Hi everyone,
Having just dealt with 24hrs of hell after my account was hacked, and having the same experience as many of you in terms of the absolute TERRIBLE support from Airbnb, I thought I'd share some tips here.
1) HOW THE HACKER GOT INTO YOUR ACCOUNT
It's important to understand how this is happening so that you can prevent it happening again. Hackers are gaining access to our accounts because they have our email address and Airbnb password. Sadly, and quite honestly pathetically in 2019, Airbnb does NOT support proper 2-factor authentication - so all a hacker needs is your email address and password. They can get this in many places, because unfortunately many people use the same password for multiple logins. If you have ever re-used a password for more than one website, then this is probably how the hacker can log in as you. There have been MANY websites and services that have been breached over the last few years, so it's quite likely that your email address & password combo is out there. Check out a website called "have i been pwned" to find out. Either way, NEVER USE THE SAME PASSWORD TWICE.
Keep in mind that there are multiple ways that you can log in to Airbnb. For instance, I was using Facebook to log in, and have always had a random Facebook password and 2-factor authentication turned on for Facebook - so I thought I was safe. However, I forgot that Airbnb itself also had a password - which I was never using and had completely forgotten I'd set. As a result, it was a password I created years ago... and was freely available on the internet (again, you can see if your passwords are already public at the "have i been pwned" website).
Finally, as has been mentioned in this thread, another way to gain access is through phishing, whether digital (fake login screens) or human (fake support calls). For many people in the thread, this seems to not be the case, but I'm including it here for completeness.
Basically, the hacker knew one of your log in combinations - whether that be Facebook or Google or Airbnb. And if you ever reused any of those passwords elsewhere, it's highly likely that your email/password combination is already public. Change your passwords to be random, never re-use them, and enable 2-factor authentication whenever possible. We need to pressure Airbnb to get PROPER (not "automatic") 2-factor authentication, so I've written to tech news outlets about this ordeal too. Right now, Airbnb only uses 2FA when they detect a problem, which in my case (and many others) they clearly failed to do. This is bad - 2FA should ALWAYS be needed.
Use an app like 1Password or Dashlane or Apple Safari/iCloud to manage your passwords so that they can be complex and random for every website and service you use.
2) HOW YOU CAN GET YOUR ACCOUNT BACK
Airbnb support is TERRIBLE for this. I was hacked 24 hours ago and have heard NOTHING back from my multiple calls to Airbnb. I'm still shocked at how bad they are. So while I STILL wait for them to respond, here's how I got my account back. I had connected my Google and Facebook accounts to Airbnb as part of the verification process, as I'm sure many of us have. When the hacker changed my email address, I got a notification at my email address saying that it had been changed. As soon as I saw that, I went to Airbnb and tried logging in with Facebook. I couldn't - looks like the hacker had removed it.
BUT they hadn't removed my Google account, which still let me log in! I was able to quickly cancel some of the bookings that the hacker was making, and add my phone number back to my account. This let me then use the "I didn’t do this—review my account" link that was in the automated "email address changed" email, because now I had a way to verify that I was me again (they sent a message to my phone).
However you end up getting access to your account again, make sure you add your Google and Facebook accounts (each of which should have 2FA enabled!) so that you have this backup option in the future.
Obviously change all your passwords as soon as you're able to!
3) WHAT TO CHECK FOR WHEN YOU REGAIN ACCESS
Hackers are using people's Airbnb accounts for a lot of things. Here's a checklist of what you need to look for once you get your account back:
a) New bookings as a guest at other people's homes.
b) New bookings at your home.
c) Your email address.
d) Your phone numbers.
e) Your connected social/Google accounts.
f) Your booking permissions - make sure they didn't add someone who can book trips for you.
g) Your co-hosts - make sure they didn't add co-hosts to any listings you're hosting.
h) Your host payout settings - make sure your money is still coming to you!
i) Your guest payment settings - make sure they haven't added stolen credit cards, since I'm sure you won't want to accidentally use them.
j) Your photos.
k) Your uploaded ID, if you have one - make sure they can't pretend to be you to regain access.
I hope this helps someone! Best of luck. And Airbnb, if you ever read these comments, please FIX YOUR 2FA AND YOUR CUSTOMER SUPPORT! There needs to be a hotline for hacked accounts!