It appears that real user data is being sold, but it's unclear where it came from.
Image: Andrew Caballero/Reynolds/AFP/Getty Images
Active Uber accounts are for sale on a dark web marketplace for as little as $1 each, Motherboard has learned.
One seller claims he has "thousands" of user logins for sale.
A username and password is all you need to access a user's trip history, which may include personal details such as a home address. While full credit card information is not exposed, the last four digits and expiration date of the user's card are viewable in a user's account.
Over on AlphaBay market, a recently launched dark web site, vendor Courvoisier has a listing for 'x1 UBER ACCOUNT - WORLDWIDE TAXI!' For the meager sum of $1, anyone can anonymously purchase an Uber username and password.
Another vendor, ThinkingForward, has a similar offer, but for $5. "I will guarantee that they are valid and live ONLY. Discounts on bulk purchases," ThinkingForward writes on his product listing.
"It's terrifying that this information is out there. [It's a] massive breach of privacy."
According to Courvoisier, once you've bought the login, it's a simple step to ordering a cab.
"Log in on the Uber mobile website on your phone and book a cab :)" he or she told me in a private message.
A representative for Uber said the company has found no evidence of a breach.
Motherboard received a sample of names and passwords available and verified that at least some of the accounts were active by contacting those users. The data includes names, usernames, passwords, partial credit card data, and telephone numbers for Uber customers.
Motherboard reached out to one of the users whose email address and password was put up for sale: James Allan, sales director for OISG, a technology solutions company.
Allan confirmed that the username and password Motherboard had seen were correct, as well as the expiry date on his personal credit card. He doesn't actually use Uber anymore, and the last trip he booked was in December 2013.
"Bloody hell," Allan said over the phone, when he was told what his password was.
He was "extremely surprised" by the revelation, he said. Allan also said that he doesn't use the internet much for financial transactions, preferring cash "for this very reason."
It's unclear where the data came from or the scale of the breach
"Either someone at Uber has passed these details on for money, or they have very lax security," Allan said. "Criminal proceedings need to be processed, I'd expect. That's what I would like to happen."
The second account holder, who didn't want to have his name printed, was equally shocked.
"It's terrifying that this information is out there. [It's a] massive breach of privacy," he said.
A third account holder, whose login information appeared to be valid, did not immediately respond to phone calls or emails.
It's unclear where the data came from or the scale of the breach. These logins may indicate that Uber's security was hacked or compromised somehow, although the company says it has found no evidence of a breach. It also might mean that these customers were breached individually by other means, and their Uber credentials harvested and put up for sale. Motherboard did not receive a response from Uber to follow-up questions asking for clarification.
When Motherboard asked Courvoisier where the accounts he was selling came from, he replied, simply, "Hacked accounts buddy."
"I have thousands :)" he added.
In a statement, an Uber spokesperson said:
"We are looking into this and do not have any information to share at this time. We use state of the art technology to prevent, detect, and investigate fraud. It's important to note that attempting this type of fraud is illegal, and we take appropriate action when we confirm fraud, including notifying the proper authorities."
Update: Uber sent an updated statement after this story ran:
"We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services."
It's worth remembering that the sale of this data may have consequences beyond any single Uber account. If an individual uses the same email address and password to sign up for other services—eBay, for example—then typing in those details on different sites may also allow easy access.
Indeed, that's what Allan had done. "I did use the same password for Amazon only as I mentioned that I don't trust the use of financial details on the web," he said in a follow up email.
ThinkingForward had only sold a few accounts at the time of writing. The only bit of feedback left by a happy customer so far reads "quick and pro thanks mate."
Courvoisier, meanwhile, has apparently sold over 100 Uber usernames and passwords, and has received plenty of positive reviews.
"Work[s] perfect," was the feedback left by one customer; "speedy delivery" was from another.
This isn't the first time that Uber has had data leak in some form. As many as 50,000 of its drivers may have had personal details exposed. Uber said that in September 2014 one of the company databases "could potentially have been accessed by a third party," according to Slate, and Uber said that only the drivers' names and license plates could have been accessed in that breach. The twist is that Uber reportedly left the key for that database on a publicly accessible page on Github.
In another incident, Uber accidentally left part of its internal lost and found database—which included driver and customer names and some numbers—public on the open internet.
On the internet, it's possible to purchase all sorts of digital goods: credit card numbers, PayPal accounts, and now Uber logins, all for as little as a few dollars. This item is just the latest in the long history of buying stolen data with the click of a mouse.
Update: This story has been updated with a new response from Uber.
Editor's note: Our legal team asked us to advise you, dear reader, that buying stolen login info from the internet is illegal and you should definitely not do that, so don't.