Uber accounts can be stolen, trail could lead to the dark web

An ABC7 I-Team Investigation
CHICAGO -- Your Uber account can be stolen, then used by a stranger anywhere in the world, and you have to deal with getting the bill reversed.

The I-Team responded to two consumers who say it happened to them and that their accounts may have been sold on the dark web.

"You don't think it will be you," Stacy Wimunc said.

Wimunc said she was relaxing on her Orland Park couch while someone else was using her Uber account 900 miles away.

"I logged onto my Uber app and saw that the charges were in Georgia," she said.

The same thing happened to Philip Kirschner of Naperville.

"Uber ride, Uber ride, Uber ride, and I said, I think someone got into my account," said Kirschner.

But the person using his Uber account wasn't even in the United States.

"London and the Netherlands," Kirschner said.

His account showed charges in British pounds.

It's unclear how their accounts were compromised, but the I-Team found online forums where people claim to sell Uber accounts.

"I saw the guy's name and took a screen shot of that and have the guy's name, email and phone number. And before I got a chance to get a hold of Uber, the guy changed my password, and I got locked out," Wimunc said.

Because they were locked out, they couldn't contact Uber through the app. In addition, Wimunc and Kirschner said they weren't able to get their accounts back by contacting Uber online, and the rideshare giant has no customer service phone number.

"They are not taking responsibility for what happened, and they are not fixing my account," Wimunc said.

William Caput, an "ethical" hacker and tech security expert, has an idea of how these accounts came to be compromised.

"Uber was breached about two years ago," Caput said. "And so hackers have access ... to accounts with usernames and passwords and they've been now selling them on the dark web. So you can go on the dark web and purchase verified working Uber accounts."

Caput said Uber could have done more in the wake of the hack.

"They should have forced a password change on every single user," he said.

However, Uber told the I-Team that "ongoing security monitoring has found no evidence that recent issues with individual accounts are related to the incident that occurred in 2016" and that the "2016 breach did NOT include a compromise of individual accounts."

But if we rewind to almost a year ago, Uber admitted to knowing about the hack for almost a year without notifying customers or drivers, and revealed that hackers were able to download the personal information of 57 million Uber users around the world, including names, email addresses and mobile phone numbers. But Uber said it had "assurances" that the downloaded data was destroyed.

Uber insists that hackers may breach other companies and then see if the stolen passwords work on Uber accounts. They added, "...this is why we designed our accounts with security in mind to protect the payment info and refund riders when unauthorized trips happen."

"I would like to see Uber become more accountable to their customers," Kirschner said.

Kirschner was given a $50 Uber credit. He and Wimunc were not held responsible for those fraudulent trips.

After the I-Team became involved, Uber helped both of them regain access to their accounts. However, both said they'll find a new way to get around.

"I had to change all of my passwords because they have my email, they have my name, they have my phone number," Wimunc said.

To prevent this from happening to you, experts say you should change your usernames and passwords regularly on all of your rideshare accounts. Do not reuse the same passwords across accounts.

Uber stressed that customers should not share their passwords and said customers can still contact its support team online if they have been locked out.
Copyright © 2021 WLS-TV. All Rights Reserved.