Tech

Lime Scooter Accounts Are Being Sold on the Dark Web

Using one of these accounts, it seems a customer wouldn’t need to pay Lime for using its scooters.
Lime scooters

On the dark web, there are plenty of people looking for a free ride. Or at least a very cheap one. A vendor on a dark web marketplace is advertising what they say are accounts for the scooter service Lime.

"This account is used free to locate rental scooters (with a random life)," a listing on a dark web market reads, referring to finding scooters that may be available to use. The vendor says they have accounts for both the European Union and the U.S.

Advertisement

"The accounts sold here are functional and verified. They are unique for sale. Once sold, the accounts are automatically deleted from my database," the advert continues. The listing offers one account for €13.

Lime, like a wealth of other companies entering this space, lets users quickly rent scooters across major cities. Motherboard recently reported how Los Angeles wants scooter companies like Lime, Bird, and Uber's JUMP to provide real-time location data of the scooters for city planning purposes, although activists have privacy concerns around the sharing of this data.

Armed with one of these accounts, it seems a customer wouldn't need to pay Lime for using its scooters. The vendor has some conditions over using the accounts.

lime-dark-web-listing

"Do not change anything on the account (email/password etc)," they write. "Do not share the account (s)."

A Lime spokesperson said in a statement, "While this is not caused by any Lime security vulnerability, this illegal and dangerous behavior is absolutely against Lime policy and will not be tolerated on the Lime platform. We strongly remind our users that sharing account access information with any third party is against our user agreement and can expose them to significant cybersecurity risk."

Lime added that it will be migrating iPhone users to Apple ID login in the future, and that the company does not allow people to use any password that has already appeared in HaveIBeenPwned's leaked password list. The HaveIBeenPwned database, maintained by security researcher Troy Hunt, contains email addresses, usernames, and plaintext and hashed passwords from data breaches.

Motherboard previously discovered Uber accounts for sale on the dark web in 2015. Hackers were able to access these by using previously compromised passwords from other services.

Subscribe to our cybersecurity podcast, CYBER.