Thousands of stolen, active Uber accounts went on sale this weekend, for as low as $1 (£0.67) each.
The accounts went up on sale on the Tor hidden service AlphaBay and have forced the taxi company to investigate a possible breach.
One seller claims he has “thousands” of user logins for sale.
Purchasing one of the accounts will provide a username and password, which in at least some cases had not been changed, according to some victims.
Motherboard, which first reported on the sale, contacted Uber, whose representative said the company has found no evidence of a breach.
"We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services,” the company said.
On the other hand, one of the sellers, AKA Courvoisier, said “Hacked accounts buddy,” when asked where the passwords came from.
Motherboard also got in touch with one of the sellers, and got a sample of names and passwords available. It turns out at least some of those names provided were still active.
A username and password is all you need to access a user’s trip history, which may include personal details such as a home address. While full credit card information is not exposed, the last four digits and expiration date of the user’s card are viewable in a user’s account.