudulent charges made on his account.
Several other victims tweeted about their experiences, one noting that a $70 charge had been made on her account, while another was outraged that over $200 in fraudulent charges had been made on her account and noted Uber didn’t care to respond in a timely manner.
The authenticity of the hacks cannot be confirmed as Uber continues to deny breach accusations, but there is compelling evidence suggesting something more is happening. One underground vendor even claimed they had thousands of hacked Uber accounts to sell.
It is unclear how the Uber accounts may have been hacked. Criminals may have swept up users' password credentials from a previous breach and have been testing to see if customer credentials match up elsewhere. Alternatively, there may be a leak in Uber, and thousands of accounts are continuing to be hacked.
However, this is not the first time Uber has had to deal with a hack. Just two months ago, the company had confirmed that a number of account credentials had been accessed by a third party.
When contacted about the breach, an Uber spokesperson said: “We do not have any additional information to share beyond the statement we provided before: We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”