A London record-producer claims he has been billed for £3,000-worth of Uber rides he didn’t take, the Evening Standard reports. He’s just the latest in a growing number of people claiming their accounts with the ride-hailing service have been hacked, following a report that “thousands” of accounts are being sold online.
35-year-old Mike Crossley alleges that over the course of 10 days, someone took 142 Uber rides using his account — racking up a £3,000 bill. “Most of the time they were using the expensive luxury service to run up the bill,” he said. “They were quite random although there was an address in Westminster they went to more than once.”
Uber denies there’s been a breach — but has promised to refund Crossley.
Over the last week, there have been multiple cases of people alleging their Uber accounts have been hacked and taxis have been ordered by mystery intruders, charging the journeys to their cards.
Here are a few examples of people complaining on Twitter:
These claims come after Motherboard’s Joseph Cox found that “thousands” of Uber passenger accounts were allegedly being sold on the deep web — a part of the Internet that can only be accessed by using anonymising software that disguises users’ identities. The accounts are going for between $US1 and $US5, and sellers are promising that they allow purchasers to use the original owners’ credit card details to order themselves rides for free.
Uber maintains its servers haven’t been hacked, telling us there is “no evidence of a breach”:
“We take any issue of this nature very seriously and after investigating have found no evidence of a breach at Uber. Attempting to fraudulently access and use Uber accounts is illegal and we notify the authorities about such activity. We would like to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”
So if Uber’s telling the truth, what’s going on? One possibility is that the company hasn’t been hacked — but that it inadvertently leaked passenger information online. There’s no direct evidence for this theory, but something similar has happened before.
An Uber employee once accidentally uploaded an internal password to GitHub, a code-sharing site often used by developers. This was subsequently used by an unknown intruder to gain access to sensitive details about more than 50,000 Uber drivers, including names and licence plates. The company is now battling in the courts to find out who accessed the GitHub page containing the password.
It’s not outside the realms of possibility that a similar mistake by an employee resulted in the leak of user accounts. Or perhaps Uber has been hacked, and simply hasn’t realised yet (or doesn’t want to say). The company suggested to The Hill that hackers may have been able to figure out log-ins due to weak passwords or from user data revealed by hacks elsewhere.