ArsTechnica has discovered that two vendors on a marketplace in the underground are offering active Uber credential.
During the weekend the vendors “Courvoisier” “ThinkingForward” are claiming to sell valid Uber logins respectively for $1 and 5$ each on the AlphaBay Market. The AlphaBay Market is a relatively new black marketplace, it was launched in late 2014.
“The credentials provided will be a valid login for the Uber website for which you can use to order phones from completely free. (You can find the guide in our store if you’re unaware on the how-to).” Wrote Courvoisier.
The vendor ThinkingForward, which is offering the Uber login for $5, guarantees that they are valid credentials.
“I will guarantee that they are valid and live ONLY. Discounts on bulk purchases,” ThinkingForward writes on his product listing.“It’s terrifying that this information is out there. [It’s a] massive breach of privacy.”
I have searched for the Uber credential in the Tor MarketPlace, it seems that the vendor has sold more that one hundred logins.
Ars have tried to contact the sellers without success, meanwhile Motherboard contacted once vendor that claimed to have “thousands” login for sale and was also open to a “try and buy” option. Motherboard also reached one of the Uber users impacted by the alleged data breach as reported below discovering that the login are original.
“Motherboard reached out to one of the users whose email address and password was put up for sale: James Allan, sales director for OISG, a technology solutions company.
Allan confirmed that the username and password Motherboard had seen were correct, as well as the expiry date on his personal credit card. He doesn’t actually use Uber anymore, and the last trip he booked was in December 2013.
“Bloody hell,” Allan said over the phone, when he was told what his password was.
He was “extremely surprised” by the revelation, he said. Allan also said that he doesn’t use the internet much for financial transactions, preferring cash “for this very reason.” states Motherboard.
Uber spokeswoman Trina Smith contacted Ars to confirm that the company did not find evidence of a data breach.
“Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report,” Smith wrote. “This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”
In February the giant Uber announced a data breach that resulted in unauthorized access to the driver partner license numbers of roughly 50,000 of its drivers, anyway the news reported by Ars seems to be not linked to the previous incident according Uber.
Uber is currently investigating the origin of login, at the time I’m writing it is unclear where the data came from and how many users were impacted.
(Security Affairs – Uber, cybercrime)