It has been over a week since Motherboard revealed that active Uber accounts are for sale on the dark web. Since then, a wave of customers have complained of fraudulent trips being charged to their credit cards, even as recently as today.
In an attempt to discover the root of the problem, Motherboard has received a guide on how to use these accounts.
The step-by-step tutorial is sold by Courvoisier, one of the vendors who originally advertised the hacked Uber accounts.
"The target audience for this guide is those who are inexperienced with how to use the Uber accounts which are provided in our store," the guide begins. "Follow these simple steps and you'll be travelling in no time :)."
He or she instructs users to log into their purchased account through their mobile phone's browser, rather than the app. Courvoisier also suggests that you memorise the name of the owner of the hacked account, in case the Uber driver asks for it.
Courvoisier points out it is possible to order a cab even when the location services function of your phone is switched off. "If your location services are NOT enabled, then you should enter your pickup location (postal / zip code or address) and then proceed to book your car," Courvoisier writes.
But in sum, it really is as simple as logging in and booking the cab. "Once your Uber is booked, simply wait for the car to arrive and enjoy your pennyless journey :)."
When Motherboard first reported on the hacked accounts, two vendors were selling them: Courvoisier and ThinkingForward. Courvoisier is now charging $1.85, while ThinkingForward has introduced a "buy 1 get 1 free" scheme on his $5 accounts. A third vendor, "stackcash," is now also selling accounts for $2 each.
But it appears that even more people are selling them, with some doing so in bulk.
"Manzer" is selling hacked Uber accounts in quantities of 20 for $16.50, 50 for $32, or 100 for $54.
"nucleoide," meanwhile, has created a custom listing for "10,000 Uber Users email" to be sold at once. A custom listing is made specifically for a particular user's order. Presumably the user it is addressed to, in this case someone who calls himself "Jhodes," asked for a pack of accounts this size.
Uber did not immediately respond to a request for comment. However, when Motherboard last reported on the accounts, a spokesperson said that "We investigated this report and found no evidence of a breach on Uber systems. We've turned this over to the authorities and we will work with them as needed."
At the moment, Uber has not made any sort of official announcement about the hacked accounts. If it were to do so and advise its customers to change the passwords on their accounts, the fraudulent activity would likely decrease.
Update: Uber sent a statement. "We have no further details at this point—this is now in the hands of the authorities. I want to stress—we conducted a thorough investigation of this report and found no evidence of a breach on Uber systems. If customers experience charges on their account, they should contact customer support as soon as possible at: help.uber.com. Also, as a reminder—this is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services."
Correction: An earlier version of this story said that the user "nucleoide" was advertising hacked accounts; it's actually unclear if the listing is for hacked accounts with passwords or just Uber users' email addresses.