Thousands of Uber accounts may have been compromised, and are up for sale. At least two vendors on “Dark Web” marketplace AlphaBay are selling active accounts, according to Motherboard. Once purchased, the accounts let buyers order rides using whatever payment information is stored on file. The accounts can show the user’s trip history, email addresses, phone numbers, and location information for home and work addresses.
Uber accounts on sale for $1
The sellers are offering the stolen accounts for between $1 and $5 each, which wouldn’t even pay for a mile in an Uber car in New York. However, the stolen logins can be used to order free rides until Uber, the payment companies or their owners realise. One of the two sellers the site Motherboard spoke to says they have already sold more than 100 accounts to buyers.
“We investigated and found no evidence of a breach”, said an Uber spokesperson. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services”.
It’s not yet clear how the sellers acquired the stolen account details, and if there might be other sellers using the same information, or whether it all comes from a related security breach. The news of the accounts on sale is just weeks after Uber said that 50,000 of its drivers had been accessed by a third-party in May last year. Uber said this breach did not affect user names, which suggests that it’s unrelated.
Do you use Uber? If so then please make sure that you keep an eye on your account activity, and change your user name and password frequently. The same goes for any Internet website or service that you use, especially if it’s linked to a credit card or other payment service.