It seems through Lyft's new share link you can pull the names of all the users. Ex: https://www.lyft.com/invited/MATT2398. Decrementing the last four digits exposes other users. You can try this with other names. Not sure if this is a vulnerability since it's just names. Surprised they didn't hash them.