Some Uber users are reporting that they’re being charged for rides they didn’t take, according to Motherboard, which reported on Monday that anonymous third parties have been able to access certain Uber accounts.
Since credit cards are automatically linked to your Uber account, these intruders have been able to order rides without the account holder’s permission, according to the report.
“I got a notification on my phone from Uber saying ‘your taxi was on its way/it arrived’ etc., but thought it must be a glitch of the app,” one Uber customer told Motherboard.
Some customers say they have received no response from the company.
Others say they have been locked out of their Uber accounts after the person who hacked their account changed the email address or password associated with the account.
Other customers tell Motherboard they have been refunded by the company for the fraudulent rides.
An Uber spokesperson said the company found “no evidence of a breach” in the following statement to Business Insider:
We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.
This follows a previous report from Motherboard that said Uber credentials are being hawked on online marketplaces such as AlphaBay for as little as $US1 a pop. While the login credentials are available for purchase on this marketplace, credit card numbers are not listed on the accounts beyond the last four digits.
The dark web is a hot bed for such illegal transactions. Former dark web black markets such as Silk Road were known to offer goods like weapons and drugs. Now, following Silk Road’s demise, entrants like AlphaBay have percolated.
Motherboard says it obtained the usernames and passwords of a few accounts for sale and confirmed that the information was correct. It’s unclear how the website obtained these records.
“It’s terrifying that this information is out there,” one user whose information was for sale told Motherboard.