American Uber users beware: Customers from all over the country are complaining that their Uber accounts were charged for trips they never took – in many instances, charged for trips they couldn't possibly have taken – which strongly suggests that those Uber accounts were hacked.
On the other hand, representatives for Uber say they investigated and found no signs indicating a security breach – and added, “This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”
Here's what we know: Back in March, Vice magazine's Motherboard tech blog discovered that stolen Uber accounts – primarily accounts belonging to users in the U.K. – were being sold for as little as $1 apiece on a cybercriminals' “dark web” forum.
At the time, Uber said it had not found any evidence of a security breach — and even Motherboard admitted that “It’s unclear where the data came from or the scale of the breach. These logins may indicate that Uber’s security was hacked or compromised somehow, although the company says it has found no evidence of a breach. It also might mean that these customers were breached individually by other means, and their Uber credentials harvested and put up for sale.”
One of the British victims of the March hacking suggested a third possibility: “Bloody hell …. Either someone at Uber has passed these details on for money, or they have very lax security.”
Then, late last week, Motherboard reported a fresh spate of recent Uber false-charge complaints, this time from American customers. One of them, a North Carolina resident named Stephanie Crisco, told Motherboard: “I used Uber for the first time Thursday night. On Friday morning I received a notification on my phone that my driver was en route. I didn’t request a driver. I clicked on the notification and it said that the ride was cancelled but the pickup was in London.”
Crisco also tweeted a screenshot of her account activity showing various rides in London.
Other Uber users on Twitter posted similar complaints.
@Uber I have $70 worth of charges on my card that I did not authorize!!! I need someone to contact m[e] asap before I sue!
@Uber wish there was a way to contact you guys.... No phone number and no one responds to my email. Very frustrating.
@Uber account has been hacked and charged almost $200. Uber has no sense of urgency when fraud has been committed. Still no email!!
Clearly something's going on, with at least some Uber accounts, though so far it's too early to know exactly what. But there are three main possibilities (assuming all sides are telling the truth to the best of their knowledge):
- hackers did manage to breach Uber security, though Uber hasn't yet discovered it;
- someone breached Uber security from the inside; and
- hackers managed to steal people's passwords from various other sites, and some of those people used the same passwords for their Uber accounts.
Possibility three is the justification behind the all-purpose online security rule “Never use the same password across multiple accounts.” Last October, for example, after millions of Dropbox users claimed their accounts were hacked, a brief investigation showed that Dropbox itself was never hacked – though many individual Dropbox user accounts were, after hackers stole people's credentials from other sites and then discovered that some of their victims used the same password for Dropbox.
The same thing happened with the “Stubhub hacking” in July 2014 and the “Gmail hacking” that September – it turned out neither Stubhub nor Gmail was actually hacked, but hackers were able to fraudulently gain access to various individual accounts using passwords stolen from other sources.
So if you use the same password for more than one account, you need to change the “duplicate” passwords at once, whether you use Uber or not. But if you are on Uber, keep an extra-sharp eye on your account activity — and if you see any fake ride charges, contact Uber to dispute them right away.
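The tell-tale sign in Crisco's case was a ride requested from London only hours after she first used the app in North Carolina. A service can catch that pattern automatically with an "impossible travel" check: compare each ride's pickup point and time with the same account's previous ride and flag any pair whose implied speed no traveller could reach. The script below is an added example, not Uber's code; the ride events, coordinates, timestamps and the 900 km/h threshold are constructed for illustration.

```python
"""Impossible-travel check over ride events (added example, not Uber's code)."""
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruise speed

# Constructed sample events modelled on the complaint in the article: one ride
# in Raleigh, NC on a Thursday night, then a ride requested from London a few
# hours later on the same account. A second account with two nearby rides in
# New York is included as a control. Coordinates and times are approximate.
SAMPLE_RIDES = [
    {"user": "user_a", "time": "2015-05-21T23:30:00", "lat": 35.78, "lon": -78.64},
    {"user": "user_a", "time": "2015-05-22T06:00:00", "lat": 51.51, "lon": -0.13},
    {"user": "user_b", "time": "2015-05-21T18:00:00", "lat": 40.71, "lon": -74.01},
    {"user": "user_b", "time": "2015-05-21T19:00:00", "lat": 40.75, "lon": -73.99},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def flag_impossible_travel(rides, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, time, distance_km, implied_kmh) for rides whose implied speed
    from the same user's previous ride exceeds max_kmh. Two rides at different
    places with no elapsed time are reported with an infinite speed."""
    flagged = []
    last = {}  # user -> most recent ride seen so far
    for r in sorted(rides, key=lambda r: (r["user"], r["time"])):
        prev = last.get(r["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
            delta = datetime.fromisoformat(r["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed > max_kmh:
                flagged.append((r["user"], r["time"], dist, speed))
        last[r["user"]] = r
    return flagged


if __name__ == "__main__":
    for hit in flag_impossible_travel(SAMPLE_RIDES):
        print("possible account takeover:", hit)
```

A hit like this is a signal to hold the ride and re-verify the account holder, not proof of a breach on its own; a real deployment would also consider the device and IP that requested the ride.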