Kiwi Uber accounts hacked, used in Russia

Uber Cab Apple iPhone 6s New York City Taxi Call
Photo credit: Getty

New Zealand Uber users say the ride-sharing company is lying to the public about the app's 2016 data breach. 

Newshub has been contacted by several people who say their accounts were accessed from overseas, and their credit cards were used to pay for rides in Moscow and wider Russia. 

In October, 2016, 57 million customers and drivers worldwide were affected by the cyber attack. Uber paid the hackers US$100,000 (NZ$143,000) to delete the data and keep quiet about the breach.

But on Thursday, the Privacy Commissioner revealed about 100,000 New Zealand Uber users were affected.

Uber told Newshub, on Thursday, there was no evidence that users' trip location history, credit card numbers, bank account numbers or dates of birth were downloaded in the breach - but users' experiences say otherwise. 

Alena Winter said she was able to watch in real-time, as someone in Russia took an Uber ride, using her account. 

"They had accessed my account, and changed the password, email, and phone number - the only reason I could still see my Uber is because it hadn't logged out of my app."

Kiwi Uber accounts hacked, used in Russia
Photo credit: Supplied

Desperately trying to reverse the stranger's actions, she used Google Translate to communicate with the driver. 

"I was able to message the driver, telling him that the person in his car had a stolen Uber account...

"I told him to call the police after he dropped the person off, however… the police said they didn't care." 

Ms Winter said a similar thing happened to her friend and they both tried to contact Uber to secure their accounts. 

"We both contacted Uber and getting our accounts back was a nightmare, as the hack had changed all our details, making it difficult to prove it was ours.

"To add insult to injury, Uber did not once apologise and deflected all blame."

She said Uber claimed she must have been using the same log-in details for other websites, which have less security and applied those details to Uber - something Ms Winter disputed. 

She wanted Uber to take responsibility for the situation. 

"The whole process was very frustrating, and now for them to come out about this hack and state that nobody needs to worry as details are safe seems like another cop-out. 

"I'd love to see Uber take ownership for this part of the story that nobody seems to be talking about."

Uber New Zealand retained its stance that the overseas use is not linked to the security breach. 

"It is an unfortunate reality that all online accounts, whether email, banking or Uber, can be the target of phishing attacks that aim to steal a user's personal information, such as passwords."

"There are multiple reasons why unauthorised activity may occur - including whether the user is maintaining good habits in safeguarding personal information security, whether the device has been compromised, or even issues with the financial institution and its products."

It said there was no evidence of fraud or misuse tied to the 2016 incident.

Have you noticed anything suspicious about your Uber account? Contact shannonredstall@mediaworks.co.nz

Newshub.