Uber and Lyft Leaked Drivers' Social Security Numbers to Facebook via Tracking Pixels on Sign-Up Pages
Northeastern University researchers discovered that Uber and Lyft inadvertently shared unsalted hashes of gig workers' Social Security numbers with Facebook/Meta through tracking pixels embedded on driver registration web pages. The tracking pixels, designed for advertising attribution, captured form field data including SSNs as workers submitted background check information during the sign-up process.
Why it matters: Drivers' most sensitive personal identifier was transmitted to a third-party advertising company without their knowledge or consent. Those SSN hashes could potentially be cross-referenced with other data breaches to identify individuals, which exposes drivers who already face financial precarity to identity theft risk. The breach demonstrates that gig platforms treat worker data as a marketing asset rather than a protected trust, and workers have no practical ability to audit or control how platforms handle their personal information, since they must accept all data practices to access the platform.
The structural root cause is that gig platforms embed third-party advertising and analytics trackers throughout their web properties, including sensitive registration flows. Because gig workers are independent contractors rather than employees, they are not protected by employer data protection obligations and have limited legal recourse under most state privacy laws.
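An audit a platform team could run over requests captured while submitting a test registration, added here as an example and not code from the study or the platforms: it flags third-party requests that carry a sensitive field either raw or as an unsalted hash. The hostnames, parameter names, test SSN and the hash algorithms checked are assumptions; the page does not say which hash was used.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = {"signup.rideshare.example"}  # assumption: hosts the platform itself operates
ALGOS = ("sha1", "sha256")                  # assumption: the page does not name the hash used

def fingerprints(value):
    """Return {token: label} for the raw value and its unsalted hashes, per normalization."""
    variants = {value.strip(), re.sub(r"\D", "", value)}  # as typed, and digits only
    out = {}
    for v in filter(None, variants):
        out[v.lower()] = "raw"
        for algo in ALGOS:
            out[hashlib.new(algo, v.encode()).hexdigest()] = f"unsalted {algo}"
    return out

def audit(sensitive_fields, request_urls):
    """Flag third-party requests whose query string carries a sensitive field, raw or hashed."""
    findings = []
    for url in request_urls:
        parts = urlsplit(url)
        if parts.hostname in FIRST_PARTY:
            continue  # first-party submission of the form is expected
        params = parse_qsl(parts.query, keep_blank_values=True)
        for field, value in sensitive_fields.items():
            known = fingerprints(value)
            for name, sent in params:
                label = known.get(sent.strip().lower())
                if label:
                    findings.append((parts.hostname, name, field, label))
    return findings

# Constructed sample data: a test SSN from the never-issued 000 area and made-up request URLs.
FORM = {"ssn": "000-12-3456"}
ssn_hash = hashlib.sha256(b"000123456").hexdigest()
CAPTURED = [
    "https://signup.rideshare.example/api/background-check?ssn=000-12-3456",
    f"https://pixel.tracker.example/tr?ev=SubmitApplication&ud_field={ssn_hash}",  # hypothetical params
    "https://cdn.analytics.example/collect?page=%2Fdrive%2Fapply",
]

if __name__ == "__main__":
    for host, param, field, how in audit(FORM, CAPTURED):
        print(f"{host}: parameter {param!r} carries {field} ({how})")
```

The match works because an unsalted hash of the same digits is always the same string, which is also why it still functions as an identifier for whoever receives it.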
Evidence
Northeastern University research published in November 2024 found that Uber and Lyft unintentionally sent gig workers' Social Security numbers to social media companies via tracking pixels on sign-up web pages. The study ('Gig Work at What Cost? Exploring Privacy Risks of Gig Work') was presented at the Privacy Enhancing Technologies Symposium (PETS) 2025. DoorDash was found to share data with more than 20 third parties. All seven platforms studied (Amazon Flex, DoorDash, Favor, Instacart, Lyft, Shipt, Uber) collected names, emails, phone numbers, and location data before requiring the mobile app. Source: Northeastern University News (November 2024), PETS 2025 proceedings.