Uber Accounts For Sale On The Dark Web?

Stolen Uber customer accounts are being sold on the dark Internet by the thousands for as little as $1 each, online magazine Motherboard reported on Friday (March 27).

The Uber account data reportedly being sold includes usernames and passwords, customer names, telephone numbers and partial credit card data — last four digits and expiration date. Several sample accounts checked by Motherboard were confirmed to be active, the magazine said.

Uber said it had investigated the report and found no evidence of a breach, but notified authorities.

While the last-four-digits data wouldn’t be enough for a buyer to use the payment card number outside of Uber, it’s sufficient to book an Uber ride that would be charged to the card. One U.K. Uber customer whose account details were allegedly sold said two fares totaling £376.15 ($556.50) were charged to him through his Uber account in mid-March, and that his password and the account’s email address were changed so he could not regain control of the account.

Motherboard said the scale of the breach was unclear, nor was it possible to determine whether the user name/password pairs had been stolen from Uber directly or if they could have come from a breach of a different company but had been reused by customers.

Uber denied that the breach was on its end. “We investigated and found no evidence of a breach,” an Uber spokesperson said. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”

Last month, Uber said that as many as 50,000 of its drivers may have been affected after an internal Uber database was apparently breached by a third party in May 2014. In that incident, Uber did not discover the breach until September 2014, according to a company blog post by Uber managing counsel of data privacy Katherine Tassi on Feb. 27. The data accessed included the drivers’ names and driver’s license numbers, Tassi wrote.