Sophos Cloud Optix
Uber users this week have found themselves – or, at any rate, their accounts – magically whisked around the world to ride through the city streets of China.
Below are a few tweets from those who’ve found that Chinese fraudsters had used the hacked accounts to take free trips.
Kirby Bittner was one such:
@Uber I had a great ride in China this morning! Except, weird, I wasn't in China this morning. #UberAccountHacked pic.twitter.com/f25IOYFxr9
— Kirby Bittner (@kirbybitt) September 21, 2015
Valerie Bolanos was another:
@Uber_Support my account got hacked and used in China. What do I do?
— Valerie Bolanos (@churruquitaa) September 22, 2015
Jess suffered a similar fate:
I have emailed @Uber_Support to complain about a hack and a charge from China and no one has yet to follow up.
— Jess (@jmejia_08) September 23, 2015
The tweets were brought to Motherboard’s attention by a poster on the UberPeople.net forum – a Twitter user who goes by the handle Just Aguy and who describes himself as a professional Chicago cabbie.
As you might recall, it was Motherboard that, back in March 2015, found thousands of cracked Uber accounts selling for as little as $1 on the dark web – a price that tumbled to 40 cents in August, presumably after Uber started experimenting with multifactor authentication.
Those sales involved reportedly valid email/password logins for Uber accounts.
The root cause of the accounts being broken into appears to have been login reuse: i.e., the same email/password combination used on multiple online services.
Hackers can pick up stolen email/password combinations from data dumps that circulate on the dark web. They can then use an account-cracking program to cycle through all of the login credentials, trying each out in an attempt to log into Uber – or any other online account – in the hope that those credentials have been re-used.
It’s not even fair, really, to refer to this as “hacking,” given that it amounts to little more than an efficiently programmed manner of taking advantage of somebody else having cracked accounts and then dumped the logins online.
Uber has been guilty of plenty of missteps when it comes to handling data.
The latest misstep to add to the mix: earlier this month, data related to more than three dozen “shared” Uber trips were found to have leaked into Google search results, including exact address data, be it that of a home or work address.
Anybody could have accessed the cached data – which described trips in the US, UK, Russia, Indonesia, India and the Philippines that dated back as far as 2013 – by simply running a search on the string “trip.uber.com”.
But data missteps aside, the onus for avoiding password reuse lies squarely with users when it comes to picking a strong, unique password for their Uber accounts.
If you’ve used your Uber password elsewhere on the web, change it! Ditto for any other email/password combination used anywhere else
It amounts to following the simple rule of one site, one (unique, difficult to guess) password.
Image of Uber car courtesy of mikedotta / Shutterstock.