A few days ago, Darren Burn made a rather concerning discovery about his Uber account.
Wait, looks like my @Uber_LDN account has been hacked? Fake email and not my mobile in my app. Wtf?
Burn, the founder of OutOfOffice.com, subsequently found that someone was using his account to make journeys.
So someone has fraudulently used my @Uber_LDN account to the tune of £238.86. To say I'm fuming is an understatement.
He couldn't work out what was going on.
The fraudulent journeys kept racking up.
After making several complaints, Burn received a response from Uber, which he has shown to BuzzFeed News.
It said: "It looks like someone has accessed your account illegitimately. We believe that your email account may have been hacked as access was gained to your account by sending a password reset link to your email." The company sent him a new password and advised him to reset his email password. The company had also asked him on Twitter if he was perhaps logged in on a friend's phone because "they could be using it accidentally".
However, Burn told BuzzFeed News that he didn't find the company's explanation plausible – he wasn't logged in on a friend's phone and his email password hadn't changed.
And as he pointed out, it seemed to tie in with a story that was being reported at the time.
So @Uber_LDN are denying knowing about a security breach but I'm first hand evidence. Whole account hacked. http://t.co/Q1jf4MF7Yt
The story, which appeared on Vice Motherboard on 27 March, alleged that active Uber accounts, which the vendor claimed to have obtained through hacking, were being sold on the dark web for $1 a time.
The site reported:
Over on AlphaBay market, a recently launched dark web site, vendor Courvoisier has a listing for 'x1 UBER ACCOUNT - WORLDWIDE TAXI!' For the meager sum of $1, anyone can anonymously purchase an Uber username and password.
Another vendor, ThinkingForward, has a similar offer, but for $5. "I will guarantee that they are valid and live ONLY. Discounts on bulk purchases," ThinkingForward writes on his product listing
Motherboard said it obtained some hacked accounts and confirmed they did indeed belong to real individuals, who were surprised to hear their passwords being read out to them. Uber, for its part, told the website it had found "no evidence" of a breach.
BuzzFeed News has now been contacted by Ross Nichols, a Marketing and Business Development Director for Clarity PR.
He told us that he "had about £1,140 in random trips used on my Uber account and only spotted it a couple of days ago. The trips took place over about a week period, and i've reported it to my bank, Barclays."
He added that he'd contacted Uber support on Twitter "but hadn't heard a peep."
Nichols was only able to provide screengrabs of his bank account.
He said the reason was that, about two weeks ago, his app "started ordering cabs without me even touching the phone. So I cancelled the random trip, then another trip got booked immediately afterwards."
He told us he tried repeatedly logging in and out, but it kept happening. Then he didn't use the app for a week – when he went back to it, it didn't recognise his email or password, so he had to create a new account from scratch.
He added: "I actually still think it's a good service, despite the hack. Anyone can get hacked... I'm just angry they haven't even responded to my tweets, and there's no customer support email that I could find, or any sort of form on the site to fill in.
These two men do not seem to be alone.
On Monday the BBC reported that it had been contacted by a London-based user who said "someone else was booking rides in New York using his account without his permission, and had clocked up a $556 bill."
BBC Technology correspondent Rory Cellan-Jones said two people had contacted him about their accounts being hacked.
Contacted by two people whose @Uber accounts were hacked in last few days and lost money - Uber says "no breach - isolated incidents"
The next day the Evening Standard reported that a man had been "hit with a £3,000 cab bill for 142 journeys"
According to the paper: "An average of 10 rides had been made every day - but Mr Crossley claims he received no alerts as the hackers had changed his contact details too."
And there are many more complaints visible on Twitter, which BuzzFeed News has not yet been able to verify.
@Uber_Support My account has been hacked, racked up £380+ in fares in two days. I can't even reset my password.No phone number... HELP
@dazburn Only £250? You are one of the lucky ones. 🙈 #UberFraud #Ubered #Uberscam #DeleteUber #StaySafe 🙏
@Uber_Support my account has been hacked on Friday and I've sent several emails to you support London email and no one bothers to reply.
In response to these online complaints, Uber has reiterated its claims to UK Business Insider that there was "no evidence of a breach."
UK Business Insider suggested that if there was no hack, the data may accidentally have been leaked, citing the time a sensitive password was accidentally uploaded to GitHub, which has lead to a court battle as the company tries to find out who accessed it.
BuzzFeed News has reached out to Uber for further comment.
Another Uber user has got in touch. Tom Betts, a Financial Times staff member, told BuzzFeed News: "I had my Uber account hacked. Someone on the Kingsland Road was literally just using my account. Looks like an inside job with the driver because it doesn't look like the rider was never picked up, yet they managed to bill me £52." He added that the mobile number had been changed to one that wasn't his.
Another user who wished only to be referred to by her first name, Abby, has also contacted BuzzFeed News. She said that last week: "Someone was repeatedly trying to book rides from Peckham (south London), and I had to sit by my phone manually cancelling them as they were booked. They eventually managed to book a ride and spent £15.60 without me noticing in time."
She said she'd received the same email described above: "word for word, explaining that 'your password was reset via your email account'. This was certainly untrue, as my email has three-step verification and could not have been hacked. I found this very dishonest of Uber - it is NOT okay to tell people that their email account has been compromised when it hasn't been."
An Uber spokesperson told BuzzFeed News:
We take any issue of this nature very seriously and after investigating have found no evidence of a breach at Uber. Attempting to fraudulently access and use Uber accounts is illegal and we notify the authorities about such activity. We would like to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.
He added that anyone who was charged for a trip they didn't book or take would receive a refund.