
    Uber has an account security issue and it seems they want to ignore it

    November 27, 2016


:: updated Dec 6, 2016 (see end) ::

Uber has an account security issue and support is either not taking the problem seriously, or they do not understand the risk. This was brought further to my attention today when we were able to gain access to another rider’s account using a simple password reset.



  • Received over 200 emails from Uber trips completed in Kenya (we live in Australia)
  • Uber support fails to resolve the issue of a non-verified email account
  • We’re able to take control of the rider’s account using a simple password reset


Since July my partner has received over 200 messages in her Gmail account addressed to a rider in Nairobi, Kenya who sometimes completes trips several times a day. We live in Brisbane, Australia.


Uber Kenya Trip emails received

After being told by Uber’s Support that they are no longer willing to assist with the problem, we were able to login to the Kenyan rider’s account and view their personal details including:

  • full name
  • phone number
  • payment method
  • detailed maps of every trip they have taken since they started using the service, thus we can infer with high probability their home address and common travel destinations.

Rider’s account details


How were we able to do this?

By simply going to uber.com and requesting a password reset. The only difference we made when doing this was omitting the period my partner usually uses with her Gmail email address. Since Google does not differentiate Gmail email addresses with periods or letter case (an issue we highlighted multiple times with Uber support), we received the automated email to reset the password. We were instantly able to set a new password and log in using the email address sans period and the new password. We now have complete control of this user’s account in Kenya.

Rider’s trip history

Uber support experience

Uber’s account policy not requiring a verified email address upon signup means anyone could mistakenly add an incorrect Gmail address to their rider account, which opens them up to this simple to execute privacy breach.
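A sketch of the control the paragraph above calls for, as an added example that is not from the original post and is not Uber's code: addresses are compared by the mailbox they deliver to (Gmail ignores periods and letter case), and only an address proven through a verification link can receive a password reset. The `Accounts` class, account ids and addresses are hypothetical and constructed; treating googlemail.com as gmail.com and lowercasing other providers' local parts are assumptions of this example.

```python
import secrets

# Domains that deliver to the same Gmail mailbox (assumption of this example).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def mailbox_key(address):
    """Return a key that is equal for addresses delivering to the same mailbox."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    local, domain = local.lower(), domain.lower()  # assumed case-insensitive
    if domain in GMAIL_DOMAINS:
        local, domain = local.replace(".", ""), "gmail.com"  # Gmail ignores periods
    return local + "@" + domain

class Accounts:
    def __init__(self):
        self.accounts = {}  # account id -> {"email", "verified"}
        self.pending = {}   # verification token -> account id
        self.owner = {}     # verified mailbox key -> account id

    def register(self, account_id, email):
        mailbox_key(email)  # reject malformed input early
        self.accounts[account_id] = {"email": email, "verified": False}
        token = secrets.token_urlsafe(32)
        self.pending[token] = account_id
        return token        # a real flow emails this link to the address

    def verify(self, token):
        account_id = self.pending.pop(token, None)
        if account_id is None:
            return False
        key = mailbox_key(self.accounts[account_id]["email"])
        if self.owner.setdefault(key, account_id) != account_id:
            return False    # mailbox already proven by a different account
        self.accounts[account_id]["verified"] = True
        return True

    def request_reset(self, email):
        account_id = self.owner.get(mailbox_key(email))
        if account_id is None:
            return None     # unknown or unverified address: no reset link is sent
        return account_id, secrets.token_urlsafe(32)

if __name__ == "__main__":
    db = Accounts()
    db.register("rider", "janedoe@gmail.com")  # constructed; mistyped, never verified
    db.verify(db.register("owner", "jane.doe@gmail.com"))
    print(db.request_reset("janedoe@gmail.com")[0])  # reset goes to the verified account
```

With this design an unverified address receives nothing but its verification link, so a mistyped address cannot become a recovery channel for someone else's account.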

Uber’s help page suggests that they take security seriously, but the support experience tends to suggest otherwise. At first the constant barrage of emails was annoying, and we could have filtered the Uber Kenya emails straight to the Gmail Spam folder and moved on. However, it was the blatant security issue that prompted the ongoing back and forth dialogue with multiple people at Uber support, which has led to the writing of this post after we were able to gain another rider’s account so easily.

After countless emails over the past five months, Uber support have suggested filtering the emails to Spam (this will not solve the security issue) and even acquiring a new email address, which is frankly a ridiculous suggestion for a customer your company would likely wish to retain.


After this frustration, I decided we had to speak to someone locally. I searched LinkedIn for Uber staff located in Brisbane and connected with a few of them. I messaged Jess, from the Community Operations team who was responsive and keen to help, even while she was away from the office on leave. Jess forwarded the message to someone who would look into it, and after a few days the Kenyan completed trip emails stopped appearing.

A couple of weeks later, the emails started again, so we again reached out to support but were unable to get any response. Again we had to message Uber staff via LinkedIn messages to restart communication. At this stage, Uber didn’t want to deal with the issue again and sent these messages suggesting we take the issue up with Google.


After a brief response from us, support have marked the case ‘Resolved’, and reiterated they are not willing to help further, which they could simply do by reaching out to the Kenyan rider to ensure their email address is correctly verified.



What does this mean now?

I have the ability to access someone else’s account and private data. Uber needs to understand the issue here: there are likely many other similar cases that could occur with malicious intent, hence making this support case open for public viewing.

Uber’s support have ‘resolved’ the case, while another rider’s account security still remains compromised.

I welcome comments below and hopefully this gets to someone at Uber who either knows or cares enough to follow it up appropriately.


After referring Uber support to this article they deleted the other user’s account we had managed to access. I’m glad they did this as I felt uneasy having that access, however they’ve simply left it at that, and it is unlikely that any actual followup will occur with regards to how they manage their rider’s security. A shame, but not really surprising at this point.

  • Daniel, December 7, 2016

    Great write up. Unfortunately this is not surprising, and seen all too often. I for one have others register accounts using my email address on a regular basis. The users that use my accounts simply validate their accounts via other means, such as their mobile number, or no validation is required at all.

    I'm conflicted on who owns responsibility in these instances.

    On one hand, if Person A uses the email account of Person B (yourself) to avoid using their own email account, they invite ownership re-homing. I feel a reasonable amount of ownership when my email address is used, and I promptly reset 'my' password. Person A should find the magic of a dummy email address. Indeed it's not that hard. If Person A doesn't, if they use the account of Person B, account ownership, personally, becomes quite grey.

    I always use my identity, my details, when I register to use services, just as I would a gym membership. Why do we find it acceptable to be dishonest online? We shouldn't, it's unacceptable. But it happens... I feel no pity for these people though, and I hold the company with very little responsibility in most instances. It's akin to logging into a banking account at an internet kiosk, and leaving the console unlocked whilst going to the bathroom.

    Customers have responsibility for their actions.

    On the other hand, these systems can hold data that could put Person A at risk; such as financial, reputation, or safety loss. In these instances I do firmly believe that greater ownership should be held by the provider. In Uber's example, Person A's safety is at risk, as is their financial position. You know where they live, and a temporary Visa card could readily harvest their earnings. If more publicly known, this could be exploited more often than it is today.

    It's simple, password recovery should ALWAYS require validation via the same means as the original registration, and registration verification shouldn't be a discussion point within application design. Security questions, whilst having their weaknesses, also provide an alternate 'shared secret' that can be used for the same process. In any instance, it shouldn't be a 'click once' process to take account ownership as you have in this instance.

    In this instance, I call mutual responsibility. Uber need to up the ante on their controls, and their customer service.


  • Sam, March 17, 2018

    Really? I didn't know about this Uber security problem.
