Earlier this year, Motherboard reported that stolen Uber accounts were being sold on the dark web. After it emerged that the accounts were accessed because of password reuse, Uber experimented with tightening its security using two-factor authentication.
But hacked accounts are still being sold and are now being offered cheaper than ever, with one vendor selling the usernames and passwords of Uber users for just 40 cents each—less than half the price we previously found account details listed for.
"[High quality] uber accounts from random country's, all of them have [credit card information] attached 100%," one listing on dark web market AlphaBay reads. Customers can choose to buy an account that has either a credit card or PayPal linked to it. The idea is that, with this information, they could take Uber trips and charge them to someone else's account.
At the moment, six different vendors are continuing to sell Uber accounts on AlphaBay. They have collectively sold over 6,100 accounts, according to an automatic tally on each item listing. This should be treated as a lower limit, however, because many vendors who previously sold Uber accounts appear to no longer be doing so.
Screenshot of one of the listings
But for some reason, Uber accounts have crashed in price, with listings asking for 40 or 50 cents. Originally, accounts were sold for $1, and while some listings still advertise around this price, they often include discounted bundles of 50 or 100 accounts.
Two vendors who sell Uber accounts did not immediately respond to a request for comment.
An Uber spokesperson said that Uber had "made some changes to the app which have dramatically decreased the ability for criminals to fraudulently access accounts. This includes, but is not limited to, further account verification requirements."
Uber has been exploring options for better account security since at least June, although no specifics were released.
However, on one of the listings for hacked accounts, a vendor writes, "I will not accept any refund/replace if uber asks about any verification." It appears that some of Uber's efforts may be working to make it harder for people to abuse stolen account information.
The spokesperson added that "Uber has taken this issue very seriously and has refunded anyone who was affected. We would still like to remind our users to use a unique password for their Uber account."