According to Motherboard, thousands of Uber accounts have been put up for sale on the dark web, with active login credentials changing hands for as little as $1 a time.
Over the weekend, vendors using the names “Courvoisier” and “ThinkingForward” were seen to be selling what they claimed to be valid Uber logins for $1 and $5 respectively on the AlphaBay market, a new dark net trading site that launched at the end of 2014.
Courvoisier who, according to The Register, has sold 144 accounts since March 18, and more than 3000 in total, also offers an optional $1.87 guide on how customers can avoid getting caught when using the stolen accounts.
ThinkingForward says he’s offering Uber credentials at the significantly higher price of $5 a pop, but notes:
I will guarantee that they are valid and live ONLY. Discounts on bulk purchase.
As part of its investigation, Motherboard acquired a selection of names and other account details which it used to contact some users, confirming with two of them that the data was indeed valid.
It’s not currently clear how the account details found their way onto the AlphaBay marketplace, or whether other vendors are selling the same information, nor is it known whether this is a result of a breach elsewhere. But Uber itself is adamant there has been no breach at its end:
We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report.
Uber, you likely recall, has had what some may call a checkered history where customer and employee data is concerned.
Back in September 2014 the company admitted that one of its databases “could potentially have been accessed by a third party,” though it did note that only drivers’ names and license plates were made available.
In December 2014, we reported on how the firm gave a job applicant unlimited access to passenger data not only during his interview, but also for several hours afterwards as well.
Later that same month we also reported how an Uber executive had accessed BuzzFeed reporter Johana Bhuiyan’s data on two occasions because she was running late for a meeting and he was keen to know when she would arrive.
Then, in February of this year, an internal database was found to be accessible via the web for some 5 hours, allowing visitors to view a list of 155 lost and found items, as well as customer and driver names, phone numbers, internal ID numbers and ride information.
And only last week we learned how the controversial taxi firm had entered the Big Data game, offering incentives to customers who choose to link their Uber accounts (and a whole heap of personal data) with Starwood Hotels & Resorts.
It’s not clear that any of those incidents are related to the current sale of login credentials, but we definitely agree with Uber’s warning about reusing the same usernames and passwords for more than one account:
This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.
If you have an Uber account, make sure you change your password as quickly as possible and, if you have used that same password elsewhere on the web, now is a good time to grab a password manager and start using different, hard-to-guess, non-dictionary-word passwords for each account you own:
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.
And remember, don’t buy stolen data from the internet – not only is it not cool, it’s also illegal and likely to get you into a whole pile of trouble.