Your Uber account may be open to anyone, anywhere, at any time. Hackers across the globe are buying and selling them every day for as little as $2.99.
The WUSA9 Special Assignment Unit got an inside look at the dark web -- accessible only through a specific browser -- where stolen Uber accounts are bought and sold every day.
Think of the internet as an iceberg. Most of us can only see the tip with search engines like Google and Yahoo. Beneath that is a part of the internet called the deep web. That's your email account and password protected sites.
The dark web thrives within the deep web.
Experts are quick to point out the dark web is an important channel for people operating in repressive nations. For example it’s a way for journalists to communicate with political dissidents and whistleblowers. However, lots of the activity there is illegal.
“It’s so similar to the real web,” said Kevin Lemmon, a cyber security expert at Distil Networks based in Arlington, Va. “That’s what’s gotten kind of scary about it.”
Lemmon showed how easy it was to buy a stolen Uber account on the dark web.
“First you need a browser,” he said. “So Tor is the most famous one.”
Tor stands for The Onion Router. The browser bounces IP addresses around the world hiding the user’s identity.
“It’s a way to go and to look at sites and no one is going to know who you are,” he said.
Lemmon showed reporter Whitney Wild a list of markets where venders sell illicit products such as heroin and stolen credit cards.
“He’s got 200 for sale,” Lemmon said, pointing out a profile hawking Uber accounts. “Each piece is going to cost you $2.99.”
The process to find stolen Uber accounts took less than five minutes.
“It’s pretty simple just to come here, if you want to buy one of these, go ahead and buy,” he said. “You have to enter your information and he’s going to transfer these stolen credentials to you.”
A quick search on Twitter shows people regularly reporting that someone on the other side of the globe has used their Uber account for a free ride.
Nilsu Goren is one person on a long list of victims.
“It was definitely annoying,” Nilsu said. “I felt really annoyed and frustrated.”
On a July morning when Nilsu Goren was preparing to exit her home in College Park Md., her phone told her she’d already taken a trip in Moscow.
“This is the very first thing that I see, that my Uber is on the way,” she said. Nilsu showed a snapshot of an Uber alert in Cyrillic script -the alphabet used in Eastern Europe.
Nilsu happens to study cyber security in the context of US- Russian military relations.
“The funny thing is when you work on an issue so much, I do, sometimes, dream of missile defense systems,” she said.
“So I’m thinking ‘What is wrong with me? Am I dreaming?’ And then I see multiple text messages from Uber saying this person has changed my email account, my phone number associated with that account.”
In Denver, investigative reporter Jeremy Jojola was hit.
“I was sleeping in the United States and all of a sudden at like 3 o’clock in the morning, I get this weird notification on my Uber app and it's in Russian,” Jojola said.
“At least thousands of accounts have been hacked and put on sale,” said Joseph Cox, a writer for the tech website, Motherboard. “I would probably say tens of thousands.”
Cox said he found Uber accounts for sale on the dark web for a dollar in 2015. He tracked down the owners of some of the stolen Uber accounts, and delivered the news they’d been hacked.
He said they were shocked.
“Probably a little embarrassed when I also explained to them that this was probably because [they] reused the password somewhere else,” Cox said.
Rami Essaid owns the company where our dark web guide, Kevin Lemmon, works.
“It is guaranteed that at least once a year one of your credentials will get leaked and stolen,” Essaid said.
His company, Distil Networks, builds barricades for companies like StubHub that protect against hackers. StubHub is like a castle. Distil Networks builds the castle wall.
“A lot of consumers use the same user name and passwords in a lot of different places,” he said. “The bad guys are able to find a number of accounts that work.”
Essaid explained hackers buy credentials in bulk, then program bots to conduct “credential stuffing.” That's when they cram stolen usernames and passwords into sites and applications until one opens. After that, the hacker has a credential he or she knows will work.
When users maintain the same password for multiple profiles, hackers have a key that unlocks a list of applications and profiles using that one password.
That means your important personal information is just a few keystrokes away on the dark web. The results could be catastrophic if a hacker taps into banking applications or sites containing social security numbers.
With Uber, the impact is minimized. An Uber spokeswoman, Melanie Ensign, told WUSA9, fraudulent trips comprise a small amount of reports.
“In cases where fraud is confirmed, Uber pays the driver and refunds the rider,” Ensign said.
Uber profiles don’t display full credit card numbers either -only the last four digits. So hackers are able to steal only a few free rides.
Back in Denver, this has taught Jeremy Jojola as much about himself as it did about hacking.
“I’ve come to realize that I’m a lazy moron myself, because I know that I should be using different passwords for every different social media account I use,” Jojola said. “But I got lazy.”
For Nilsu, the hack was just too creepy, so for now she’s off Uber, indefinitely.
“I’ve actually never been hacked in my life,” Nilsu said. “That’s why I never thought it would be at this personal level.”
Cox, Essaid and Ensign recommended the website www.haveibeenpwned.com to check if your credentials have been leaked.
By the way, the website is pronounced “Have I Been Powned,” if you’re inclined to say it out loud.