British Uber customers’ accounts hit by Russian hackers

Uber customers claim their accounts have been hacked by Russians after apparently being billed for taxi journeys in roubles.

Hundreds of customers have complained on Twitter that they have received bills in Russian currency, despite never taking journeys in Moscow or St Petersburg.

Some claim their data was then sold on the dark web. 

According to the Times, more than 800 Twitter users in Britain and the US have complained about a breach, with an increase in reports in April and May. But experts say the figure could be much higher.

The revelations come after it emerged that Uber had hushed up a mass data breach that potentially saw British customers’ personal details fall into the hands of cyber criminals. 

Downing Street said the hack, which affected 57m customers and drivers worldwide, had not been reported by the taxi-hailing firm. 

It is not clear whether those who are complaining of being hijacked on Twitter were affected in that hack or in a separate attack.

In April, one user in Leeds wrote: ‘I’ve been hacked, someone in Moscow has used my account and charged my card £54.55.’

The following month, Cass Hoskins added that her brother’s account had been hacked, with taxi rides in Moscow billed to his account. 

In July, a user called Rachel Beal tweeted a picture of her account, which showed a £278 bill from Russian transactions which had not been repaid.  

Meanwhile, Anthony Glees, of the University of Buckingham, said: ‘Given the obvious level of organisation and the patterns of fraudulent use it seems reasonable to believe that Russian hackers obtained these users’ data and have traded it on the dark web.’ 

Downing Street said the hack had not been reported by the taxi-hailing firm after it hushed up the scandal

And yesterday, Lauren Rees, from Bromley in south London, tweeted: ‘I knew I wasn’t going bloody crazy when my details kept changing to a Russian phone number and details Uber support were not helpful.’ 

Details of last year’s hack came last night in an extraordinary admission by the US firm’s chief executive.

He revealed a third-party server had been infiltrated in late 2016 and information including names, email addresses and mobile phone numbers had been stolen.

The hackers had also managed to get the names and number plates of 600,000 drivers in the US.

Meanwhile, security services and the information watchdog have been left scrabbling to assess the scale of the damage amid warnings Uber’s secrecy could result in ‘higher fines’.   

Prime Minister Theresa May’s official spokesman said: ‘These are obviously concerning reports and the National Cyber Security Centre is working closely with domestic and international agencies, including the National Crime Agency and the Information Commissioner’s Office, to investigate if and how this breach has affected people in the UK.

‘It is a worldwide incident and it is unclear at this stage which countries were affected by the hack.

Uber chief executive Dara Khosrowshahi said there was ‘no indication’ trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers

‘What we do know is, based on current information, we have not seen evidence that financial details have been compromised.’

He added that Uber ‘did not notify individuals in the UK, the UK Government or UK regulators’ at the time the hack was discovered in October last year.

The Information Commissioner’s Office (ICO) warned Uber it could face fines, saying the incident raised ‘huge concerns around its data protection policies and ethics’.

The tech company reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public.

James Dipple-Johnstone, deputy information commissioner, said the breach raises ‘huge concerns’

By then, company executives had dressed up the breach as a ‘bug bounty’, the practice of paying hackers to test the strength of software security, according to The New York Times.

James Dipple-Johnstone, deputy commissioner of the information watchdog, said: ‘Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.

‘It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.

‘If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.’

He added: ‘Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.’

Uber chief executive Dara Khosrowshahi, who took over in August, said in a blog there had been ‘no indication’ trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers.

He wrote: ‘At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals.

‘We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.’

Affected accounts have been flagged for additional fraud protection, Mr Khosrowshahi said.

‘None of this should have happened, and I will not make excuses for it,’ he wrote.

‘While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.’

Data protection lawyers at the Leigh Day legal firm said a ‘huge number of claims’ could be brought against Uber by its customers as a result of the security failing.

 
