TLDR: My Uber account was compromised, rides were requested, and the credit card associated with it was charged £60+. I am a heavy user of 1Password and believe that Uber is responsible for the breach. Stronger security features such as 2FA and account locking are welcome.
Yesterday, around 3PM UTC, I opened up the App Store on my iPhone 5 to check for app updates. I usually do this every other day or so, to get the chance to read the changelogs, which, as a developer myself, I find quite interesting. Uber was one of the apps with updates pending - the new version was 2.79.2 and, as usual, had no details apart from “This update improves the Uber experience across the globe”.
A few minutes after the update completed and I had put aside my iPhone, Uber notifications started arriving, telling me that “my driver was on his way”. My first thought was that it was a bug in the new version, and I ignored it, but a few moments later I received another notification that “he was arriving in 5 minutes”.
That second notification caught my attention. I reminded myself that some notifications are sent through Apple Push Notification Service, and that those from Uber probably didn’t originate from the app but from their servers. I opened up the app.
What I saw would probably frighten most people. It seemed to be possessed: the map zoomed in and out of London, the pickup and destination locations were constantly being redefined and rides being requested. Disturbed, the only thing I thought about was canceling those requests. After five or six battles with this evil British spirit, I surrendered.
I’m a deep admirer of Uber and, since its launch, wanted to have the service available in my home town: Belo Horizonte, Brazil. Luckily, it arrived in the first Brazilian batch in late 2014. I even had the chance to meet Michele, an Italian guy who embraced the need for change in how people get around cities that runs so deep at Uber, and who was responsible for launching the service here in Belo. He was open to sponsoring a Data Visualization class that I was mentoring back then, and over the last 6 months I recommended the service to dozens of friends in Belo, Rio and Brasília.
Just last Friday, in the company of a friend from Brasília, I requested a ride to pick us up from a gig - I wanted to show her how good it was. As soon as we entered the car, taxi drivers that were nearby rioted, kicking the vehicle and threatening the driver, demanding that we leave, which we unfortunately had to do. As these kinds of incidents have been going on for a while here in Brazil (and Uber is well aware of them), I managed to convince my friend that these unfortunate events are expected when a corrupt and rotten service such as taxis is disrupted. That’s how much I believe in the service.
Back to yesterday’s incident, I had to take action. The first thing I tried was removing the two credit cards I had from my account - but there must always be a valid one on the account, so no luck on that attempt. The next logical step would be to cancel and delete my account - but as a somewhat heavy user, I didn’t want my nice trip and review history to vanish. I settled on logging out from my account in the app and deleting it from my phone - Uber would live up to my expectations and to its potential and refund the charges and delete those messy trips.
Again, as a software developer, I knew that wouldn’t be sufficient. The app just serves as a canvas for actions that originate from Uber’s servers. The same way your ride appears when you reopen the app after making a legit request and closing it, it was showing me requests that had been made elsewhere. Sometimes I could even see car options that aren’t available in Brazil (we have only Uber Black here) - their servers were definitely receiving coordinates and actions from two different actors under the same account.
I kept a tab open in my browser with my Uber trip history, and as those piled up, I wrote an email to email@example.com, which you can read here. As the email about Friday’s incident hadn’t been answered yet, I decided also to translate it and post it to Uber’s Brazilian Facebook page.
A few hours later, I received a notification from my credit card company, a trip worth 58 pounds and 3 hours long had just been completed and successfully charged.
Around the same time, the Brazilian Uber team replied to my post on Facebook asking me to forward the message to a different support email, firstname.lastname@example.org, which I promptly did. I decided to wait 48 hours for a reply and refund from Uber before opening a dispute for the charges with my credit card company. An extra £5 worth of requests was made yesterday after these events.
At this point I should say that I’m a heavy user of 1Password. For those who don’t know it, it’s a password manager that generates and stores passwords for you, so that you only need to remember one password. My Uber account is connected to Facebook, and my credentials there have a random password generated with my usual recipe of 22 characters, mixed case, four numbers and four digits. Two-factor authentication is also enabled. If I had ever set a password for Uber, it would have been no exception, but I believe I didn’t, as there were no credentials in 1Password.
I went to bed thinking about what could have gone wrong at Uber. My friends that received the update were unaffected, and a quick search on Twitter didn’t show other affected users. It was something related to my account. It could have been breached, or a random bug in how they partition databases might have affected some accounts, routing one user’s requests to another’s - who knows.
Just this morning I received a reply back from email@example.com, which you can read here. Paulo basically says that my account had been compromised, that someone accessed it and that I should reset my password. They did investigate further and “found no evidence of a system-wide breach at Uber”. I went ahead and requested a password reset, waited around 15 minutes, no email arrived, requested a new one, and still nothing. I replied back to Paulo, telling him that I had tried to reset my password without success, and that after my original email two other charges had arrived and that those should be refunded.
After a few minutes the reset password emails arrived (9:22 and 9:27am UTC-3) and I entered a new randomly generated password. Paulo also quickly replied back, telling me that the two charges were refunded and asking about the reset links. I responded, telling him that I managed to reset my password and drawing his attention to the fact that if my account was indeed hacked, probably Uber was hacked as well.
A search on Google shows that I am not the only one; most of the affected users also saw random rides being requested in London. Uber didn’t publicly admit a breach on their end. I’m a fan of their service and their core values, but as a person who takes care of his passwords quite well, I believe more attention should be drawn to this matter and effort spent on their side of the investigation.
In the meantime, it would be nice to see stronger security measures:
- Two factor authentication;
- SMS/email confirmation when using the service for the first time in a different country;
- Ability to lock the account for a few days through the Web UI.