News that hackers accessed the personal data of 57 million Uber accounts has consumers asking themselves a question that’s beginning to feel all too familiar: Am I vulnerable and how do I find out?
Unfortunately, finding the answer isn’t as easy as it was with other major hacks.
Uber, which paid hackers $100,000 to hide the 2016 breach from customers, is still seemingly playing defense. The company maintains that individual riders don’t need to take any action since Uber has “seen no evidence of fraud or misuse tied to the incident.” In a blog post discussing the incident, the company did not indicate that it will contact customers whose accounts were compromised, which is the typical procedure in such breaches. Instead, Uber says it is monitoring affected accounts and has flagged them for additional fraud protection. (Fortune has reached out to Uber for comment and will update this post if the company responds.)
The thing is: It’s not that simple.
Even ‘mundane’ data breaches can be significant, since the personal information included in most accounts can be used to engineer everything from identity theft to phishing operations.
“Uber needs to force a password reset and warn affected users to be on the alert for fake notices from Uber requesting personal info from users, as hackers will do that,” says Hemu Nigam, founder of internet security consultancy SSP Blue and former VP of internet enforcement at the Motion Picture Association of America. “Users also need to be extra vigilant when getting steeply discounted deals during the holidays as hackers tend to sell stolen info to criminal spammers in the dark net.”
There’s also the reputational damage Uber now faces—which comes not long after co-founder Travis Kalanick resigned as the company’s chief executive after facing multiple controversies from sexual harassment allegations to legal disputes with rival firms and regulators.
According to Bloomberg, Uber’s breach occurred in 2016 when hackers noticed Uber developers had published code that included their usernames and passwords on a private account of the software repository GitHub. The hack and resulting cover-up resulted in the ouster of chief security officer Joe Sullivan and another executive.
What to do if you think you were affected
Since Uber is apparently unwilling to let individual customers know whether they were affected by the breach at this point, it’s not a bad idea to assume you were. And, as a precaution, there are a few steps worth taking.
First, and stop us if you’ve heard this before, it’s time to change your passwords—again. Don’t reuse old ones or ones you use on other sites. Try something new.
Once that’s done, check your accounts for fraudulent activity. Most Americans don’t keep close tabs on their checking and savings balances and don’t examine every item on their credit card bill—and hackers count on that. While Uber says outside forensic experts “have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” the fact that it took such efforts to cover up the hacks should make you skeptical.
Next, set up credit monitoring to ensure no one is using your personal information. It’s the lowest level of defense, but it’s better than nothing.
Finally, if you’ve been hacked recently or feel like your luck is running thin given all the recent incidents, consider a credit freeze, which prevents new credit from being issued without your direct permission.