It's more than a week now since the first media reports indicating that Uber customers from all across America have been complaining of rides being fraudulently charged to their accounts – including, among others, a North Carolina woman who couldn't possibly have taken Uber rides through various neighborhoods in London, England.
And it's been a month and a half since Vice magazine's Motherboard blog first discovered that Uber accounts belonging primarily to users in the U.K. were being sold for as little as $1 apiece on a cybercriminals' “dark web” forum.
In both instances, Uber said it investigated and found no evidence of any security breaches. Indeed, when complaints from American users started flooding social media in early May, Uber suggested the problem might be with individual Uber users who'd broken the online safety rule against using the same password for multiple accounts, and said “This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”
To be fair, Uber has been refunding at least some of the hacked customers' accounts. Just today, for example, a user took to Twitter to complain “hacked #uber account. i'm not even in the UK! had to manually cancel dozens of requests @Uber #uberhacked #fraud”
She also directed the tweet to the @UberUKSupport account, which almost immediately responded by saying “Thanks Lisa – we see your email, and we're securing your account now and refunding this.”
On the other hand, another Twitterer complained on May 1 that “@Uber wish there was a way to contact you guys.... No phone number and no one responds to my email. Very frustrating,” and “@Uber account has been hacked and charged almost $200. Uber has no sense of urgency when fraud has been committed. Still no email!!” As of May 8, no responses from Uber are visible on that public Twitter feed.
“An ongoing matter”
This week, ConsumerAffairs heard from a London driver who says he used to work under Uber's platform. “The hacking and illegal usage of Uber customers details was and is an ongoing matter for some time,” he said via email. “Uber has done nothing to overcome the problem.”
Instead, he claims, Uber will “repeatedly try pass[ing] the blame onto others when its uber systems that fail to protect customer account details.”
And what does that mean?
“Either the passenger is told someone they knew used their password to login and use the services, or the blame goes on to the driver who gets deactivated for accepting fraudulent rides. In some situations, drivers are aware of the matter and continue to work with fraudsters; in others, drivers can not possibly know the ride is fraudulent. Bottom line is Uber is at fault fully for these kind of transactions taking place.”
We contacted Uber seeking comment on the “hacking” allegations in general, and specifically about the driver's claim that Uber drivers who transport fraudulent passengers are “deactivated” even if they did not know the ride was fraudulent, but as of press time Uber had not responded to our request.