My Account is hacked

Sam736
Level 2
New Territories, Hong Kong

Let me recap what I have encountered in this case. When I woke up this morning, I saw that there were 2 credit card transaction records shown in my mobile SMS notifications, and they were all from Airbnb. So I logged in to my Airbnb account with my mobile and saw there were two reservations which booked a room located in South Africa. One was already cancelled while the other was confirmed. The total transaction amount of these 2 bookings is around 9,000 HKD. Obviously, both bookings were not made by me, so the first thing I did was change the password in the Airbnb app and then call the card center to cancel my credit card. After that I called your Airbnb hotline immediately and asked what had happened to my Airbnb account. It seems like my Airbnb account has been hacked. This is the background of this case.

As for my background, I have been an IT professional for more than 10 years, with CISSP, MCSE and CCNA IT certifications. I am sure that my password and all my devices are secure, and my password complexity is strong enough.

Airbnb claims to be the leader of worldwide accommodation apps, but I doubt your branding and even your system security, and seriously I am thinking your authentication system has a vulnerability. What I am thinking is that your system has been hacked before, so that my account, my password and my information have been disclosed to those hackers.

Below are my queries about this case.

1st, I have enabled MFA in my Airbnb account, so the question is why the hacker could still log in without my SMS verification code. It is a disastrous login vulnerability, and I think your IT security team should find out the root cause of it.

2nd, I should receive an email notification if my Airbnb account is logged in to from another device; however, I did not receive any email regarding it.

3rd, your authentication system does not have AI verification technology for logins from two different countries within a short period, e.g. in my case, I logged in from HK and then the hacker logged in from the US. If your system were clever enough, it should have already suspended my Airbnb account; however, it didn't. Sadly, it is totally different from what I read before about Airbnb's machine-learning model.
https://medium.com/airbnb-engineering/fighting-financial-fraud-with-targeted-friction-82d950d8900e

4th, I have checked the house that the hacker booked. I checked the location on the map and it is located in the Mediterranean Sea, but the address shows that it is in South Africa. OMG, why would your team still approve them to be a host on Airbnb? (Probably the host is the hacker in my case.)

To summarize all of the above points, I really think that your system's IT security is unacceptably weak and has vulnerabilities. I even think your system lets those hackers earn money very easily. They just need to register as a host with a fake address and then they can get the money from the hacked account.
I am thinking about whether I should still use your system to book my travel accommodation in the future. I would surely not recommend my friends or my family to use your system anymore. Or I am thinking of taking legal action or reporting your security vulnerability on social media. I think it is time for your IT security team to face up to this issue.

I just used Airbnb to book accommodations last week for my September honeymoon trip. I am worried that this will affect my trip as my credit card has been cancelled due to this unacceptable case. Also, the same card was used to book all the flights, hotels and travel agent for my trip, so it is unpredictable how it will affect my honeymoon trip. I am really upset and disappointed about it.

Moreover, because of this case, I have taken one whole day of annual leave from my job to go to the police station to open the case and to go to the bank to process the credit card cancellation and get the credit card transaction information for the police. It was really troublesome. Please think about how your team will compensate me for my loss.

Please follow up on the case ASAP, or else I will consider taking legal action or sharing this disastrous experience on social media.

Sam
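The check asked about in the third query of the post above (a login from one country followed shortly by a login from another) is usually called impossible-travel or geo-velocity detection. The following is an added example, not part of the original post and not Airbnb's code; the login events are constructed, and the coordinates and the 900 km/h threshold are assumptions.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruise speed

# Constructed login events for one account (illustrative, not real data):
# (UTC timestamp, country, latitude, longitude)
SAMPLE_LOGINS = [
    ("2024-01-01T22:10:00", "HK", 22.32, 114.17),
    ("2024-01-01T23:40:00", "HK", 22.32, 114.17),
    ("2024-01-02T01:05:00", "US", 40.71, -74.01),
    ("2024-01-03T09:00:00", "HK", 22.32, 114.17),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def flag_impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (from_country, to_country, km, kmh) for each consecutive pair
    of logins whose implied travel speed exceeds max_kmh."""
    events = sorted(logins, key=lambda e: datetime.fromisoformat(e[0]))
    flagged = []
    for prev, cur in zip(events, events[1:]):
        km = haversine_km(prev[2], prev[3], cur[2], cur[3])
        if km < 1.0:
            continue  # same place: nothing to flag
        hours = (datetime.fromisoformat(cur[0])
                 - datetime.fromisoformat(prev[0])).total_seconds() / 3600
        # Simultaneous logins from distant places imply infinite speed.
        kmh = km / hours if hours > 0 else math.inf
        if kmh > max_kmh:
            flagged.append((prev[1], cur[1], round(km), kmh))
    return flagged

if __name__ == "__main__":
    for src, dst, km, kmh in flag_impossible_travel(SAMPLE_LOGINS):
        print(f"suspicious: {src} -> {dst}, {km} km at {kmh:.0f} km/h")
```

Only the HK to US pair is flagged; the later return to HK, more than a day afterwards, is within the assumed threshold. A rule like this also fires on VPN and mobile-carrier egress changes, so it is normally used to trigger step-up verification rather than outright suspension.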

4 Replies
Branka-and-Silvia0
Level 10
Zagreb, Croatia

@Sam736 

I am really sorry for your trouble, but unfortunately you are not alone; I've seen the same posts before.

This is just a forum for hosts and guests where we can share our experiences and ask for advice from other hosts. You should contact Airbnb directly and here you will find how:

https://community.withairbnb.com/t5/Help/Contact-Airbnb-A-Community-Help-Guide-UPDATED/m-p/413245

Be persistent until your case is solved.

Good luck

 

Ana1136
Level 10
Ohrid, Macedonia (FYROM)

@Sam736 you could consider entering your credit card info only when you need to pay for something and not have it saved on multiple accounts, whether it is Airbnb or some other platform. It won't take up much time but at least you could be sure that nothing like this could happen.

Sam736
Level 2
New Territories, Hong Kong

Yes, you are right. I won't save any card info on Airbnb anymore. But what we should be concerned about is not whether I saved my credit card info. We should be concerned about why my Airbnb account was so easy for someone to hack even though I have enabled multi-factor authentication, and also why Airbnb allows a host who is using a fake address location. This is what concerns me the most.

Ana1136
Level 10
Ohrid, Macedonia (FYROM)

@Sam736 everything that is on the internet can be hacked; we don't have a way to know if it was easy for them to do it or not. There are personal details stolen every day and systems hacked that are much more secure and hold much more sensitive files than our credit cards; you know better since you are an IT professional. Every time we post something on the internet we are at risk; we can only do the small stuff to protect ourselves. The credit card I use for online payments is always empty, for example, no matter if I don't save it on any platform. I only transfer money when I plan on paying for something. I agree with you, we should be safer online, but I don't see that happening any time soon because as the protection advances the hackers advance too.