At least two vendors in the dark net marketplace called AlphaBay say that they have thousands of Uber user logins for sale. Motherboard said it was able to verify that some of the accounts were still in use by Uber members and that, in one case, a previously hacked Amazon password was likely used to get into an Uber account because the passwords were the same.
A username and password is all you need to access a user’s trip history, which may include personal details such as name and home address. While full credit card information is not exposed, the last four digits and expiration date of the user’s card are viewable in a user’s account. This is all the information a dedicated criminal really needs to commit identity theft.
Not many internet users have heard of the deep Web. For most of us, our interaction with the internet is based on websites we are already aware of or data that we reach by using search engines, also known as the surface Web. But that is only the tip of the iceberg. Just below the surface lies a whole world of information that cannot be found via a quick search. No one really knows how expansive the deep Web really is, but it’s hundreds (or perhaps even thousands) of times bigger that the surface Web.
Not all information on the deep Web is hidden on purpose — oftentimes it’s a case of search engine technology simply being unable to locate certain websites. However, the dark net, a subset of the deep Web, is a place where data is purposefully shielded. Often, these parts of the internet are accessible only if you use special browser software, which maintains the privacy of both the source and destination of the data, and the people who access it. Naturally the anonymity of the dark net offers great power to entities conducting illegal business, which is why it makes sense that the providers of Uber passwords are hiding there.
Uber, however, denies that there has been any sort of security breach.
“We investigated and found no evidence of a breach,” said an Uber spokesperson in a statement. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”
The implications of this incident go beyond Uber, whether it is a result of hacking or, as victim James Allan told Motherboard, an attempt by an Uber employee to make some extra cash on the side. Many individuals use the same passwords on multiple websites, meaning that they could be the victims of more extensive identity theft.
If you are an Uber customer this might be a good time to take steps to keep your password safe. Change your password as soon as possible, and choose a unique and complex phrase for the most security.