I was sitting on the floor of the San Diego Convention Center a few weeks ago when my phone got a strange notification - "Your Uber is arriving". Since I did not order one, I picked up my phone to get more information. The Uber was arriving in downtown Toronto. Again, I'm in San Diego. This spells trouble.
Turns out my Uber account had been hacked. I was already in my app so I quickly attempted to change my password. Too late. The hacker added his email to the account and changed the password before I could.
WHAT'S AT STAKE?
At first I did not think this was a big deal. I mean, how many Uber rides can you really take? The account is set to my personal funds, but I had switched it to my Stamm credit card while in San Diego for work for Stamm Media. I contacted Uber Support both on Twitter and via their support page indicating my account had been hacked.
The main problem was this hacker knew what he/she was doing. They didn't take me off the account, just added their email as the primary. This meant I couldn't log into my account using my email since it was tied to an existing account. I tried to sign in using my phone number and it said there was no Uber account associated with that number (since the hacker was using their own phone number). Any 'Forgot Password' and trip receipt emails would be sent to the hacker's email as well.
WHEN DID I GET IT BACK?
Approximately 6 hours after I reported it, my account was back in my hands. Uber Support was great once they understood what was happening (the situation was difficult to explain without knowing about the hacker switching primary emails but leaving my email still listed).
In addition, the hacker knew my personal email account and a password I've used repeatedly in the past. Again, luckily, I wasn't using the same password for Uber and my email.
HOW CAN YOU PROTECT YOURSELF?
Passwords, passwords, passwords. You have to consistently update them! I've been one of the few who didn't totally buy into that. My Uber password was a fairly simple combo of numbers and letters and went unchanged for 2 years. If I had had the same password for my email, I'm not sure how bad the total damage would have been to my other linked accounts. The hackers also could have used my email to set up attacks on my friends, family and other contacts.
I used this mishap adventure as a jumping-off point to revamp all the security settings in my life. I started using a password manager called Dashlane (FYI not being paid to mention them, but I'm willing to be paid if they offer). All I have to remember is one master password and they encrypt the rest.
Again, I was fortunate that the damage was limited in this situation. Others might not be so lucky.