Uber login credentials are apparently being sold on the dark web, reports Vice’s Motherboard.
The information is being advertised for sale on the black market AlphaBay, a website that can only be accessed through the Tor browser, an anonymity-preserving network used by political dissidents, privacy-minded Internet users and criminals.
One person using the alias “Courvoisier” claims to have “thousands” of “hacked accounts” for sale, each for as little as $1. Another, “ThinkingForward,” is offering individual account logins for $5 each.
“I will guarantee that they are valid and live ONLY,” ThinkForward wrote on the site. “Discounts on bulk purchases.”
Engaging in a bit of investigative reporting, Motherboard contributor Joseph Cox wrote:
Motherboard received a sample of names and passwords available and verified that at least some of the accounts were active by contacting those users. The data includes names, usernames, passwords, partial credit card data, and telephone numbers for Uber customers.
Those credentials can then easily be applied to retrieve a user’s trip history, discover other information like a user’s street address, or to fraudulently order a ride from the popular car service. It’s not yet clear how the credentials were stolen —whether hacked, leaked, snatched through a compromised third-party (use distinct passwords for your accounts, readers!) or some other means.
An Uber spokesperson, however, denied that the compromised accounts were the result of a breach at the company. A spokesperson provided the following statement to Fortune:
“We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”
Motherboard contacted three victims to validate the black marketeers claims. One man—James Allan, sales director for OISG, an IT services company—seems to have confirmed the authenticity of the allegedly stolen data, Motherboard reports.
“Bloody hell,” Allan said over the phone, when he was told what his password was.
He was “extremely surprised” by the revelation, he said. Allan also said that he doesn’t use the Internet much for financial transactions, preferring cash “for this very reason.”
Another remained anonymous but “was equally shocked,” according to Motherboard. (Although Motherboard did not reveal whether or not the login credentials worked, the person’s comment—“It’s terrifying that this information is out there. [It’s a] massive breach of privacy”—seems to suggest so.)
The third account holder contacted by the site did not immediately respond to requests for confirmation or comment, reports Motherboard.
The Uber spokesperson further maintained that the pilfered credentials have nothing to do with a data breach disclosed by the company last year, which involved driver names and driver’s license numbers.
News of the stolen login information comes as Uber has rolled out a series of initiatives to make riders feel safer—physically.