Uber accounts can be stolen, trail could lead to the dark web

An ABC7 I-Team Investigation

By Jason Knowles and Ann Pistone
Tuesday, September 25, 2018

CHICAGO (WLS) -- Your Uber account can be stolen, and then used by a stranger anywhere in the world, and you have to deal with getting the bill reversed.

The I-Team responded to two consumers who say it happened to them, and looked into how their accounts may have been sold on the dark web.

"You don't think it will be you," Stacy Wimunc said.

Wimunc said she was relaxing on her Orland Park couch while someone else was using her Uber account 900 miles away.

"I logged onto my Uber app and saw that the charges were in Georgia," she said.

"Uber ride, Uber, ride, Uber ride and I said I think someone got into my account," said Philip Kirschner of Naperville.

The same thing happened to Kirschner. But the person using his Uber account wasn't even in the United States.

"London and the Netherlands," Kirschner said. "Great British pounds and 11.70 Great British pounds."

It's unclear how their accounts were compromised, but the I-Team found online forums where people claim to sell Uber accounts.

"I saw the guy's name and took a screenshot of that and have the guy's name, email and phone number. And before I got a chance to get a hold of Uber, the guy changed my password and I got locked out," Wimunc said.

Because they were locked out, they couldn't contact Uber through the app. In addition, Wimunc and Kirschner said they weren't able to get their accounts back by contacting Uber online, and the rideshare giant has no customer service phone number.

"They are not taking responsibility for what happened and they are not fixing my account," Wimunc said.

William Caput, an "ethical" hacker and tech security expert, has an idea of how these accounts came to be compromised.

"Uber was breached about two years ago," Caput said. "And so hackers have access...to accounts with usernames and passwords and they've been now selling them on the dark web. So you can go on the dark web and purchase verified working Uber accounts."

Caput said Uber could have done more in the wake of the hack.

"They should have forced a password change on every single user," he said.

However, Uber told the I-Team that "ongoing security monitoring has found no evidence that recent issues with individual accounts are related to the incident that occurred in 2016" and that the "2016 breach did NOT include a compromise of individual accounts."

But if we rewind to almost a year ago, Uber admitted to knowing about the hack for almost a year without notifying customers or drivers, and revealed that hackers were able to download the personal information of 57 million Uber users around the world, including names, email addresses and mobile phone numbers. Uber said it had "assurances" that the downloaded data was destroyed.

Uber insists that hackers may breach other companies and then see if the stolen passwords work on Uber accounts. They added, "...this is why we designed our accounts with security in mind to protect the payment info & refund riders when unauthorized trips happen."

"I would like to see Uber become more accountable to their customers," Kirschner said.

Kirschner was given a $50 Uber credit. He and Wimunc were not held responsible for those fraudulent trips.

After the I-Team became involved, Uber helped both of them regain access to their accounts. However, both said they'll find a new way to get around.

"I had to change all of my passwords because they have my email, they have my name, they have my phone number," Wimunc said.

To prevent this from happening to you, experts say you should change your usernames and passwords regularly on all of your rideshare accounts. Do not use the same passwords.

Uber stressed that customers should not share their passwords and said customers can still contact its support team online if they have been locked out.