Uber’s recently-disclosed security breach is terrible news for the 57 million drivers and users caught up in the hack. The information stolen isn’t terrible — mostly, just names, email addresses, and phone numbers — but Uber’s response to the attach has been the problem.

Even though the hack happened in 2016, Uber still hasn’t contacted the users whose data was stolen, and hackers are now taking advantage of that elementary mistake.

IT trainer and security consultant Dale Meredith posted an email he received on Twitter yesterday. It’s a classic phishing email that appears to come from Uber, but with a unique twist — it’s styled as the kind of apology email companies always send out after a data breach.

“Our deepest apologies,” the letter starts out in Uber’s recognizable font. It goes on to explain that “your information was, unforunately, confirmed to be part of the breach. Please click below to confirm you’ve received this message and change your password.” If you click on that link, you get a page that asks for your old and new passwords.

Once hackers have that information and your email address, they can get into your Uber account. And, because people are awful at recycling passwords across different websites, it also means that other accounts will probably be compromised with the “new” password too.

As ever, this is a valuable lesson to never click on links in security emails, but instead go through the company’s verified app or website instead. And, for Uber, it’s a wakeup call that they really need to start taking this thing seriously.

Chris Mills has loved tinkering with technology ever since he worked out how to defeat the parental controls on his parents' internet. He's blogged his way through Apple events and SpaceX launches ever since, and still keeps a bizarre fondness for the Palm Pre.