Uber users are paying for fraudsters to take rides in China

25 Sep 2015 | Data loss
Uber car. Image courtesy of mikedotta / Shutterstock.

by Lisa Vaas


Uber users this week have found themselves – or, at any rate, their accounts – magically whisked around the world to ride through the city streets of China.

Below are a few tweets from those who’ve found that Chinese fraudsters had used the hacked accounts to take free trips.

Kirby Bittner was one such:

@Uber I had a great ride in China this morning! Except, weird, I wasn't in China this morning. #UberAccountHacked pic.twitter.com/f25IOYFxr9

— Kirby Bittner (@kirbybitt) September 21, 2015

Valerie Bolanos was another:

@Uber_Support my account got hacked and used in China. What do I do?

— Valerie Bolanos (@churruquitaa) September 22, 2015

Jess suffered a similar fate:

I have emailed @Uber_Support to complain about a hack and a charge from China and no one has yet to follow up.

— Jess (@jmejia_08) September 23, 2015

The tweets were brought to Motherboard’s attention by a poster on the UberPeople.net forum – a Twitter user who goes by the handle Just Aguy and who describes himself as a professional Chicago cabbie.

As you might recall, it was Motherboard that, back in March 2015, found thousands of cracked Uber accounts selling for as little as $1 on the dark web – a price that tumbled to 40 cents in August, presumably after Uber started experimenting with multifactor authentication.

Those sales involved reportedly valid email/password logins for Uber accounts.

The root cause of the accounts being broken into appears to have been login reuse: i.e., the same email/password combination used on multiple online services.

Hackers can pick up stolen email/password combinations from data dumps that circulate on the dark web. They can then use an account-cracking program to cycle through all of the login credentials, trying each out in an attempt to log into Uber – or any other online account – in the hope that those credentials have been re-used.

It’s not even fair, really, to refer to this as “hacking,” given that it amounts to little more than an efficiently programmed manner of taking advantage of somebody else having cracked accounts and then dumped the logins online.
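From the service's side, replaying a dumped credential list leaves a recognisable trace in the login log: one source tries many different accounts in a short time and mostly fails. The following is an added example, not code from the article or from Uber; the event format, the thresholds and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, email, success).
# IPs are from documentation ranges; the addresses are made up.
EVENTS = [
    (1000, "198.51.100.7", "a@example.com", False),
    (1002, "198.51.100.7", "b@example.com", False),
    (1003, "198.51.100.7", "c@example.com", True),
    (1005, "198.51.100.7", "d@example.com", False),
    (1006, "198.51.100.7", "e@example.com", False),
    (1009, "198.51.100.7", "f@example.com", False),
    # One user mistyping a password: several attempts, a single account.
    (1000, "203.0.113.20", "zoe@example.com", False),
    (1010, "203.0.113.20", "zoe@example.com", False),
    (1020, "203.0.113.20", "zoe@example.com", True),
    # Ordinary successful login.
    (1030, "192.0.2.55", "max@example.com", True),
]

def detect_stuffing(events, window=60, min_accounts=5, min_fail_ratio=0.7):
    """Return {source_ip: sorted accounts that source logged into successfully}
    for sources that tried many distinct accounts within `window` seconds
    and mostly failed (thresholds are illustrative assumptions)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward so it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            accounts = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(accounts) >= min_accounts and fails / len(chunk) >= min_fail_ratio:
                # Every account this source got into is a candidate for forced reset.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, hit in detect_stuffing(EVENTS).items():
        print(f"{ip}: credential-stuffing pattern, accounts to reset: {hit}")
```

The repeated-failure user at 203.0.113.20 is not flagged because only one account is involved; what separates reuse-based attacks from a forgotten password is the count of distinct accounts per source.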

Uber has been guilty of plenty of missteps when it comes to handling data.

The latest misstep to add to the mix: earlier this month, data related to more than three dozen “shared” Uber trips were found to have leaked into Google search results, including exact address data, be it that of a home or work address.

Anybody could have accessed the cached data – which described trips in the US, UK, Russia, Indonesia, India and the Philippines that dated back as far as 2013 – by simply running a search on the string “trip.uber.com”.

But data missteps aside, the onus for avoiding password reuse lies squarely with users when it comes to picking a strong, unique password for their Uber accounts.

If you’ve used your Uber password elsewhere on the web, change it! Ditto for any other email/password combination used anywhere else.

It amounts to following the simple rule of one site, one (unique, difficult to guess) password.
