Saini characterized Uber's response as dismissive, although Uber is telling a different story. The ridesharing company initially told him that the issue wasn't "particularly severe" and was expected, marking it as "informative" -- that is, notable but not pressing. When we reached out to Uber, however, it said that it had fixed the flaw (Saini had previously been informed about this) and that it applied the "informative" label because it was already working on a solution.

The odds are that your data is safe as a result. All the same, this illustrates the fragility of two-factor security. It's much better than a basic sign-in, but it can be defeated in the right circumstances. You still need to keep an eye on your account activity in case intruders are particularly determined to hijack your account.

Update: Saini disputed Uber's claim that it notified him about the fix, and said that a solution only showed up about an hour after ZDNet's piece.