My Airbnb account was hacked!
The summary:
- Someone figured out my password and let themselves into my account.
- Created a “Team”
- Added themselves as a “Team Member” and gave themselves all the permissions
- Created five new listings that directed potential guests to contact them off of Airbnb (on Whats App)
Check your accounts right now! Check your “Team” settings and check your log-in activity for computers you don’t recognize.
The whole story:
So, I was woken at 6:30 am by an Airbnb alert stating that "Your listing has been published. It's now live on Airbnb and can be found and booked by guests". I'm not a morning person, so while I'm staring at my phone in a fog of confusion, four more identical alerts popped up. Suddenly I'm hosting "Best location in Rayol, newly house & pool" and five other houses like it in France. I also see that there's a sixth listing in the process of being created. This one is offering my home in Baltimore, where I list individual rooms, as a whole house rental! The one that I opened up was fully formed listing that they clearly stole from someone in France, but it asked the potential guest to contact the "host" on their Whats App account in the description. So, instead of scamming host by booking outside of Airbnb, they are trying to do it to the guests now.
Now sufficiently alarmed, I roll out of bed and get on my iPad. While I'm trying to find some way to contact customer support, I realize I don't have time for that because I'm battling a hacker in real time. As I started to delete the new listings, I get an inquiry from "Anastasia" for one of them, which I ignored until after I finished deleting all the active listings (more on this later). I found that there's no way to delete the listing that's in the process of being created, so I then changed my password thinking this would lock out the hacker.
I admit that my password was weak. Seven letters and a number. It was one that I had for the past 10 years. I believe I turned on dual factor authentication in the process, or it was turned on for me. It was confusing so I'm not sure. In any case, it's on now.
I contacted customer support via online chat which I eventually got to after struggling with the Airbnb Bot and eventually typing "I need to speak to customer support". I got a real person soon afterward and once I explained the situation and she looked at my account, she said she'd "forward me to the correct department". Then nothing until I received an email three hours later:
"Hello Thomas,
I’m Jennet with Airbnb. Thank you for securing your account with a new password.
We’ve reviewed your account and confirmed that the actions that you took have successfully prevented further unauthorized activity.
Thanks,
Jennet"
Yeah cheers thanks a lot... While I was waiting I noticed I was locked out of my account for a short period. After that I saw that they had deleted the one listing-in-progress that I couldn't. However, she was wrong. My account was still not secure.
Later that afternoon nine more new listings popped up. These were all just started when I found them. This time I was on my desktop, where there are a lot more menus available to us. As I was poking around to see how this could have happened after I changed my password (I changed it yet again), I found "Activity "NEW"" in the menu that popped down when I clicked on my profile pic. This is an activity log for all changes made to the account that also lists who made them. The new listings were created by someone named "Letty". There's someone else in my account! I remembered that we could add a co-host to our accounts but I never looked into it. I clicked around some more and found "Teams", and there it was. I was now part of a team called "Franc" and the other team member's name was "Letty Heb" Letty had a profile pic, an email address, her very own password to access the account (this is how she continued to have access even after I changed the password), and all the permissions checked off, including creating listings.
I deleted her and the team. So I think I got it under control. Interesting that it escaped the notice of customer support. After all, it was Letty that created the listings I was complaining about?
And... it turns out that I unwittingly communicated with Letty. Remember Anastasia that inquired about one of the fake listings in France? While I was waiting to hear from customer support I answered her to let her know that the listing was a scam and to not contact the "host" on Whats App. At some point I was able to see the last name on the account (I don't know why, maybe she actually booked it at some point?)... I was talking to Anastasia Letty. I guess she saw that I was taking action and she sent me an inquiry to feel me out? Creepy.
I’m still trying to get through to Airbnb Customer Support to report the second hack and alert them to the vulnerability that “Teams” created.
