I was sitting on the floor of the San Diego Convention Center a few weeks ago when my phone got a strange notification - "Your Uber is arriving". Since I did not order one, I picked up my phone to get more information. The Uber was arriving in downtown Toronto. Again, I'm in San Diego. This spells trouble.
Turns out my Uber account had been hacked. I was already in my app so I quickly attempted to change my password. Too late. The hacker added his email to the account and changed the password before I could.
What's At Stake?
At first I did not think this was a big deal. I mean how many Uber rides can you really take? The account is set to my personal funds, but I had switched it to my Stamm credit card while in San Diego for work for Stamm Media. I contacted Uber Support both on twitter and via their support page indicating my account had been hacked.
The main problem was this hacker knew what he/she was doing. They didn't take me off the account, just added their email as the primary. This meant I couldn't log into my account using my email since it was tied to an existing account. I tried to sign in using my phone number and it said there was no Uber account associated with that number (since the hacker was using their own phone number). Any 'Forgot Password' and trip receipt emails would be sent to the hacker's email as well.
When Did I Get It Back?
Approximately 6 hours after I reported it, my account was back in my hands. Uber Support was great once they understood what was happening (the situation was difficult to explain without knowing about the hacker switching primary emails but leaving my email still listed).
After verifying via screenshots that the account was my own, I got a manual password reset sent to me. My account wasn't just used in Toronto either. It was passed around from Toronto to New York City to Los Angeles back up to upstate New York and finally back to Toronto. Turns out this is a pretty common practice.
What Was The Damage?
Once I updated my security settings, I got the barrage of Uber charge emails. There weren't many Uber trips taken, but Uber EATS was used a lot. The food must have been incredible. Total damage was about $400 for just over 6 hours! Uber promptly issued refunds. I was lucky that I caught this immediately and it still took 6 hours to get back in control. If I had not seen that notification at the time, hackers could have racked up thousands of dollars without my knowledge.
In addition, they knew my personal email account and a password I've used repeatedly in the past. Again luckily, I wasn't using the same password for Uber and my email.
How Can You Protect Yourself?
Passwords, passwords, passwords. You have to consistently update them! I've been one of the few who didn't totally buy into that. My Uber password was a fairly simple combo of numbers and letters and went unchanged for 2 years. If I had had the same password for my email, I'm not sure how bad the total damage would have been to my other linked accounts. The hackers also could have used my email to set up attacks on my friends, family and other contacts.
I used this mishap adventure as a jumping off point to revamp all the security settings in my life. I started using a password manager called Dashlane (FYI not being paid to mention them, but I'm willing to be paid if they offer). All I have to remember is one master password and they encrypt the rest.
Again, I was fortunate that the damage was limited in this situation. Others might not be so lucky. If you are interested in learning more about updating your security (or just hearing more about my Uber screw up) consider joining us and Dave Stamm at our IT Security breakfast presentation on 6/20! Click here to register.