UPDATE: An Uber spokesperson responds, "We do not have any additional information to share beyond the statement we provided before: We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services."
Back in March, Motherboard revealed that fully functioning Uber accounts were for sale on the dark web for as cheap as $1 each. At the time, it appeared that the victims of those hacks were based in the United Kingdom. Now, Uber customers from all over the United States have taken to Twitter to complain that their accounts have been charged for trips they never took, sometimes halfway across the world.
“It was crazy,” one apparent victim, Stephanie Crisco from North Carolina, told me over Twitter direct message. “I used Uber for the first time Thursday night. On Friday morning I received a notification on my phone that my driver was en route. I didn’t request a driver. I clicked on the notification and it said that the ride was cancelled but the pickup was in London.”
Crisco also tweeted a picture of the trips she claims she didn’t make. While many of the trips in the screenshot were cancelled, one of them in London was indeed successful, and Crisco told me that three charges were made against her account in total. Crisco has since cancelled her bank card, and Uber have refunded her for the three charges, which range between $40 and $120 each.
Crisco told me that the credentials she used for Uber were the same as the ones she had used on other services.
“Someone outside of the US logged in, changed the name, email & phone number on my account,” Chris Willis, another apparent hack victim, told me in a direct message on Twitter. Willis is based in Boston, and because he was already logged in on his phone, he says, he was able to see the changes and re-take control of the account before anyone took a fraudulent trip at his expense.
Others were not so fortunate. Twitter user Nay complained, “I have $70 with [sic] of charges on my card that I did not authorize!!! I need someone to contact my [sic] asap before I sue!” She appears to be based in the United States, although she didn’t immediately respond to requests for confirmation.
Allison Martin meanwhile tweeted that her “account has been hacked and charged almost $200. Uber has no sense of urgency when fraud has been committed. Still no email!!”
Another user, Tonya Andrews, was also apparently hacked and appears to be based in Philadelphia.
Uber didn’t immediately respond to a request for comment. In a previous statement a representative said, "We have no further details at this point—this is now in the hands of the authorities. I want to stress—we conducted a thorough investigation of this report and found no evidence of a breach on Uber systems. If customers experience charges on their account, they should contact customer support as soon as possible at: help.uber.com. Also, as a reminder—this is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services."
Motherboard cannot confirm whether these hacks were the result of the sale of Uber accounts on the dark web, but during earlier reporting, one vendor of the accounts claimed to have “thousands” to sell. It's also unclear how the accounts were breached in the first place. In any case, it appears Uber has a security problem that is only getting worse, and the company has yet to make any sort of official announcement about it.