My Airbnb account was hacked, here is what happened:

Thomas18
Level 6
Baltimore, MD

My Airbnb account was hacked!

 

The summary:
- Someone figured out my password and let themselves into my account.
- Created a “Team”
- Added themselves as a “Team Member” and gave themselves all the permissions
- Created five new listings that directed potential guests to contact them off of Airbnb (on WhatsApp)

Check your accounts right now! Check your “Team” settings and check your log-in activity for computers you don’t recognize.

 

The whole story:

 

So, I was woken at 6:30 am by an Airbnb alert stating that "Your listing has been published. It's now live on Airbnb and can be found and booked by guests". I'm not a morning person, so while I'm staring at my phone in a fog of confusion, four more identical alerts popped up. Suddenly I'm hosting "Best location in Rayol, newly house & pool" and five other houses like it in France. I also see that there's a sixth listing in the process of being created. This one is offering my home in Baltimore, where I list individual rooms, as a whole house rental! The one that I opened up was a fully formed listing that they clearly stole from someone in France, but it asked the potential guest to contact the "host" on their WhatsApp account in the description. So, instead of scamming hosts by booking outside of Airbnb, they are trying to do it to the guests now.


Now sufficiently alarmed, I roll out of bed and get on my iPad. While I'm trying to find some way to contact customer support, I realize I don't have time for that because I'm battling a hacker in real time. As I started to delete the new listings, I get an inquiry from "Anastasia" for one of them, which I ignored until after I finished deleting all the active listings (more on this later). I found that there's no way to delete the listing that's in the process of being created, so I then changed my password thinking this would lock out the hacker.


I admit that my password was weak. Seven letters and a number. It was one that I had for the past 10 years. I believe I turned on dual factor authentication in the process, or it was turned on for me. It was confusing so I'm not sure. In any case, it's on now.


I contacted customer support via online chat which I eventually got to after struggling with the Airbnb Bot and eventually typing "I need to speak to customer support". I got a real person soon afterward and once I explained the situation and she looked at my account, she said she'd "forward me to the correct department". Then nothing until I received an email three hours later:

 

 

"Hello Thomas,
I’m Jennet with Airbnb. Thank you for securing your account with a new password.
We’ve reviewed your account and confirmed that the actions that you took have successfully prevented further unauthorized activity.
Thanks,
Jennet"

 

 

Yeah cheers thanks a lot... While I was waiting I noticed I was locked out of my account for a short period. After that I saw that they had deleted the one listing-in-progress that I couldn't. However, she was wrong. My account was still not secure.


Later that afternoon nine more new listings popped up. These were all just started when I found them. This time I was on my desktop, where there are a lot more menus available to us. As I was poking around to see how this could have happened after I changed my password (I changed it yet again), I found "Activity "NEW"" in the menu that popped down when I clicked on my profile pic. This is an activity log for all changes made to the account that also lists who made them. The new listings were created by someone named "Letty". There's someone else in my account! I remembered that we could add a co-host to our accounts but I never looked into it. I clicked around some more and found "Teams", and there it was. I was now part of a team called "Franc" and the other team member's name was "Letty Heb". Letty had a profile pic, an email address, her very own password to access the account (this is how she continued to have access even after I changed the password), and all the permissions checked off, including creating listings.
I deleted her and the team. So I think I got it under control. Interesting that it escaped the notice of customer support. After all, it was Letty that created the listings I was complaining about?

 

And... it turns out that I unwittingly communicated with Letty. Remember Anastasia that inquired about one of the fake listings in France? While I was waiting to hear from customer support I answered her to let her know that the listing was a scam and to not contact the "host" on WhatsApp. At some point I was able to see the last name on the account (I don't know why, maybe she actually booked it at some point?)... I was talking to Anastasia Letty. I guess she saw that I was taking action and she sent me an inquiry to feel me out? Creepy.

 

I’m still trying to get through to Airbnb Customer Support to report the second hack and alert them to the vulnerability that “Teams” created. 

Mary996
Level 10
Swansea, United Kingdom

OMG. @Thomas18 You are a hero for having sorted this one out. It's an incredible story and a real page turner. I don't know what to say except WOW!!

Are you ok might help? You might be feeling exhausted after all that adrenaline. Here for you xx

Cathie19
Level 10
Darwin, Australia

Three cheers to you @Thomas18
My mind boggles that this happened, but more importantly, that Airbnb took three hours to get back to you...... Then didn’t keep it flagged, to monitor the ongoing creation of extra listings......

OMG!

 

Thank you for sharing, I am now checking my site. 

Branka-and-Silvia0
Level 10
Zagreb, Croatia

@Thomas18 

and all this before your morning coffee? 😄 Bravo!

@Branka-and-Silvia0

I know he's like a crack shot whizzo... straight into action! Good to have such a hero on board xx

Colleen253
Level 10
Alberta, Canada

@Thomas18 Did you check your payout and banking info to make sure hackers didn’t mess with that while they were in there?  Change your password every three months, at least. Make it random every time. Also check your listing and account settings and activity log regularly for suspicious activity. Airbnb is not secure at all, and Customer Circus is useless, as you’ve learned.

I did, thank you. Thankfully, their primary goal was to have guests book through them, off of Airbnb, and then disappear with the money. They could have really screwed up my account if they wanted to. 

Mary996
Level 10
Swansea, United Kingdom

@Thomas18 Phew thank goodness you swung into action. Might you be available to assist others or even to be de-briefed in order to assist Airbnb? You are a star xx

Thanks Thomas, glad you got it sorted in the end, what a nightmare.... The issue with my account was I never received any warning from Airbnb at all.... I just stumbled across the Chinese accounts logged into my Airbnb, I logged them out, now I can't receive any booking requests at all through email, I have to log into Airbnb account every few hours to see if there are requests, which is time consuming.... and still nothing from Airbnb support as to how I can get requests through my email.

@Rosie-and-Peter0 

Would it be worthwhile changing your email and using an entirely new laptop or accessing via a VPN screening device???

Inna22
Level 10
Chicago, IL

Thank you so much for taking the time to post! 

This is exactly what I have been talking about - CS and we have no idea about any known issues. First off, there should be a daily digest to hosts that should have included this possibility of this happening through teams feature the moment Airbnb discovered it the first time and second of all, CS staff should have known to check Teams, not to pat @Thomas18 on the shoulder for the job well done and move on.

 

@Catherine-Powell @Bez8 

Mary996
Level 10
Swansea, United Kingdom

Exactly @Inna22. So well expressed. Thank you. This was a real emergency and protocols for dealing need to be in place!! It's an outrage that @Thomas18 had to handle this himself. He was so competent. The next step must be for Senior Management to debrief him and to set up an 'instant response' unit. Here is a potential priority for HAB @Bez @Till-and-Jutta0 to take up to the Exec.

Bez8
Host Advisory Board Member
Vancouver, Canada

@Thomas18  @Inna22  @Mary996 

 

Thomas just wow. I'm sorry you had to go through that. 

 

I agree that the CS reps need to be better trained. Especially for urgent matters.

Elaine701
Level 10
Balearic Islands, Spain

OMG. Really. I'm rather speechless. What a fiasco.

 

Airbnb isn't likely to be much help. You got it under control though. Good on you! 

Susan990
Level 10
Redmond, OR

About your hacking...did this happen because Airbnb has a weak low grade security system for its site?

I recall poking around the site and discovering a part where it said "security rating C" but since cannot find it. Is there any way of discovering what the status or ranking of Airbnb platform is as compared to other similar on-line companies?

Susan