Uber has revealed that 2.7m UK users of its app were affected by a mass data breach in 2016, which the company disclosed last week.
A ransom of $100,000 (£75,500) was paid to hackers so they would delete the data and keep the security lapse quiet.
Uber said user names, email addresses and mobile numbers of customers were hacked.
The app is used in towns and cities across the UK, with 3.5 million passengers and 40,000 drivers in London.
Sadiq Khan, London’s Mayor, said: “This latest shocking development about Uber will alarm millions of Londoners whose personal data could have been stolen by criminals.
“Uber need to urgently confirm which of their customers are affected, what is being done to ensure these customers don’t suffer adversely, and what action is being taken to prevent this happening again in the future.
“The public will want to know how there could be this catastrophic breach of personal data security.”
Last week, Uber disclosed that 57 million people were hit by the breach, but did not say how many UK customers were affected.
Uber said that it did not believe any individual customers needed to take action.
“We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection,” the company said in a statement.
The news comes after what has been a tough year for the company.
In October, Uber launched an appeal against Transport for London’s (TfL) decision to deny it a new operating licence in the capital on the grounds of “public safety and security implications”.
A spokesperson for the National Cyber Security Centre (NCSC) said: “We assess that the stolen information does not pose a direct threat to people or allow direct financial crime.
“People who are concerned should continue to be vigilant and follow the advice on the NCSC website.”
The Information Commissioner’s Office has previously said that it is hugely concerned about Uber’s data protection policies and ethics.
James Dipple-Johnstone, deputy commissioner of ICO, said: “On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls, appear more credible. People should continue to be vigilant and follow the advice from the NCSC.
“As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures, and the type of personal data that has been compromised.
“We would expect Uber to alert all those affected in the UK as soon as possible.
“We are continuing to work with the NCSC plus other relevant authorities in the UK and overseas to ensure the data protection interests of UK citizens are upheld.”