Uber suspected user information leaked, online black market low price sale

According to Science and technology website Motherboard said, many effective Uber account information is openly put on the online black market for sale, each account price is only 1 U.S. dollars.

One seller said he had thousands of Uber account information.

The user's travel record can be accessed as long as the username and password are obtained, including personal details such as home address. Although it is not possible to get all of the user's credit card information through these username and password, you can see the last 4 digits of the user's credit card number and the expiration date of the credit card.

On the recently emerging black market Alphabay, a seller named Coissier Courvoisier a series of "X1 Uber account-Global taxis!" "Goods. As long as it costs 1 dollars, anyone can buy a username and password for an Uber account anonymously.

Another seller, named "Thinkingforward", also assumed a similar product, but asked for $5 for each Uber account. "I guarantee that these accounts are effective and active," Thinkingforward wrote in the product introduction. If you buy a large quantity, you can also enjoy a discount. ”

Once you buy a Uber account, it's easy to call a car, according to Coissier.

He wrote in letters: "Log on to the Uber mobile site on the phone to call the car." ”

Uber company representatives said the company has not found signs of hacking.

Motherboard got several sample accounts and verified that at least some of the accounts were active. The data in the account includes the customer's name, username, password, part number and phone number of the credit card.

Motherboard tried to contact one of the users, and his email address and password were put on the black market website for sale. This user is James Allen James Allan, Sales Director of Technology Solutions OISG.

Allen confirmed that Motherboard saw the username and password and the validity information of his personal credit card was correct. He has not used Uber, and he recently called the car through the Uber service is December 2013.

After hearing his password on the phone, Allen's immediate reaction was: "My mother!" He said he was surprised to hear that his account information was being sold on a black market website. Allen also says he rarely makes financial transactions on the Internet, and prefers to trade in cash.

"Either someone inside the Uber has sold the privacy information or their security measures have been lax," Allen said. I think it's going to start the criminal prosecution, and I want to see something like this happen. ”

Another Uber user, who declined to be named, was shocked. He said: "This information has been leaked out, this is terrible, this is entirely a mass disclosure of privacy information accident." ”

It is not clear where the data came from or how big the leaks were. Although Uber says it has not found any signs of hacking, the login data for these accounts may prove that Uber's security system must have been compromised by hackers. This may also mean that these users were hacked by other means by hackers, who obtained their certificates and put them on the internet for sale.

When Motherboard asked where Coisietta's account was obtained, his answer was short: "Black." ”

"I have thousands of Uber accounts," he added. ”

"We are investigating the matter and there is no comment," a spokesman for the Uber said in a statement. We use the latest technology to deter, detect and investigate fraudulent practices. It should be noted that attempts to engage in this form of fraud are also illegal and that, once proven to be true, we will take appropriate measures, including informing the relevant government authorities of their involvement. ”

After the article was published, Uber issued an updated statement: "We have conducted an investigation and found no evidence of the invasion." Attempts to fraudulently access or sell accounts are illegal, and we have notified the authorities concerned. This is a good opportunity to remind people to use a higher security username and password, and not to reuse the same certificate on multiple sites and services. ”

It is worth remembering that the sale of these data will result in many undesirable consequences, and it affects more than just one Uber account. If someone uses the same email and password to sign up for other services such as ebay, a smart hacker might even steal the account information that the user has on other services.

In fact, that's what Alan did. "I used to use the same password on Amazon," he said. As I said earlier, I don't believe in the security of using financial details on the web. ”

As of this article, Thingkingforward only sold a small number of accounts. Only one by one comments were left by a delighted customer.

At the same time, Coissier sold more than 100 Uber account information, and received a lot of praise.

The comments from the customer above are: "Available, perfect." "The comments left by another user are:" Quick delivery. ”

This is not the first time Uber suffered a data leakage accident. Detailed personal information about 50,000 drivers has now been leaked. In September 2014, Uber said, one of the company's databases might have been accessed by a third party. But in the invasion, only the driver's name and license was stolen.

The point of contention now is that Uber is said to have dropped the key to the user data database on a page that anyone on the GitHub site can publicly access.

In another incident, Uber accidentally disclosed part of its internal lost and found database to the open Internet.

On the Internet, people are likely to buy a variety of digital goods, such as credit card number, PayPal account and Uber account login information, and these digital goods are not expensive shouting price, the unit price of about a few dollars. This is the latest model for easy buying of stolen data.