Uber users are paying for fraudsters to take rides in China

25 Sep 2015, Data loss
Uber car. Image courtesy of mikedotta / Shutterstock.

by Lisa Vaas


Uber users this week have found themselves – or, at any rate, their accounts – magically whisked around the world to ride through the city streets of China.

Below are a few tweets from those who’ve found that Chinese fraudsters had used the hacked accounts to take free trips.

Kirby Bittner was one such:

@Uber I had a great ride in China this morning! Except, weird, I wasn't in China this morning. #UberAccountHacked pic.twitter.com/f25IOYFxr9

— Kirby Bittner (@kirbybitt) September 21, 2015

Valerie Bolanos was another:

@Uber_Support my account got hacked and used in China. What do I do?

— Valerie Bolanos (@churruquitaa) September 22, 2015

Jess suffered a similar fate:

I have emailed @Uber_Support to complain about a hack and a charge from China and no one has yet to follow up.

— Jess (@jmejia_08) September 23, 2015

The tweets were brought to Motherboard’s attention by a poster on the UberPeople.net forum – a Twitter user who goes by the handle Just Aguy and who describes himself as a professional Chicago cabbie.

As you might recall, it was Motherboard that, back in March 2015, found thousands of cracked Uber accounts selling for as little as $1 on the dark web – a price that tumbled to 40 cents in August, presumably after Uber started experimenting with multifactor authentication.

Those sales involved reportedly valid email/password logins for Uber accounts.

The root cause of the accounts being broken into appears to have been login reuse: i.e., the same email/password combination used on multiple online services.

Hackers can pick up stolen email/password combinations from data dumps that circulate on the dark web. They can then use an account-cracking program to cycle through all of the login credentials, trying each out in an attempt to log into Uber – or any other online account – in the hope that those credentials have been re-used.

It’s not even fair, really, to refer to this as “hacking,” given that it amounts to little more than an efficiently programmed manner of taking advantage of somebody else having cracked accounts and then dumped the logins online.
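The cycling-through-dumped-logins pattern described above has a distinctive shape in a service's own login logs: one source address touching many different accounts in a short window, mostly failing, with the occasional success that is the real damage. The example below is added here and is not code from the article or from Uber; it runs over constructed sample log lines in an assumed format (timestamp, source IP, email, result), and the thresholds are illustrative, not recommendations from the source.

```python
# Added example (not from the article): flag credential-stuffing patterns in
# constructed login logs. Stuffing replays leaked email/password pairs at
# scale, so one source IP tries many *different* accounts with a high failure
# rate and a few successes. A legitimate user mistyping their own password
# looks different: one account, one IP, all failures or a quick success.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format): ISO timestamp, source IP, email, result.
SAMPLE_LOG = """\
2015-09-21T08:00:01Z 203.0.113.7 alice@example.com FAIL
2015-09-21T08:00:02Z 203.0.113.7 bob@example.com FAIL
2015-09-21T08:00:02Z 203.0.113.7 carol@example.com OK
2015-09-21T08:00:03Z 203.0.113.7 dave@example.com FAIL
2015-09-21T08:00:03Z 203.0.113.7 erin@example.com FAIL
2015-09-21T08:00:04Z 203.0.113.7 frank@example.com OK
2015-09-21T08:10:00Z 198.51.100.9 grace@example.com FAIL
2015-09-21T08:10:05Z 198.51.100.9 grace@example.com FAIL
2015-09-21T08:10:09Z 198.51.100.9 grace@example.com OK
"""

def parse(line):
    ts, ip, email, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, email, result == "OK"

def stuffing_suspects(log_text, window=timedelta(minutes=5),
                      min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: {"accounts", "attempts", "succeeded"}} for source IPs that,
    within any `window`, hit at least `min_accounts` distinct accounts with a
    failure ratio of at least `min_fail_ratio`. The "succeeded" list is the
    set of accounts a defender would force-reset (thresholds are illustrative)."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, email, ok = parse(line)
        events[ip].append((ts, email, ok))
    suspects = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):           # sliding time window per IP
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e[1] for e in win}
            fails = sum(1 for e in win if not e[2])
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                suspects[ip] = {"accounts": len(accounts), "attempts": len(win),
                                "succeeded": sorted(e[1] for e in win if e[2])}
    return suspects
```

In the sample, 203.0.113.7 is flagged (six accounts, two successes to reset) while grace's three attempts from 198.51.100.9 are not, which is the distinction a simple per-account lockout would miss.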

Uber has been guilty of plenty of missteps when it comes to handling data.

The latest misstep to add to the mix: earlier this month, data related to more than three dozen “shared” Uber trips were found to have leaked into Google search results, including exact address data, be it that of a home or work address.

Anybody could have accessed the cached data – which described trips in the US, UK, Russia, Indonesia, India and the Philippines that dated back as far as 2013 – by simply running a search on the string “trip.uber.com”.

But data missteps aside, the onus for avoiding password reuse lies squarely with users when it comes to picking a strong, unique password for their Uber accounts.

If you’ve used your Uber password elsewhere on the web, change it! Ditto for any other email/password combination used anywhere else.

It amounts to following the simple rule of one site, one (unique, difficult to guess) password.

Image of Uber car courtesy of mikedotta / Shutterstock.

