Hackers Stole Data From 57 Million Uber Drivers and Customers, Uber Paid $100K to Hide Attack

Uber suffered a massive data breach last year that exposed the personal data of 57 million customers and drivers, reports Bloomberg. The attack occurred in October of 2016 and included personal information from 50 million Uber riders and 7 million Uber drivers.

Two hackers reportedly accessed a private GitHub repository used by Uber's software engineers and then used credentials found there to breach an Amazon Web Services account that contained an archive of rider and driver information.

Email addresses and phone numbers were stolen from riders, while hackers were able to obtain email addresses, phone numbers, and driver's license numbers from drivers. Uber says social security numbers and trip location data were not accessed in the attack.

Rather than disclosing the attack when Uber learned of it in November of 2016, the company instead paid the hackers $100,000 to delete the data and keep quiet about the breach. Uber did not disclose the identity of the hackers, but did say it believes the information was not used or otherwise sold.

Uber's new CEO, Dara Khosrowshahi, says the attack and the coverup should not have happened, and that Uber is "changing the way we do business." Khosrowshahi says he is aiming to change the way Uber operates, and as part of that effort, Uber informed the FTC and attorney general about the attack this morning.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," Khosrowshahi said. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

Uber's efforts to conceal the hack were led by chief security officer Joe Sullivan, who has been ousted from the company. Uber also let go of Craig Clark, a senior lawyer who worked with Sullivan.

In light of the attack, Uber has hired Matt Olsen, who previously served as general counsel at the National Security Agency. Uber says Olsen will help the company restructure its security teams.

Uber Removing Apple-Granted API That Could Have Let it Record a User’s iPhone Screen

When the Apple Watch was first released, Apple gave Uber what's known as an "entitlement" to run a special API to improve performance of the Uber app on the wrist-worn device.

That entitlement made headlines today when security researchers told Gizmodo that Uber could have used it to record a user's iPhone screen even with the Uber app just running in the background.

In a statement, Uber said the entitlement was used for an old version of the Apple Watch app and was provided to Uber because the original Apple Watch couldn't render maps.

"It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app," an Uber spokesperson told Gizmodo, saying that early Apple Watches couldn't handle this process alone. "This dependency was removed with previous improvements to Apple's OS & our app. Therefore, we're removing this API from our iOS codebase."

The entitlement is no longer necessary and Uber is planning to remove it from the iOS codebase, according to both the statement given to Gizmodo and a tweet from Uber head of security and privacy communications Melanie Ensign.

According to security researcher Will Strafach, who first brought attention to the issue, Apple does not often give out entitlements. Strafach said he could find no other apps on the App Store that have the permissions that the Uber app has.

Strafach says there is no evidence that Uber ever misused the entitlement, but it could have been utilized to monitor activity on an iPhone, recording passwords and other personal information. "Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," another security researcher, Luca Todesco, told Gizmodo.

Uber says the API is no longer connected to anything in the company's current codebase, but users will likely be wary anyway as there have been other privacy concerns with the Uber app. There was a feature that allowed riders to be tracked for up to five minutes after a trip, and Apple CEO Tim Cook even went so far as to threaten to remove the app from the App Store after it was found to be secretly recording the UDID of iPhones to identify them even after the Uber app had been deleted.

Uber App Offers Basic Sign Language Tips to Chat With Deaf or Hard of Hearing Drivers

Uber has rolled out an update to its iOS app that enables riders to learn basic sign language on the go so they can communicate better with deaf and hard-of-hearing drivers.


Uber announced the new feature in a post on its website, where it said the ride-hailing service had "thousands" of deaf drivers in the United States alone, and that the update was in support of National Deaf Awareness Month.

"Riders will see a special card in the Uber feed. Once they tap it, they'll be taken to a page where they can select the basics, like "Hello" and "Thank You," or spell out their name. They'll then be given a GIF with the word(s) in ASL. That way, they can better communicate with their Deaf or Hard of Hearing driver, because signing "Thank You" or "Hello" in ASL can go a long way."


Uber has actually included interface features for its hard of hearing drivers for the last couple of years, such as flashing screens for ride requests instead of audible notifications, and allowing drivers to receive texts rather than calls. But the latest feature, which currently only works in the U.S., will surely come as a welcome addition.

The Uber app is a free download for iPhone available on the App Store.

Uber Adding Feature to Let Drivers Provide More Rider Feedback

Uber today introduced a new feature for its iOS app that allows drivers to provide feedback when giving a rider a rating of less than five stars.

As outlined by The Verge, drivers are now asked "what went wrong" when providing a four-star rating or lower. Drivers can then choose from reasons like wait time, patience, number of riders, attitude, wanted a new route, or other.

Riders who get two of the same rating tags in a 30-day period will receive a notification letting them know about the low ratings and the reason why.

Uber is also changing the way its UberPool service works in an effort to make the feature less stressful for drivers. UberPool allows passengers to choose a cheaper fare, but it's a shared ride with the potential for several passenger pickups.

For UberPool rides, drivers will now receive an additional flat fare for each passenger picked up, and Uber says it is planning to pay much of the added cost for the trips through a service fee reduction. Riders will not pay more for a trip even if there are additional pickups.

Uber in June launched a "180 Days of Change" initiative designed to improve working conditions for its drivers and bolster its public image, and today's changes are part of that effort. Uber has been introducing new driver features since then, starting with a long-desired in-app tipping option.

Uber Falls in Line With Settings in iOS 11 That Limit Use of Location Services

Uber has updated its iOS app to fall in line with new options in iOS 11 that let users limit an app's use of location services (via The Verge).

With iOS 11 installed, it's possible to restrict the gathering of location data by any third-party app so that it can only access the device's location status when the app is in use.

Uber has faced criticism in the past for tracking users' location even when they aren't using the service, while offering them only a binary choice of either allowing always-on tracking or turning it off altogether.

Uber had argued that the tracking enhanced rider safety and said it restricted tracking to five minutes following a ride anyway, but many users cited the policy as a privacy concern.


With the latest update, however, Uber has highlighted the fact that users can elect to share their location "While Using the App", "Always", or "Never". These options can be found in the Settings app under Privacy -> Location Services -> Uber.

These permissions override any third-party app's settings, which should address users' concerns regarding similar behavior.

Uber to Pull Feature Allowing Riders to Be Tracked for Five Minutes After a Trip

In an effort to better protect user privacy and improve its image, Uber has decided to remove a background GPS tracking feature that allows riders to be tracked for up to five minutes after a ride ends, reports Reuters.

Uber is expected to announce the privacy change starting on Tuesday, with the update expected to roll out to iPhone users this week. The same update will be made to Android devices in the future.


The feature, which was first introduced in late 2016, has garnered a lot of criticism from Uber users. When location tracking is enabled for the Uber app (and location services is required for the app to properly function), Uber is able to collect location data from the time of a trip request through five minutes after the trip ends, even when the app is in the background.

Uber says it planned to use the extra location data to improve pickups, drop-offs, and customer service, but the company claims the post-trip tracking feature was never actually turned on for iPhone users.

In an interview with Reuters, Uber chief security officer Joe Sullivan said the update is unrelated to recent internal turmoil within the company, which saw Uber CEO Travis Kalanick ousted from the company.

"We've been building through the turmoil and challenges because we already had our mandate," said Sullivan, who is a member of the executive leadership team that has been co-running Uber since Kalanick left in June.

Sullivan went on to say that the company should not have asked Uber users for more information without providing details on the value of the feature. Should Uber re-enable the feature in the future, he says the company will let customers opt in and better explain why the feature is useful.

According to Sullivan, Uber is committed to user privacy, but has suffered from a "lack of expertise." Additional changes to improve privacy, security, and transparency at Uber are said to be in the works and coming in future updates.

Uber Updates With In-App Chat Between Riders and Drivers

Ride-hailing app Uber today announced an in-app chat feature that lets riders and drivers communicate with one another without leaving the app. Uber said this update allows drivers to better communicate with riders when sudden road closures or other delays happen en route to the rider's location.

Riders can also send chats to drivers to indicate where they're waiting for the car, or give a distinct piece of clothing or accessory to allow the driver to easily identify them.


To do so, riders can navigate to the Uber feed, tap "contact," and then tap "Chat," and when the driver gets the message the app will read it aloud to them automatically so they aren't distracted. A one-tap response feature sends a quick thumbs up to the rider so they know their message was read.

"Every great ride starts with the pickup, so we’re always thinking about ways to make the pickup experience as frictionless as possible for riders and drivers alike. That includes helping riders and drivers connect should they need to get in touch with one another to solve for things like road closures, or to just provide information on their exact location.

"So we’re adding a way for riders and drivers to chat right in the Uber app. It’s now easier than ever to get in touch."

Speaking with TechCrunch, Uber product manager Jeremy Lermitte said this will help keep user data more private, because drivers and riders won't have to share personal contact information outside of Uber. Additionally, the company is considering adding the chat feature into other apps, including UberEATS.

In-app chat is rolling out globally over the coming weeks to all Uber riders and drivers, and the company described the update as a "first step" towards introducing more communication and messaging experiences within its app.

Uber’s In-App Tipping Feature Expands to 121 Cities Across North America

Uber in June announced plans for a "180 Days of Change" initiative that added a new long-desired tipping feature for drivers.

Tipping was initially limited to Seattle, Minneapolis, and Houston, but Uber said tips would be available to all U.S. drivers by the end of July, and the company is making good on that promise.


Starting today, tipping is rolling out in 121 cities across North America, including New York, San Francisco, Los Angeles, New Orleans, Philadelphia, and several cities in Canada. TechCrunch has a full list of all of the areas where tipping is now available.

The tipping feature will continue to expand to additional cities throughout the month of July, and Uber says it is still planning to have the feature available to all U.S. drivers by the end of the month.

Tips are optional for Uber riders, and the tipping screen will show up after a driver has been rated following the conclusion of a ride. Passengers have up to 30 days after a ride to provide a tip, and there are three preset tipping amounts ($1, $2, and $5) along with an option for a custom tip total.

Uber long resisted tipping even as competitors like Lyft implemented tips for drivers, with the excuse that it kept the service hassle-free. Uber is now aiming to bolster its public image and improve working conditions for drivers through the addition of tipping and other "180 Days of Change" features, such as a per-minute waiting fee for riders, a shorter cancellation window, and a new Driver Injury Protection insurance option.

Uber Users Can Now ‘Request a Ride for a Loved One’

Uber yesterday introduced a new ride-hailing feature in its mobile app that lets users request a ride for a friend or family member in a different location.

Uber announced the news in a blog post on its website, suggesting the feature would let users "request a ride for a loved one" such as a senior with limited mobility who doesn't have an Uber account or a smartphone.

"Now, when you set the pickup away from your current location, we'll automatically ask whether the ride is for a family member or friend. You can then select the rider from your address book, set their destination, and request the ride on their behalf."

Once the ride is on its way, the loved one receives a text message with the driver's details and a link to track their route. The feature also includes an option for the rider to contact the driver directly, and vice versa.

The feature is available now in over 30 countries, with more coming soon, according to Uber. The Uber app is a free download for iPhone available on the App Store.

Uber CEO Travis Kalanick Resigns

Uber founder Travis Kalanick has resigned his position as CEO, following a series of controversies and scandals that have recently dogged the ride-hailing company.

Five major investors demanded Kalanick's immediate resignation on Tuesday in a letter delivered to the chief executive, according to The New York Times. After "long discussions" with some of the investors, Kalanick agreed to step down, but will reportedly stay on Uber's board and continue to hold the majority of voting shares. Kalanick recently took a leave of absence following the death of his mother.

Kalanick at LeWeb Paris (Image by Adam Tinworth)

"I love Uber more than anything in the world and at this difficult moment in my personal life I have accepted the investors request to step aside so that Uber can go back to building rather than be distracted with another fight," Mr. Kalanick said in a statement.

Uber's board said in a statement that Kalanick had "always put Uber first" and that his resignation would give the company "room to fully embrace this new chapter in Uber's history." An Uber spokesperson declined to comment further.

The ride-hailing service clearly hopes that news of Kalanick's resignation will be perceived as a company reboot, as it attempts to revive its tarnished image following multiple controversies over recent months.

Just last month it was revealed that the Department of Justice is investigating Uber over its use of "secret" software that allowed its drivers to operate in areas where the company was banned or restricted. The so-called "greyball" software is said to have allowed the company to identify undercover officials and block them from booking rides, in order to prevent them from proving that Uber was operating illegally.

In April it emerged that Apple CEO Tim Cook threatened to pull Uber's app from the App Store in early 2015 after discovering that it was secretly "fingerprinting" iPhones that used the app. Uber said it used the identification method to prevent fraud, despite knowing the tactic is a clear violation of Apple's app privacy guidelines. The revelation came in a New York Times article detailing the ride-hailing service's history of controversial business tactics.
