Thousands of Uber users' account credentials could have been compromised, and are up for sale from unscrupulous sellers. At least two separate vendors on dark web marketplace AlphaBay are hawking active Uber accounts, Motherboard reports. Once purchased, these accounts let buyers order up rides using whatever payment information is on file. Those accounts can also show trip history, email addresses, phone numbers, and location information for people's home and work addresses.
People's stolen Uber accounts cost less than a mile in an actual Uber
The sellers are offering up the accounts for $1 and $5 apiece, which incidentally won't even get you a mile in an Uber car in New York City. However, those with these stolen logins could theoretically use them to order up free rides until Uber, payment companies, or their real owners realize what's happened. One of the two sellers Motherboard talked to says he or she has already sold more than 100 accounts to other buyers.
"We investigated and found no evidence of a breach," an Uber spokesperson told The Verge. "Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services."
It's currently unclear how these sellers acquired the account credentials, if there might be other sellers using the same information, or whether this stems from a security breach elsewhere. News of the accounts for sale comes just weeks after Uber disclosed that information about some 50,000 of its drivers had been accessed by a third party last May. In its notice, Uber said the breach did not affect user names, suggesting this is unrelated.
Update March 27th, 10:39PM: Updated with a newer statement from Uber about its investigation, and again at 11:59PM to note that the company says it found no evidence of a breach occurring.