@Clare0, unless you are not who you say you are, you have no idea what the extent of the security breach is. If you've googled Airbnb account hacked lately, I think you'd see this is not a "here and there" situation. That said, there are a few reasons why you might not just do a "whole enchilada" style approach:
1. They are not stealing credit cards; they are diverting funds and breaking into homes. This means that Airbnb doesn't necessarily need to report it to the credit card companies, is not a PCI issue, etc., so they are less likely to get caught. The resources credit card companies devote to those kinds of hacks are significant. They are avoiding that, which allows them to continue.
2. They likely just sold the data, rather than commit whatever crimes are necessary. If there were no big fish takers in the criminal world, which there might not have been given this isn't credit card data, they would have broken it up into smaller packages more affordable to smaller-time criminals.
3. Just because they have the ability to break in doesn't mean they themselves are able, or even willing, to do more than that. Hackers have areas of expertise and risk comfort levels just like everybody else in the world.
I would be asking myself far more important questions. Questions like if Airbnb, which lists itself as a technology company, took until April 2017 to institute such basic security measures as two-factor authentication (tech talk for having to verify password changes and logging in from different devices), what else haven't they done? I'm sorry, that is way too obvious a hole to ignore. Another question would be, if someone was phishing, why did they go after my Airbnb account, which is in and of itself valueless, instead of my bank account and credit cards? Why not my eBay, Etsy or any other account I have in the entire technology universe? Airbnb is the ONLY account I had any problems with in the last 5 years. Sorry, it's very clear to me where the security issues are, and it's not with the users.