Ask HN: Have you taken action regarding the Uber hack?

80 points by zinekeller ↗ HN
Either personal (like asking your bank to revoke all cards you used with Uber) or work-related (recheck your security posture so that you won't have a Uber-level catastrophe)?

68 comments

[ 3.4 ms ] story [ 130 ms ] thread
Sitting here pleased I continually refused to open an Uber account or have anything to do with them.
Yes, because I’m sure none of the places you do business with have ever been compromised.
That's true. But like the parent poster, I'm likewise glad I had avoided using them.

What I hated about Uber and why I never ended up using it was that their app wanted so much info from my phone for no discernibly good reason. And Lyft didn't seem to be much better. I just wanted a ride man, I didn't want a 500 MB app that sucked all the data out of my phone and sent it to god knows where.

So I've just ended up calling taxis.

It's not that your data won't get compromised by someone else, it's just about mitigating the exposure.

I acknowledge my tradeoffs wouldn't make sense for a frequent traveller.

What data can app get from you that you don’t specifically allow? The Uber app only knows my location while I’m using it. If I choose not to give it my credit card number, I can just pay using Apple Pay and they have a one time use credit card.

Not to mention with Uber/Lyft, I know exactly where my driver is, I don’t have to flag down a taxi, I know the price before I sit in the car, etc.

500MB? On what platform?
In the play store it says 67.65MB "Download Size".

And in the apple appstore it says 363MB size.

I don't know if apple calculates the unpacked and installed size or if it is the "download size" too.

Not yet, I use a unique email and password for Uber.

It sucks for my phone number but it won't be the first hack/leak where it is shown next to my name.

Not sure about the scope of the hack so I won't be canceling my card yet.

No action. I'm rarely anxious so it doesn't bother me.
Agreed. The financial aspect doesn’t bother me as it is very likely that action can be taken to prevent future misuse, and reparations can be made for past abuse.

Drivers seem to be hit with a PII breach though, and I’d have concerns if pickup and drop off locations were exposed, particularly for those where that information might be sensitive (e.g. journalists in some jurisdictions).

Went to try to delete my account, can't login because SMS 2FA doesn't seem to be working.
Is it likely to affect Uber eats or are they completely separate?
Most likely Uber Eats as well. I use both apps and my account is linked between both of them.
Well now that you mention it, I enabled 2FA :awkward:
Good, but the attacker spammed 2FA requests at an employee until they convinced them to accept one. Other than FIDO I think, most forms of 2FA are vulnerable to this.
I'm not sure what you mean, unless they have access to my 2FA app how can they get access to my codes?
By setting up a dummy login screen that you unwittingly enter a valid code into (which I believe is the current best guess for how it was achieved in this case.)
Some corporate 2FA apps send a push notification to a mobile device. Because of how that is set up, it doesn't always (A) show what the login is for because it shows the name of the SSO app instead of the actual application, (B) show other correct data, e.g. if the user is on a VPN, the location may be the VPN endpoint because of IP-address based locations, and (C) it doesn't always show on the user's device that a login needs to take place, because it may be an Exchange connection refreshing periodically in the background

So, some people just accept whatever pushes they get.

You can obviously rate limit the requests, and there are other tricks as well. I tend to think FIDO is better than push notifications for other (related) reasons, but it's not impossible to mitigate this kind of attack.
The vibe I get is this is an internal compromise. Disgruntled employee, maybe looking for evidence of upcoming layoffs, doesn't find them, now makes it look like "a hacker".
Currently there is an 18 year old hacker bragging everywhere on the internet and seems he/she has no clue what to do with his/her newfound god mode.
Yeah I heard that. I read on Techcrunch. Do you have any links to this person?
PCI standard requires them to report the incident. I think most card issuers would close the affected cards (my bank had done that a few times, rather annoyingly without telling!)
I'm not pre-emptively revoking my card either. In this case the decision should be up to the issuer, not me. They have more or at least the same information as me and it's their money that's at risk.
I always used Apple Pay to pay for Uber rides, so I'm not sure there's any card # to be stolen. I'm sure someone who knows better than I do will chime in :)
(comment deleted)
I never drove for Uber nor worked as a corporate employee (no risk for SSN leak). Have only used them as a customer.

I only paid for their services using Apple Pay. Even if that number was compromised, the CVV would no longer be valid. I think most banks would automatically re-issue the account number (not the physical card number) if they detect fraudulent use.

The only time I saved a card to Uber was before the NFC era (pre-2015/2016). Those cards have long been removed from the account and have expired.

I am not too worried. Worst case scenario, they have my address and name. Which are both publicly available anyways.

Although maybe I shouldn’t be too complacent. If the data is sold, then it will make me more vulnerable to social engineering attacks. Albeit knowing Uber has been hacked I will be much more aware.

With apple pay your card number is never even sent to uber. Apple generates a unique virtual card number every time you use it.
Yes, we are running a wargame at work trying to replicate this scenario in our setup.
Yeah, I'm considering an audit for hard coded passwords.
I was dumb and they have details for two physical cards + a virtual card that I use in a few other places + my personal phone number that is still pretty hard to find + my personal email address as I used 'sign in with Google' when I recently set it up in a rush instead of my normal 'services/spam' email :(

So yeah not great, but also too much effort to pre-emptively revoke anything so I'll just hope that the fallout isn't too bad.

also the credit card security model has fraud protection built in so just gotta look out on the monthly statements
Going to wage jihad on everything less than FIDO2/WebAuthn in any org where I'm affiliated; previously people were pushing for using push-auth shit (e.g. Microsoft Authenticator) as an option.

Previous jihads against hardcoded credentials (use Vault or equivalent).

Next target after this will probably be Slack.

I get the spirit of your conversation but I urge you to not normalize a term like jihad. It’s sole purpose is to exterminate people by means of brutal violence who don’t fall in line in the name of religion.
Pretty weird since in the original language it just means Struggle. Cleaner connotation than the western equivalent 'Crusade' which is used secularly all the time tbh.
It's simply a matter of how many people are affected by jihad vs crusade in the last few decades. This is the first time I'm seeing jihad used in something not associated with terrorism.
A drink called the Irish car bomb can be readily ordered anywhere in the US, despite brutal killings in the 80s-90s. Use of a term is oft separated from the historical connotations of it.
Slack had it already in 2015...
No, I meant that the systematic elimination of the use of Slack is my next holy war/crusade/jihad objective after coming solving the mfa problem. (Team communications should be e2ee, with no external party having access; for group chats up 10-20 that's viable; beyond that, company-encrypted to keys held by the company only.)
What harm can be done to me, as an uber user that has their cc data in the uber system by this?

Is my credit card information compromised in a way that allows attackers stealing my money?

Potentially yes, very likely yes it seems.
How so? Any more details you can provide about how CC data might be compromised in this case?
It shouldn’t be an issue given that for compliance reasons they don’t store credit card data and instead use a third party, and even if they got access to the API keys for that provider, they shouldn’t have access to enough data to somehow use your card.
Steal your money? No. Steal the banks money, using your account details to defraud a bank, possibly createing a headache for you? Maybe.
Why are you assuming that any sensitive information about customers have been compromised? Uber is legally required to report to its users what is at risk of having been stolen, and so far they haven't said anything.

Canceling cards preemptively is a nuclear option.

Absence of proof is not proof of absence. Uber has no fucking idea what's happening, just like Heroku a few months ago. They got completelly pwned. Assume everything has been leaked.
> Uber is legally required

Uber is infamous for not following the law¹. There is at least one other known case of them not disclosing a data leak²:

> In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.

¹ https://www.theguardian.com/news/2022/jul/10/uber-files-leak...

² https://www.nytimes.com/2022/09/15/technology/uber-hacking-b...

Do we know if the details were stored in a format I need to worry about? If their protocols are in place surely a breach is just high level PII
I drove for Uber a couple of years ago. They have my DL and bank routing number. Should I be worried?
I did too, don't they also have a picture of your ID they took when you signed up, for "verification purposes"?
Yes they have a picture of my ID. They have quite a big of info about me since did a background check
This is why you should watermark any ID images with something like "FOR UBER USE ONLY SEPTEMBER 2022" in a wavy distorted font.
I'm setting up a savings account that they can't get at online
(comment deleted)
I just changed my password, and i had 2FA turned on already, that's about it... Any recommendations?
So many leaks I've given up caring. Actually I haven't had any fraud for a few years now, it feels like getting better? I do rely on Amex now which seems much easier to cancel any transaction.
> [From the end of the article] Lawyers for Mr. Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had scapegoated Mr. Sullivan.

Unless and until CEOs are held personally responsible for such security breaches there will be no solution to the problem. A Chief Security Officer job looks more and more as a designated scape-goat for hire.

It is an idea I hear often, but I don't think it will solve anything. The CEO will be the scapegoat, and may get paid better for the risk taken. So having a CEO scapegoat or a CSO scapegoat, same thing.

You have to realize that a CEO is just an employee. An important employee, but like any other employee, he is paid to do a job, and can be fired if his employers are not satisfied with his work.

If we want to punish the people who have the ultimate responsibility, that would be the shareholders. And it may include you if you have stock in that company. The CEO could also be punished as a shareholder (CEOs usually are), but not as a CEO unless he commit fraud against the shareholders.

We could imagine prison sentences for the most important shareholders, but really, financial sanctions are the most fair. Shareholders will lose money proportional to their share. And if the CEO really is the problem, shareholders will be very unhappy and he won't last long and may even get sued.

It's interesting that if you commit crimes or harm, whether intentional or not, but in the aggregate, at scale, etc. that you can get away with it or just be fined. Be a single employee that accidentally or intentionally leaks information, particularly company or government information, and you'll be sued to oblivion. Or imagine being a lower or middle class person charged with a crime or have a civil suit brought against you and all you get is a like $20 fine.
I filed a CCPA delete request for Uber a few month back—feeling good about that now!