Uber on Tuesday came clean about its cover-up of a year-old hacking attack that stole personal information about more than 57 million of its customers and drivers.
The heist took the names, email addresses and mobile phone numbers of millions of riders around the world and the driver's license numbers of 600,000 Uber drivers in the U.S.
Cybersecurity experts tell NBC 5 Responds that an email address, phone number and text message are all hackers need to get into your email.
Hackers go to your email provider, enter your email, and click "forgot my password."
Your email provider will typically offer to send a text to your phone with a code.
As soon as you get that text, the hackers send one, too, pretending to be your email provider asking you to enter the code. Many of us do it, thinking it's legit.
But what you've really done is give the hackers access to your email.
Once inside they have all of your information, like which bank you use and who your credit card providers are.
They gain all this simply from knowing your email, phone number and relying on you to answer a text.
Experts say you should never text anyone a code sent to you from your bank. That's a big red flag.
Those codes are only generated if you initiate them.
Uber waited until Tuesday to begin notifying the drivers with compromised driver's licenses, which can be particularly useful for perpetrating identify theft. For that reason, Uber will now pay for free credit-report monitoring and identity theft protection services for the affected drivers.
So far, there's no evidence that the data taken has been misused, according to a Tuesday blog post by Uber's recently hired CEO, Dara Khosrowshahi. Part of the reason nothing malicious has happened is because Uber acknowledges paying the hackers $100,000 to destroy the stolen information.