The mobile-app-based transportation company Uber has denied its servers were compromised after reports that thousands of customer log-in credentials are for sale online. At least two vendors in a so-called dark-net marketplace -- a hidden corner of the Internet accessible only via Tor anonymity software -- claim to have sold usernames and passwords for as little as $1 per combination going back to March 18.
Obtaining a username and password is all that’s necessary for a buyer to know where someone has traveled, when and how frequently. Partial credit-card and phone numbers are accessible through the data available to purchasers on the dark-net sites AlphaBay and ThinkingForward, Motherboard first reported. One Uber user confirmed to the technology-news site that the information for sale about his account had his correct username and password.
“Either someone at Uber has passed these details on for money or they have very lax security,” customer James Allan told Motherboard. “Criminal proceedings need to be processed, I’d expect. That’s what I would like to happen.”
Uber indicated it doesn’t feel the same way. “We investigated and found no evidence of a breach,” a company representative said in a statement cited by the Guardian Monday. “Attempting to fraudulently access or sell accounts is illegal, and we notified the authorities about this report.”
The taxi-hailing app company has been heavily criticized in the past over its data-storage policies. Last year, it was revealed the firm had a so-called god mode that made it possible for staff members to monitor customers via GPS information included within the Uber app.