Uber. Image courtesy of Evan Lorne/Shutterstock.
Naked Security Naked Security

Cracked Uber accounts tumble to 40 cents on the dark web

Dark web listings say they won't refund/replace if Uber asks for verification: a sign that Uber's experiments with strong verification requirements are paying off.

Uber. Image courtesy of Evan Lorne/Shutterstock.

Remember those cracked Uber accounts that were selling for as little as $1 on the dark web a few months ago?

Well, welcome to the Midsummer Madness Sale: prices have been slashed, and now, they’re going for the low, low price of only 40 cents!

I know what you’re thinking: With these prices, the dark-web markets selling other people’s accounts must be CRAZY!

(Actually, so are you if you actually buy these things. It’s illegal, and your purchase could buy you a world of trouble.)

Motherboard, which first picked up on the Uber account sale in March, now reports that the accounts are not only still being sold; now, valid email/password logins for Uber are selling for less than half of what they had been.

The news outlet found one such listing on the dark web market AlphaBay. Here’s what it said:

[High quality] uber accounts from random country's, all of them have [credit card information] attached 100%.

Dark-web customers reportedly have the option of buying accounts linked to either a credit card or PayPal.

With that account data in hand, buyers can then log into Uber and get a free ride, literally: they can take Uber trips that are then charged to someone else’s account.

Indeed, Uber customers in the UK and in the US have complained of fraudulent charges.

As of Friday morning when Motherboard reported the falling prices of cracked accounts, there were six vendors peddling Uber accounts on AlphaBay, and together they’d sold more than 6,100 accounts, according to an automatic tally on each item listing.

Motherboard points out that the total number of cracked accounts sold so far is likely higher than that, given that many vendors who had been selling Uber accounts don’t appear to be doing so at this point.

It’s not clear why the price has crashed, but a spokesperson told Motherboard that the company…

...made some changes to the app which have dramatically decreased the ability for criminals to fraudulently access accounts. This includes, but is not limited to, further account verification requirements.

Uber hasn’t revealed any more details on exactly what changes it has made, but whatever it did, it seems to be making it harder for crooks to use the stolen account information.

That assumption’s backed up by what a dark web vendor wrote on a listing for the cracked accounts:

I will not accept any refund/replace if uber asks about any verification.

Well, this is pleasant. After all, we don’t often find ourselves giving kudos to Uber for data privacy or security processes, given its shaky data history which has included admitting that one of its databases “could potentially have been accessed by a third party,” though it did note that only drivers’ names and license plates were made available.

As well, back in December we reported on how the firm gave a job applicant unlimited access to passenger data not only during his interview, but also for several hours afterwards as well.

Then too, later that same month, we also reported how an Uber executive had accessed BuzzFeed reporter Johana Bhuiyan’s data on two occasions because she was running late for a meeting and he was keen to know when she would arrive.

Then, in February of this year, an internal database was found to be accessible via the web for some 5 hours, allowing visitors to view a list of 155 lost and found items, as well as customer and driver names, phone numbers, internal ID numbers and ride information.

More recently still, we learned how the controversial taxi firm had entered the Big Data game, offering incentives to customers who choose to link their Uber accounts (and a whole heap of personal data) with Starwood Hotels & Resorts.

It’s always nice to see security buttoned up with stronger verification requirements, but in light of Uber’s spotty history, it’s, well, uber-nice.

While it’s gratifying to see Uber successfully battling the thieves who exploit cracked logins, the onus is still on users to pick a strong, unique password for their Uber account, as the Uber spokesperson reminded:

Uber has taken this issue very seriously and has refunded anyone who was affected. We would still like to remind our users to use a unique password for their Uber account.

If you’ve used your Uber password elsewhere on the web, change it!

As well, now might be a good time to think about using a password manager and to start using unique – as in, one password, one site – hard-to-guess, non-dictionary-word passwords for each account you own.

A password manager will cook up that type of passcode for you, as well as store all the (hopefully) impossible to remember strings so you don’t have to.

Image of Uber courtesy of Evan Lorne / Shutterstock.