Uber customers suspect their accounts have been hacked

Many Uber customers are reporting unauthorized rides paid for through their accounts. The company rules out a data breach but has suggested a password reset.

In March, media agencies reported that the popular Uber service had been hacked by cyber criminals; security experts discovered at least two different vendors offering stolen Uber customer logins on a black market on the Dark Web.

Now, something strange is happening to some American Uber customers who have been targeted by hackers. According to some Uber clients, someone gained access to their accounts and used them. The customers made the unpleasant discovery when they received notifications of unauthorized rides.

“It was crazy,” Stephanie Crisco told Motherboard. “I used Uber for the first time Thursday night. On Friday morning I received a notification on my phone that my driver was en route. I didn’t request a driver. I clicked on the notification and it said that the ride was cancelled but the pickup was in London.”

Crisco also posted online an image of a Twitter timeline showing a number of canceled Uber rides that were apparently requested from her account; she confirmed that the payments were made through her bank account. Crisco confirmed that Uber has refunded her for three rides, but to avoid further problems she has removed her bank card since discovering the fraudulent payments.

There are various plausible hypotheses behind this incident. For example, it is possible that some other services were compromised by hackers and that the victims used the same credentials there as on the Uber platform. This could be the case for Crisco, who confirmed that she used the same credentials across various web services, including Uber.

Crisco wasn’t the only Uber customer to report such a problem. Many other users have posted on Twitter claiming that their Uber accounts have been hijacked by unknown individuals; in these cases too, the hackers paid for rides using their accounts.

Uber confirmed to Motherboard that its experts haven’t found any evidence of a data breach.

“We do not have any additional information to share beyond the statement we provided before: We investigated and found no evidence of a breach,” an Uber spokesperson said. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”

While waiting for more details from the ongoing investigation, I strongly suggest that Uber users change their passwords, as the company also suggested.

Pierluigi Paganini

(Security Affairs – Uber, hacking)
