Just days after the massive Uber hack first came to light, cybercriminals have already reportedly begun targeting unsuspecting potential users of the ride-hailing firm in a new phishing scam. Uber recently confirmed that in 2016 hackers stole personal information such as names, email addresses and phone numbers from over 57 million user accounts.
Hackers are now capitalising on the data breach and have reportedly begun sending potential Uber users phishing emails, specifically tailored to trick them into divulging their account passwords. According to The Daily Beast, some people have taken to Twitter to report having received emails purporting to be from Uber, asking them to "change their password".
"These emails aren't from Uber," company spokesperson Melanie Ensign told The Daily Beast. "We have multi-factor on by default for riders & drivers, but as always, you see anything suspicious on your account, you can contact us via the help center in the app or help.uber.com."
"Our deepest apologies. You may have heard that Uber was compromised last year. We are sorry to inform you that your information was, unfortunately, confirmed to be part of the breach. Please click below to confirm you've received this message and change your password," reads an apparent phishing email, a screenshot of which was tweeted by IT trainer and consultant Dale Meredith.
Meredith clarified in another tweet that the screenshot of the phishing email is actually an ad from KnowBe4, an anti-phishing service that created the Uber-themed email to caution people about such scams. However, several people have tweeted out claiming to have received what appear to be Uber phishing emails, indicating that hackers may indeed be racing to capitalise on the breach.
Uber is yet to directly inform its customers about whether they have been affected by the breach, The Daily Beast reported. In the event that hackers are able to craft emails that look fairly authentic, they may be able to successfully steal from people. To an unsuspecting user, such an email may appear authentic, leading them to unknowingly hand over their passwords to hackers.
It is not uncommon for cybercriminals to launch phishing campaigns shortly after a major breach. In August, in the wake of Hurricane Harvey, the US government warned people to beware of charity phishing scams – indicating how cybercriminals capitalise on major events to prey on unsuspecting victims and steal valuable data.