A username and password is all you need to access a user's trip history, which may include personal details such as a home address. While full credit card information is not exposed, the last four digits and expiration date of the user's card are viewable in a user's account.
Motherboard received a sample of names and passwords available and verified that at least some of the accounts were active by contacting those users. The data includes names, usernames, passwords, partial credit card data, and telephone numbers for Uber customers. [...]
"Work[s] perfect," was the feedback left by one customer; "speedy delivery" was from another. [...]
It's unclear where the data came from or the scale of the breach. These logins may indicate that Uber's security was hacked or compromised somehow, although the company says it has found no evidence of a breach. [...]
This isn't the first time that Uber has had data leak in some form. As many as 50,000 of its drivers may have had personal details exposed. Uber said that in September 2014 one of the company databases "could potentially have been accessed by a third party," according to Slate, and Uber said that only the drivers' names and license plates could have been accessed in that breach. The twist is that Uber reportedly left the key for that database on a publicly accessible page on GitHub.
In another incident, Uber accidentally left part of its internal lost and found database -- which included driver and customer names and some numbers -- public on the open internet.
Editor's note: Our legal team asked us to advise you, dear reader, that buying stolen login info from the internet is illegal and you should definitely not do that, so don't.
It's ok, I'm sure The Market will take care of this.
Oh wait! The Market has taken care of this!