Criminals are exploiting the news that Uber suffered a serious data breach to inflict more harm on Uber customers. As if the theft by hackers of the names, email addresses, and mobile-phone numbers of 57 million users of the ride service, along with the driver's license numbers of 600,000 Uber drivers, were not bad enough, criminals are now crafting convincing phishing emails that prey on the same group of people.
There are multiple variants of the scam -- and surely more to come.
Various realistic-looking phishing emails appear to come from Uber and apologize for the breach. Some ask the recipient to reset his or her password so that any password compromised in the breach cannot be used by criminals. That may sound like sound advice, and it would be, were it not for the fact that the password-reset link in the email leads to a bogus Uber site run by the criminals for the sole purpose of collecting passwords. Naturally, the site asks you to enter your "old password" along with your desired new one; the old password is the real prize, since it, and not the new one, is what the attackers can use to log in to your actual account and to any other accounts on which you reused it.
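The tell-tale sign of the reset-link variant is that the link does not actually point at Uber. The following is an added example, not code from the original article or from Uber, of the check a mail-security team or a careful recipient can automate: pull every link out of an email body and flag any whose real destination is not under the expected domain, whose hostname merely contains the brand name, or whose visible text shows one URL while the href goes somewhere else. The allow-list of legitimate domains, the sample email, and the two-label approximation of the registrable domain are all assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the registrable domains from which a genuine
# Uber email would link. A production filter would maintain this list per brand.
LEGITIMATE_DOMAINS = {"uber.com"}

# Constructed sample modelled on the scam described above; not a real email.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>We apologize for the recent security incident.</p>
<p>Please <a href="http://uber-account-security.example/reset?u=123">reset your password</a>
at <a href="http://uber.com.secure-login.example/">https://www.uber.com/reset</a>.</p>
<p><a href="https://help.uber.com/">Help centre</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels (assumption: fine for .com;
    real code should use the Public Suffix List to handle e.g. .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means it passed."""
    reasons = []
    host = urlparse(href).hostname or ""
    base = registrable_domain(host)
    brands = {d.split(".")[0] for d in LEGITIMATE_DOMAINS}

    if base not in LEGITIMATE_DOMAINS:
        reasons.append(f"destination {host!r} is not under an allowed domain")
        # Lookalike: brand name appears somewhere in the host, but the host is
        # registered under a different domain (uber.com.secure-login.example).
        if any(brand in host for brand in brands):
            reasons.append(f"host {host!r} contains a brand name it does not own")

    # Visible text that looks like a URL but the href goes elsewhere.
    shown = re.match(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != base:
        reasons.append(f"link text shows {shown.group(1)!r} but href goes to {host!r}")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link in the email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


def suspicious_links(html):
    """Only the links that were flagged."""
    return [entry for entry in scan_email(html) if entry[2]]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{status:10} {href}  ({text!r})")
        for reason in reasons:
            print(f"             - {reason}")
```

Run against the constructed sample, the two reset links are flagged (the second one three times over: wrong domain, brand name in a domain it does not own, and displayed URL not matching the real destination), while the genuine help.uber.com link passes. Note that the check is on where the link actually goes, which is exactly what a reader glancing at the visible text cannot see; it is the automated form of the advice below to avoid clicking links at all.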
Another variant of the phishing email contains a profound apology for the breach, and offers the customer a $50 credit towards rides on Lyft, Uber's main competitor in many markets. While anyone who spends a moment thinking about the offer should realize that it is likely bogus - why in the world would Uber be both providing its primary competitor with revenue and directing its already upset customers to that primary competitor - people have a tendency to act without thinking when offered "free money" which they think may no longer be available if they do not act quickly.
Other variants of the phishing scam already exist, and more will continue to appear in the upcoming weeks.
So, if you are an Uber customer -- or ever were an Uber customer -- stay vigilant and treat any email that asks you to take action to protect your Uber account, or that promises you compensation for the breach, as a likely scam. Changing your Uber password is still a good idea, but do it from the app on your phone, or by typing Uber's address into your browser yourself, never by clicking a link in an email whose sender you cannot verify.