It’s not been a good month for travelers’ data security. Both BA’s and Hilton Hotels’ reward schemes were hacked, with members losing thousands of reward points; Mandarin Oriental suffered a breach that saw credit card details lost; and now Motherboard reports that Uber accounts are being sold on the dark web.
One seller on AlphaBay – a dark web marketplace whose popularity has increased since the demise of Evolution – claims to have “thousands” of user logins up for sale.
The seller, who goes by ‘Courvoisier’, has listed username and password combinations for sale for as little as a dollar a go, according to Motherboard. Courvoisier said that the accounts were easy to use: “Log in on the Uber mobile website on your phone and book a cab ;)”. Motherboard confirmed that many of the details were genuine.
Multiple login details
Meanwhile, the International Business Times reveals that Courvoisier is also selling Amazon, EE, Vodafone, and Netflix account details. It’s not known where any of these details come from, but speculation is that password reuse is to blame.
An Uber spokesperson told Motherboard:
“We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”
Poor password practices
Companies don’t have to be hacked to suffer data breaches. Phishing attacks dupe unsuspecting users into handing over their credentials, and once one website has been compromised and a list of user details has been extracted, criminals try those credentials on other popular sites, knowing that password reuse is rife and that many users will use the same username/password combination on multiple sites. Result: instant access to numerous accounts, which can then be sold on.
Corporate data is just as much at risk of exploitation as personal data in these circumstances, which is why good password practices and staff awareness training are both essential components of an enterprise-wide information security management system (ISMS), as described in the international standard ISO 27001. An ISO 27001-compliant ISMS addresses people, processes, and technology, allowing organizations to address their information security risks wherever they fall.
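One way a site operator can spot the credential-reuse attack described above in its own login logs, as an added example that is not part of the original article: the log format, the thresholds and the function name `detect_stuffing` are assumptions. It flags a source that tries many distinct accounts and mostly fails, then lists the accounts that source did get into so their passwords can be reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 alice FAIL
2024-01-01T10:00:03 203.0.113.7 bob FAIL
2024-01-01T10:00:04 203.0.113.7 carol OK
2024-01-01T10:00:06 203.0.113.7 dave FAIL
2024-01-01T10:00:09 203.0.113.7 erin FAIL
2024-01-01T10:02:00 192.0.2.44 heidi OK
2024-01-01T10:02:30 192.0.2.44 ivan OK
2024-01-01T10:03:00 192.0.2.44 judy FAIL
2024-01-01T10:03:10 192.0.2.44 judy OK
2024-01-01T10:04:00 192.0.2.44 mike OK
2024-01-01T10:05:00 192.0.2.44 niaj OK
"""

# Assumed tuning values; calibrate against your own traffic.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5
MIN_FAIL_RATIO = 0.75

def detect_stuffing(log):
    """Return {source_ip: usernames it logged in as} for sources that try
    many distinct accounts, mostly failing, inside one time window."""
    by_ip = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            fails = sum(not ok for _, _, ok in window)
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                # Any success from a stuffing source is a likely reused password.
                findings[ip] = sorted({u for _, u, ok in events if ok})
                break
    return findings

if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; force reset for {users}")
```

The second source in the sample (many users, almost all succeeding) stands in for a shared office address and is deliberately not flagged; the failure ratio is what separates it from the stuffing source.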
Thanks to IT Governance’s fixed-price ISO 27001 Packaged Solutions, US organizations can now take advantage of expert ISO 27001 consultancy to implement an ISO 27001-compliant ISMS for as little as $14,995, and organizations with fewer than 20 members of staff can achieve ISO 27001 registration for as little as $7,650.
With its unique combination of standards, books, toolkits, software, training, and online consultancy, IT Governance’s Get A Lot Of Help package provides US organizations with all they need to implement the Standard and ensure their cybersecurity.