At just after 2 a.m. on Tuesday, someone -- I like to imagine a young man -- left a house in a quiet residential area of Brisbane, Australia and got into an Uber car, traveling 9 miles before being dropped off at another house.
Meanwhile, 8,200 miles away in Austin, my iPhone, buried inside my purse while I was at work, informed me the total charge for this ride would be $25 Australian dollars.
When I finally looked at my phone a half-hour after this ride took place, it took me a minute to figure out why I was getting so many notifications from Uber, since I have never actually used the service. (I do use Uber Eats.)
Then it hit me: My Uber account had been hacked. I had heard of these "ghost rides" before, where someone in a far-flung locale accesses your account to go on a joyride and sends you the bill.
This all-too-common problem has escalated in the last two years as Uber and Netflix passwords have become more valuable on the black market than credit cards, which have stronger identity theft protections.
I contacted Uber right away through the app, which was familiar enough with this problem to send me to "What to do if your account has been compromised" page. Uber suggests changing your password (which I did). I also sent them a message telling them I had been erroneously charged and within 24 hours I was reimbursed for the Australian joyride.
But I was still confused as to what actually happened. Did someone hack into Uber's customer database? Were all my passwords listed in some dark corner of the Internet? Was my credit card information also at risk?
Fortunately, Austin-based CSID, an identity protection firm, was able to help me answer these questions.
In a conference call from London, Adam Tyler, the chief innovation officer for CSID, said my password was likely stolen from another third-party site, and not from Uber. Once the thief figured out my name, email and password for one site, he or she was able to try it with other services, like Uber, Tyler explained.
That valuable account information is then sold on online black markets. Tyler pulled one up on his computer as we spoke on the phone. (I was linked to his computer so I could see his screen.)
Without needing any particular technical expertise, Tyler was able to punch in the name of a website and pull up a list of stolen credit cards and account information for sale. It functioned much like a black market eBay, with a section just for stolen credit cards and even customer reviews.
He showed me how doing a simple search on this site for "Uber" quickly pulls up ads for stolen Uber passwords. One was selling for $1.50. He said it's gotten so easy to find, buy and use stolen passwords that a child could do it.
"For them, it's like a game," Tyler said. "It's free money, easily accessible. Teenagers know this exists, I guarantee it."
It was clear that I had made two fatal flaws when protecting my own identity. The first was that I was using the same passwords over and over on multiple accounts. But I had also missed warning signs.
Confession: I've known for months that someone was accessing my HBO Now account because the list of recently watched shows or movies included things I had never watched, like "Pitch Perfect 2."
But I had not gotten around to changing my password. Since the person using my HBO Now wasn't doing any financial damage, it didn't strike me as urgent. I asked Tyler if the HBO Now breach and the Uber one were possibly related, since I had used the same password for both.
"1 million percent yes," he said.
But what responsibility do companies like Uber or HBO bear on this, I asked him. Shouldn't Uber have noticed, using data analytics, that someone based in Austin was likely not taking her first Uber ride in Australia? Or shouldn't HBO care that my account was seeing unusually high levels of usage and notify me?
Tyler said it would be costly for Uber to institute stricter security controls, and that ultimately the responsibility fell on me to do a better job of changing my passwords. "We're going to have big problems if Uber tried to start restricting or logging out users," Tyler said. "They would go to Lyft or somewhere else."
If you want to avoid my fate, I asked Tyler for some advice on how not to get hacked:
1. Don't use the same password for every online account. In an ideal world, every account should have a separate password. That means your email password should be different from the one you use to check your airline rewards points.
2. Change your passwords once a year. Even if you are using different passwords for every account, you should still change those passwords about once a year.
3. Protect the devices your passwords are on. If you mainly use your phone or tablet to access your various online accounts, you might want to look into anti-virus apps for your phone. "We've seen a huge explosion in Android malware," Tyler said. "We have to be careful about the devices we use and how we use them."
4. Use an iPhone. Because Android phones are built using an open system, and iPhones have a closed system, Android phones are just easier to hack. Tyler said he uses an iPhone for this reason.
Editor's note: This story was updated to correct an error in the spelling of the last name of Adam Tyler, chief innovation officer for CSID.