Hi Clare,
You've provided some helpful tips, but they don't necessarily address my biggest concerns. I do have all notifications turned on - it's how I immediately discovered and responded to my account being taken over. But the notification are only as effective as the subsequent actions taken by Airbnb and host. Let me explain further:
After I notified Airbnb that I was not responsible for the change of email, I didn't receive a response. So I called Customer Experience an hour later. This action resulted in my issue getting "escalated." I asked several questions to gain better understanding of the issue including what I should/could do to help. I was advised to do nothing and wait, while given the option to decline requests if I felt like it. So at this point, all of the onus has been on me. Which is fine, but knowing that taking action is up to me is invaluable and timely information.
Three more calls to Customer Experience and nine hours later my issue was still waitlisted and a service rep informed that he could get me back into the account so I could reset my e-mail and password. This floored me. One, that it was still waitlisted seemed like a very lax stance on protecting personal information (whoever was in my account had access to my name, birthdate, address, phone number, email, pictures of me and my PayPal account all day!). Two, if I had the option to get back into my account and protect it myself it seems that would be the FIRST and foremost recommendation any service rep would make to me. Many companies feel a responsibility to take assertive action and contact their customers straight away, rather than waiting for customers to reach out, knowing that protections and swift action in identity vulnerability and fraud issues benefit everyone involved.
I still can't imagine why it took so long for me to find out more about the goings on. To the annoyance of everyone I spoke to, I asked numerous probing questions trying to seek guidance from the Airbnb support team, only to find out several hours later that you had sound advice in your back pocket all along. I still don't have clarity about what happened. I don't know what Airbnb knows about account takeovers that they didn't share with me; only that they did not seem to find it urgent (based on actions, not words). If Airbnb has good reason not to be alarmed, certainly concerned customers could benefit from learning why not.
It's clear that your Customer Experience staff are well trained. Not one of them strayed from the script they've been given and they all seemed aware of their limitations to escalate an urgent issue any further. In order to better protect your users and their identities, I strongly recommend training staff to be more forthcoming in matters like this about how much action Airbnb can and will take, in what kind of time frame they may do it, and what the user can do to help their situation. WHY wouldn't you?!