Reports of Uber customers saying that they are being charged for rides that they did not take are beginning to surface in the United States (previous reports have been international).
In at least some cases, Uber is refunding the cost if people contact them.
Uber continues to claim that they cannot find any evidence of a breach.
The one customer quoted in the article says that the password that was used in her Uber apps was one she used elsewhere, so it is possible that another site where she used the same password was the problem.
It also appears (at least on my phone) that the app remains logged in – in fact I don’t SEE a logout button, but I may not be looking in the right place – so if the phone is compromised, then that could be the source of the fraud.
The Uber userids are for sale on the black market (dark web) for as low as a dollar apiece.
Uber pointed out the obvious and said that selling other people’s Uber userids is illegal. Point made. And they are going to tell the cops. Okay.
If we assume this problem originates in an Eastern European country, which seems likely, the police will not be able to do much about it.
So, if you are an Uber user, watch your credit card charges, do not reuse your Uber password elsewhere, use a strong password (the person in the article did not say if her password was the most popular one – 1223456 – or something more secure), and generally practice good mobile device security hygiene.
Sorry, no easy answers here.