Due to an apparent mistake, Uber left the personal information of what appears to be hundreds of drivers exposed online, including their Social Security numbers, scans of driver licenses, tax forms, and other data.
The data leak seems to be linked to the company’s new “Uber partner” app, designed to provide drivers with more data about the service, and the company more information about its drivers.
“I have hundreds of drivers licenses on my screen now,” said a member of the Uber People messaging board. “What a freaking mess. More identity fraud coming.”
An Uber driver, who asked Motherboard not to reveal his identity for fear of the company retaliating against him, found the bug while uploading a document.
When he refreshed the page, “it started loading hundreds, maybe thousands of other uploaded documents from other Uber drivers,” he said in a phone interview.
“When I looked closer, it might have been the database of Uber drivers that are taxicab drivers that have access to Uber. There were a lot of taxi certification forms and livery drivers licenses and W-9 forms with Social Security numbers for taxi cab companies,” he added.
A screenshot of the data leaked on Uber's website.
An Uber spokesperson confirmed the leak to Motherboard, and said that “as soon as we became aware we fixed the issue.”
According to message timestamps, the data appears to have been available for at least a few hours.
The Uber spokesperson released a statement a few minutes after this story was published.
“We were notified about a bug impacting a fraction of our US drivers earlier this afternoon. Within 30 minutes our security team had fixed the issue,” an Uber spokesperson told Motherboard. “We’d like to thank the driver who drew it to our attention and apologize to those drivers whose information may have been affected. Their security is incredibly important to Uber and we will follow up with them directly.”
Uber said the data leak affected no more than 674 drivers in the US, which resulted in fewer than a thousand documents exposed. The data, according to Uber, was visible only to logged-in drivers who went to their documents page.
The driver who spoke to Motherboard reported the bug to Uber more than four hours ago, and said he was worried somebody could use it to commit fraud.
“I’m not about to go commit some Social Security fraud, but I don’t trust the other Uber drivers to not do that,” the anonymous driver added.
“That is no bueno man. [...] This info is worse than credit card information,” wrote another forum member. “This info can be used to create accounts and verify identities online.”
This new security mishap comes just days after Uber fixed a major vulnerability that allowed hackers to keep control of hacked Uber users’ accounts. In the last few months, scores of users all over the world have complained about getting fraudulent trips charged on their accounts. These frauds were due to users recycling passwords—which had been dumped online from the breaches of other services and sites—exacerbated by the fact that Uber wasn’t automatically logging all users out when the owner of the account changed the password.
In the case of this latest leak, however, it seems that the leak of personal and sensitive data is all Uber’s fault.
Additional reporting by Jason Koebler.
This story has been updated with new information and a statement from Uber.
Another screenshot of some data leaked on Uber's website.