Cyber Incident Victim: 13cabs
Date:
Mar 2025
Location:
Australia
Summary
The organization became aware of suspicious activityindicating that some app user accounts had been compromised, likely using data obtained from the dark web. It forced password resets for the initially identified accounts and later expanded the resets after discovering that about one percent of all accounts were affected, while engaging external cybersecurity experts to investigate and secure the system. The accessed information included usernames, phone numbers, addresses, and eligibility indicators for a subsidy scheme, but no payment card or bank data was taken, and the organization notified the relevant privacy regulator and law enforcement.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On 14 March 2025, 13cabs became aware that some of its 13cabs and Silver Service app user accounts were potentially compromised through a sophisticated unauthorised type of suspicious activity, later referred to as the Unauthorised Activity, which was likely undertaken using data sourced from the dark web. Upon detection, the company promptly forced a password reset for all accounts that were initially identified as affected. Despite this initial response, further analysis revealed that the number of impacted accounts had risen to approximately 1.1% of the total user base, prompting an immediate second round of password resets for the additional accounts identified. External cybersecurity specialists were engaged to conduct a thorough investigation and to assist in securing customer accounts. The company also began working with technical and legal experts to fully understand the scope of the Unauthorised Activity and to determine any necessary containment measures. As part of its regulatory obligations, 13cabs notified the Office of the Australian Information Commissioner of the incident and indicated that law enforcement agencies would be informed as the investigation progressed. The organization committed to providing updates should any new information emerge once the investigation is complete.

The information that was potentially accessed during the Unauthorised Activity included usernames, which may correspond to users’ actual names, phone numbers, physical addresses, and, for some accounts, an indication that the user is eligible for the Taxi Subsidy Scheme. The company explicitly stated that no credit card or bank account information was taken in the breach. The potential exposure of personal identifiers such as names, phone numbers and addresses raised concerns about possible misuse, although the article does not detail any observed misuse of this data. The disclosure of eligibility for the Taxi Subsidy Scheme could reveal socioeconomic information about affected users. The breach impacted a measurable fraction of the user base, quantified at roughly 1.1% of all accounts, indicating a limited but notable scope. The company’s communication emphasized that the investigation was ongoing and that the full extent of any damage remained under review.
To assist affected users, 13cabs notified them via SMS and email and reset the passwords of every account identified as compromised. Technical experts were tasked with identifying accounts that had been used to facilitate unauthorised access through the app, and the company stated it would contact each user identified in this role and provide a full refund if any unauthorised access had occurred through those accounts. The engagement of external cybersecurity specialists continued alongside internal efforts to ensure the security of customer accounts and to complete the investigation. The company maintained that it would keep users informed as the investigation proceeded and would provide further information if the situation changed. No additional details about the attackers, their motives, or the specific methods used beyond the reference to dark‑web sourced data were disclosed in the source material. The narrative concludes with the company’s commitment to protect personal information and to act within its reasonable control to prevent similar incidents.
