A security flaw on the Lyft app lets some users access the accounts of others and exposes sensitive personal and credit card information.
The flaw has to do with recycled phone numbers, according to a report by Ars Technica, which quoted a Lyft customer named Felix who discovered his app had uploaded personal information for another of the car service's riders. The information included the name, credit card information (the last four digits of the account) and email of the person whose old T-Mobile phone number was reassigned to Felix. Felix told Ars Technica that he could see the other customer's ride history as well.
The report quoted a Lyft spokeswoman as saying that the company is “aware this happens on occasion, though it is extremely rare as there are safeguards in place to prevent unauthorized activity on these recycled phone number accounts,” though she didn't specify those security measures.