A username and password is all you need to access a user’s trip history, which may include personal details such as a home address. While full credit card information is not exposed, the last four digits and expiration date of the user’s card are viewable in a user’s account.
Motherboard received a sample of names and passwords available and verified that at least some of the accounts were active by contacting those users. The data includes names, usernames, passwords, partial credit card data, and telephone numbers for Uber customers. […]
“Work[s] perfect,” was the feedback left by one customer; “speedy delivery” was from another. […]
It’s unclear where the data came from or the scale of the breach. These logins may indicate that Uber’s security was hacked or compromised somehow, although the company says it has found no evidence of a breach. […]
This isn’t the first time that Uber has had data leak in some form. As many as 50,000 of its drivers may have had personal details exposed. Uber said that in September 2014 one of the company databases “could potentially have been accessed by a third party,” according to Slate, and Uber said that only the drivers’ names and license plates could have been accessed in that breach. The twist is that Uber reportedly left the key for that database on a publicly accessible page on GitHub.
In another incident, Uber accidentally left part of its internal lost and found database — which included driver and customer names and some numbers — public on the open internet.
- Used to be the Free Market took care of this sort of thing…wait! looking around Kansas City, it already has.
- Even though Uber denies the breach originated with them (all their fingers and legs crossed in the idiotic hope we’ll believe a street bum just found the relevant UID/PWD combo pairs by breaching another wide-open site), that’s a fucking man-in-the-middle too far, n’est-ce pas? More likely is an insider, the prototypical disgruntled employee who either outright stole (or allowed to be stolen, e.g. Sony) the data. Or…it could be something as stupid as a MITM SSL proxy, whereby everything is plain texted. Either way…it came from Uber.