Portland, Ore. — Jonathan Woolworth took one epic Uber ride. He traveled 83 miles from Boston, Massachusetts to Storrs, Connecticut. The ride cost him $140.92.
Just one problem: Jonathan Woolworth was sitting at his desk in Portland, Oregon.
His Uber account had been hacked.
“I looked at my phone and was like, Boston to Connecticut? Ah, haven’t been there in a while,” said Woolworth.
The Portland man’s case helps illustrate how cybercriminals are hijacking Uber accounts to take free rides, or “ghost rides.”
“I’ve had personal information stolen before but I was never freaked out like this,” said Woolworth. “It was on my phone.”
A KGW investigation found stolen Uber accounts and passwords for sale on the online black market.
One seller offered hacked Uber accounts for $6.99 each.
Other sellers offered stolen passwords for Netflix, HBO GO and other subscription-based services. “Fast deliver, no problems,” read one review.
“If there is a customer willing to pay for it, then there’s going to be a market for it,” explained technology security researcher Ken Westin.
It’s unlikely the stolen account information came from a massive data breach at Uber, explained Westin. Instead, cybercriminals likely harvested the stolen information from phishing attacks.
Crooks will send a password reset link by email or text, fooling customers into sharing sensitive information.
If the bad guy gets access to one account, they can sometimes hack into many more.
“Always assume that you are going to be breached. One account is going to be breached at any given time,” said Westin. “You can reduce that risk by having separate passwords for each one of those websites or services.”
Woolworth recalled receiving a realistic-looking notification from Uber just before his account was hacked. It asked him to reset his account information.
“It had the little Uber icon and it said, ‘Uber needs you to update your personal information.’ I was like, okay, no big deal,” said Woolworth.
After he realized his account was hacked, Woolworth emailed Uber.
One of the perks of Uber – not having to deal with a real person – was problematic for Woolworth. He couldn’t reach a real human being; instead, he had to file a complaint through email.
“They really didn’t understand the human interaction or the human frustration,” said Woolworth.
Uber said it appropriately handled the situation.
“We responded to him and refunded the trip the same day. We also helped him reset his password and secure his account,” said Uber spokesperson Melanie Ensign in an email to KGW.
To avoid having your accounts hacked, here are a few tips:
1. Use a different password for every account.
2. Change your password at least once a year.
3. Watch out for requests to reset passwords. Typically, they’re bogus.
4. Monitor your accounts and report any suspicious activity.
Published Nov. 7, 2016