Where there’s a data breach, there’s ample opportunity for scammers, even if they don’t have access to the reams of stolen accounts.
On Tuesday Bloomberg reported that ride-sharing giant Uber covered up a 2016 breach of 57 million accounts, including names, email addresses and phone numbers of 50 million riders. Now, hackers are capitalizing on that news by sending potential Uber users specially crafted emails designed to steal their password.
“Our deepest apologies,” reads an apparent phishing email, posted by IT trainer and consultant Dale Meredith to Twitter on Wednesday.
Meredith told The Daily Beast the email was a demonstration of what phishing messages related to the Uber breach might look like, but a number of people have reported the same sort of emails in the wild.
“You may have heard that Uber was compromised last year. We are sorry to inform you that your information was, unfortunately, confirmed to be part of the breach. Please click below to confirm you’ve received this message and change your password,” the email continues, complete with fairly convincing Uber branding spread throughout the message. The email itself comes from “firstname.lastname@example.org,” according to Meredith’s screenshot, mimicking the style of automated alert emails.
The phishing email even gives some half-decent security advice, presumably in an attempt to appear authentic: “As a security precaution, you’ll want to change your passwords on all other online accounts you utilize, to prevent any further damage,” it adds.
One part of the message may immediately ring some alarm bells though: Uber is apparently teaming up with its main rival Lyft, and offering affected customers $50 worth of Lyft credit.
Regardless, several other Twitter users have reported receiving similar emails.
“Just received an email from what is claiming to be Uber Canada apologizing for security breach and offering $50 credit to Lyft. Quite confident this is a phishing scam as it asks for password change,” one user apparently from Toronto tweeted on Wednesday.
“I just got a phishing email from an email posing as Uber! Be careful!” Michelle Zilio, a reporter from The Globe and Mail, tweeted.
As Bloomberg reported, Uber paid the hackers $100,000 to delete the stolen data. The New York Times reported that Uber, after tracking down the hackers, pushed them to sign nondisclosure agreements. New York Attorney General Eric Schneiderman has opened an investigation into the incident.
Hackers who successfully obtain an Uber customer’s password could do several things. They might decide to take a load of expensive trips on the victim’s account—hacked Uber accounts have been used in China, Europe, the U.S. and elsewhere. Or, the hacker could sell the stolen details on the established, underground market of Uber accounts.
As Motherboard first reported back in 2015, Uber accounts are available on the dark web for as little as $1 each. Hackers even penned guides on how to more effectively use the accounts without getting caught, and, after a slew of other vendors entered the trade, the price of Uber details crashed to just 40 cents.
Of course, without access to the database of 50 million customers, scammers still need to work out who actually has an Uber account so that their phishing emails reach the right people. It is not clear how the scammers behind these recent emails determined that, but The Daily Beast confirmed that trying to sign up to Uber with an email address that is already in use produces a telling error message, in effect an account-enumeration oracle. Attackers could theoretically grind through lists of emails exposed in previous data breaches and check which ones are linked to an Uber account, and off-the-shelf account-checking software, configured per website or service, automates much of that process. That said, the hackers may also just be blasting their phishing emails out randomly and broadly, hoping that some passwords come back.
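To make the enumeration oracle concrete, here is an added example (not code from the article, from Uber, or from any real service) of a hypothetical signup handler in two forms: a leaky one that answers differently for registered and unregistered addresses, and a uniform one that returns the same status and body either way and moves the distinguishing information into the email the user receives. The registered addresses and the "breach list" are constructed for the example; the attacker-side routine replays the probe against each address and buckets the responses, which is essentially what the account-checking tools the text mentions do.

```python
"""Account-enumeration oracle in a signup flow: leaky vs. uniform responses.

Added example with constructed data; nothing here contacts a real service.
"""
from dataclasses import dataclass

# Constructed: addresses already registered with the hypothetical service.
REGISTERED = {"alice@example.com", "carol@example.com"}

# Constructed: a list an attacker might pull from an older breach dump.
BREACH_LIST = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "dave@example.com",
]


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def signup_leaky(email: str) -> Response:
    """Vulnerable form: the response itself says whether the address is taken."""
    if email in REGISTERED:
        return Response(409, "An account with this email already exists.")
    return Response(200, "Check your inbox to confirm your account.")


def signup_uniform(email: str, outbox: list) -> Response:
    """Hardened form: identical status and body for both cases.

    The registered/unregistered distinction is only delivered to the mailbox
    that owns the address (simulated here by appending to `outbox`), so an
    attacker probing the endpoint learns nothing from the HTTP response.
    """
    if email in REGISTERED:
        outbox.append((email, "You already have an account; use password reset if needed."))
    else:
        outbox.append((email, "Confirm your new account."))
    return Response(200, "If this address can be registered, we have sent you an email.")


def enumerate_accounts(probe, candidates):
    """Attacker side: probe each address and bucket responses by (status, body).

    If the endpoint is an oracle, the buckets split and the conflict/error
    bucket (heuristic: highest status code) is the set of registered
    addresses. If every response is identical, return an empty set: the
    endpoint gave nothing away.
    """
    buckets = {}
    for email in candidates:
        r = probe(email)
        buckets.setdefault((r.status, r.body), []).append(email)
    if len(buckets) < 2:
        return set()
    _, emails = max(buckets.items(), key=lambda kv: kv[0][0])
    return set(emails)


def demo():
    """Run the attacker routine against both handlers and return both results."""
    leaked = enumerate_accounts(signup_leaky, BREACH_LIST)
    hidden = enumerate_accounts(lambda e: signup_uniform(e, []), BREACH_LIST)
    return leaked, hidden


if __name__ == "__main__":
    leaked, hidden = demo()
    print("leaky endpoint reveals:", sorted(leaked))
    print("uniform endpoint reveals:", sorted(hidden))
```

A uniform response body is necessary but not sufficient: password-reset and login endpoints leak the same bit if they answer differently, and so do measurable timing differences (for instance, hashing a password only when the account exists). Rate limiting and monitoring for bursts of signup attempts across many distinct addresses are the operational complement to the code-level fix.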
Uber has not directly informed individual customers of whether they were impacted by the data breach. If this phishing email is the first a victim sees, it’s easy to imagine at least some people inadvertently handing their password over to hackers.
“These emails aren’t from Uber,” company spokesperson Melanie Ensign told The Daily Beast. “We have multi-factor on by default for riders & drivers, but as always, you see anything suspicious on your account, you can contact us via the help center in the app or help.uber.com.”
Update: This piece has been updated to clarify that Meredith's tweet was demonstrating what a related phishing email might look like.