Uber is off to a rocky start in China. The company threatened to punish any of its drivers that took part in protests against the taxi app, and a large number of trips in the country are false trips concocted by drivers looking to make some easy yuan on Uber's dime.
Now, it looks like Chinese fraudsters are using hacked Uber accounts to take free trips.
“@Uber I had a great ride in China this morning! Except, weird, I wasn't in China this morning,” Twitter user Kirby Bittner wrote two days ago, who also added the hashtag “#UberAccountHacked.” “@Uber_Support my account got hacked and used in China. What do I do?” Valerie Bolanos claimed yesterday. And then just today, Jess wrote on Twitter “I have emailed @Uber_Support to complain about a hack and a charge from China and no one has yet to follow up.” The tweets were shown by ‘Just Aguy’, a poster on the UberPeople.net forum.
Back in May, thousands of Uber accounts were for sale on the dark web, for as little as $1 each. Since then, victims have appeared in Europe and the United States. In August, the price of hacked accounts dropped to just 40 cents. Those accounts were accessed by hackers because Uber customers had used the same password in their taxi app as one for another service. In response, Uber said it was experimenting with two-factor authentication.
However, with all that being said, it is not clear whether these recent fraudulent trips coming from China are connected to hacked accounts being sold on the dark web. It's possible they've been acquired and are being sold in a different manner. It was previously reported that sites such as Taobao have been selling access to fully functioning Uber driver accounts, perhaps to avoid Uber's registration procedure.
"Our security teams are laser focused on protecting the integrity of our community's Uber accounts," Uber said in a statement by email. "We use technical measures to detect any issues and are always enhancing the measures we deploy to protect our users' accounts. We also encourage all of our users to choose unique usernames and strong passwords and to avoid reusing the same credentials across multiple sites and services."