A username and password is all you need to access a user's trip history, which may include personal details such as a home address. While full credit card information is not exposed, the last four digits and expiration date of the user's card are viewable in a user's account.
Motherboard received a sample of names and passwords available and verified that at least some of the accounts were active by contacting those users. The data includes names, usernames, passwords, partial credit card data, and telephone numbers for Uber customers. [...]
"Work[s] perfect," was the feedback left by one customer; "speedy delivery" was from another. [...]
It's unclear where the data came from or the scale of the breach. These logins may indicate that Uber's security was hacked or compromised somehow, although the company says it has found no evidence of a breach. [...]
This isn't the first time that Uber has had data leak in some form. As many as 50,000 of its drivers may have had personal details exposed. Uber said that in September 2014 one of the company databases "could potentially have been accessed by a third party," according to Slate, and Uber said that only the drivers' names and license plates could have been accessed in that breach. The twist is that Uber reportedly left the key for that database on a publicly accessible page on GitHub.
In another incident, Uber accidentally left part of its internal lost and found database -- which included driver and customer names and some numbers -- public on the open internet.
Editor's note: Our legal team asked us to advise you, dear reader, that buying stolen login info from the internet is illegal and you should definitely not do that, so don't.
It's ok, I'm sure The Market will take care of this.
Oh wait! The Market has taken care of this!
I couldn't tell from the article but one assumes the passwords were stored in plaintext or otherwise in some form that could be easily decrypted, i.e. not as a (strong) hash?
Who knows. Uber is denying the breach came from them, and hoping we believe that someone found user/password pairs by breaching some other site, and then correlating that back to the same user/password pairs on Uber.
I find this scenario unlikely, because that's a lot more work, and the original pile of data would have already been valuable in its own right.
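To make the storage question above concrete (plaintext or reversible storage versus a strong, salted hash) and the credential-reuse scenario in the reply, here is an added example that is not part of the thread, the article, or any Uber code. It builds a constructed set of accounts, stores them two ways, and then shows what a buyer of a leaked table can actually recover with a small wordlist in each case. The account names, passwords, wordlist, iteration count and record format are all hypothetical choices for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data for this example; not from the article or any real dump.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "Summer2015",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "Summer2015",
}

# Hypothetical parameters for this example. Raise ITERATIONS for production use.
ITERATIONS = 100_000
SALT_BYTES = 16


def store_plaintext(password):
    """A 'plaintext' record: the leaked table is the password itself."""
    return password


def store_pbkdf2(password, salt=None):
    """Salted, iterated hash. Record format: pbkdf2$iters$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_pbkdf2(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iters, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown record scheme: " + scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    # compare_digest avoids leaking the digest through comparison timing.
    return hmac.compare_digest(actual, expected)


def attacker_recovers(records, wordlist):
    """Attacker-side view of a leaked table.

    Plaintext records are read off directly. Hashed records must be guessed
    one record at a time, because the per-user salt means one guess cannot be
    checked against every record at once, and a password outside the wordlist
    is simply not recovered.
    """
    recovered = {}
    for user, record in records.items():
        if record.startswith("pbkdf2$"):
            for guess in wordlist:
                if verify_pbkdf2(guess, record):
                    recovered[user] = guess
                    break
        else:
            recovered[user] = record
    return recovered


# Constructed wordlist standing in for whatever the buyer of the dump would try.
WORDLIST = ["password", "123456", "Summer2015", "uber2015"]


def demo():
    """Return (what leaks from a plaintext table, what leaks from a hashed table)."""
    plaintext_db = {u: store_plaintext(p) for u, p in SAMPLE_ACCOUNTS.items()}
    hashed_db = {u: store_pbkdf2(p) for u, p in SAMPLE_ACCOUNTS.items()}
    return attacker_recovers(plaintext_db, WORDLIST), attacker_recovers(hashed_db, WORDLIST)


if __name__ == "__main__":
    from_plaintext, from_hashed = demo()
    print("leaked from plaintext table:", from_plaintext)
    print("leaked from hashed table:   ", from_hashed)
```

Two things the run shows. First, with a plaintext table every account is usable immediately, which fits the "works perfect, speedy delivery" listing in the article; with a salted hash the buyer only gets the accounts whose passwords were weak enough to guess. Second, because alice and carol share a password but get different salts, their records do not match each other, so a hashed table also cannot be cross-correlated with another site's dump by comparing records; the reuse scenario in the reply only works if the other site stored something recoverable.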
So someone either bought the data from them or a disgruntled employee (their fault) or found a way into their system that allowed them to take ALL of this data without Uber's knowledge (their fault). But the breach didn't come from them... I am confused.
If the only data is user/password pairs that can mean it's just a product of phishing, or indeed if Uber aren't careful enough with wire security it could all be pulled off the wire. The present enthusiasm for MITM SSL proxies in businesses means that many businesses have the cleartext of everything their employees do online at work - their Gmail password, their banking credentials, their Amazon wishlist - even though it ought to be obvious that legally that's way more trouble than the status quo.
Are you suggesting a company with lawbreaking in its business model might have hired dishonest employees?