Anyone with a spare dollar can buy access to stolen, active Uber account information. Vendors on the new darknet market AlphaBay are peddling Uber user details.
You can buy all sorts of illicit stuff through darknet markets, from drugs to weapons to counterfeit goods. But this is the first time we've seen a high-profile sale of Uber account info, enabling people who pay for the stolen details to log in to Uber and take rides using someone else's account.
Motherboard's Joseph Cox dug around and contacted some of the people whose accounts leaked, confirming that at least some of the accounts are legit:
"Motherboard received a sample of names and passwords available and verified that at least some of the accounts were active by contacting those users. The data includes names, usernames, passwords, partial credit card data, and telephone numbers for Uber customers."
Looking at the feedback, it's clear that people like what they're getting. It's all positive, with remarks like "speedy delivery" and "work perfect."
Courvoisier told Cox they have thousands of passwords, but oddly enough, Uber has stated that there has been no data breach:
"We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services."
So that's weird. It's not clear how the vendors gained access to so many Uber account details without hacking Uber. They could've hacked the Uber users individually.
[Requisite part of the blog where I tell you guys not to actually buy stolen Uber account information, don't do that, it's very rude.]
Uber users have had to deal with leaked information before; over 50,000 drivers had their account details exposed last year thanks to a security screw-up. This time, it's not clear who screwed up -- but some users are screwed. [Motherboard]
Screenshot via Kate Knibbs