Hackers Selling Uber Credentials on Underground Market

Uber user credentials are on sale on underground hacking forums, but the alternative taxi company says it has found no evidence of a breach of its systems.

The alternative taxi service Uber denies insinuations that its systems were breached following reports claiming that underground forums are offering Uber user-credentials for as little as $1.

First reported by Vice Magazine’s Motherboard spinoff, the information for sale also includes names, the last four digits of affected users’ credit card numbers and telephone numbers. Motherboard says it reached out to a number of the customers whose records it obtained and can confirm that at least some of the accounts are active.

Uber denies attackers acquired user account information through a network breach. It’s entirely possible that the usernames and passwords are shared, and that the attackers managed to infer Uber logins from credentials pilfered in a breach of a separate online service.

Problematically, as Motherboard notes, partial payment information, and names, usernames, passwords and telephone numbers are not the only information at risk here. Many Uber users store their home and work addresses, and the Uber app stores user trip history by default, meaning that anyone with access to a stolen Uber account also has access to the record of every trip taken by the legitimate user. In addition to that, the purchaser of one of these stolen Uber accounts could obviously use the account to log free rides.

Motherboard also reached out to one of the Uber account information sellers. The seller, operating under the handle “Courvoisier,” claims he has access to thousands of hacked accounts. Threatpost is not able to independently verify this claim. However, one of the users contacted by Motherboard explained that he had used the same password for his uber and Amazon accounts, lending credence to the possibility that the compromised Uber accounts may have been shared.

“We investigated and found no evidence of a breach,” an Uber spokesperson told Threatpost via email. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”

Uber did suffer a breach recently, though the company claims that that breach only affected driver information. A spokesperson told Threatpost that the two incidents are not related.

Suggested articles