A bizarre security flaw involving recycled phone numbers is allowing some users of the taxi-hailing app Lyft to access other riders’ accounts, exposing names, e-mail addresses, complete ride histories, and credit card information.
The bug was brought to Ars’ attention by a Lyft user named Felix, who says he signed up for the service for the first time earlier this month. He went through the normal registration process, entering his name, e-mail, credit card, and a new phone number, which was recently assigned to him by T-Mobile.
But Felix realized something was wrong when drivers kept addressing him by someone else’s name—a woman’s name he didn’t recognize. At first, he brushed it off. “I was like, uhh no, it’s Felix. But whatever, you’re here,” he told Ars, recalling some confused moments during his first week using the ridesharing service.