Airbnb hosts’ account data exposed in internal leak

Airbnb has contained a data security incident that occurred within its service and resulted in the data of a limited number of Airbnb hosts being exposed to other hosts inside the service when using its desktop and mobile web platforms.

Reports began to emerge late on the evening of 24 September that some users were able to access the inbox messages of their peers, as well as other personally identifiable information (PII) including the addresses of hosts and details of Airbnb properties.

The initial report posted to the Airbnb sub-Reddit claimed that when the host logged in, they were presented with another name and a different inbox, while their co-host saw a second, unrelated inbox.

Other Airbnb users were quick to share their experiences, with reports of hosts intercepting messages to arriving guests containing access codes for combination locks or key-safes. The original poster said they had contacted Airbnb and been advised to clear cookies on their internet browser.

Mark Simpson, a hospitality business expert and founder of booking site Boostly, said: “It is shocking to see accommodation hosts’ data revealed. Not only that, but I could see other hosts’ sensitive information, including passwords, phone numbers and key access codes for their units. A global company should take better care of their paying hosts and guests.”

An Airbnb spokesperson said: “On Thursday, a technical issue resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts.

“We fixed the issue quickly and are implementing additional controls to ensure it does not happen again. We don’t believe any personal information was misused and at no point was payment information accessible.”

It is understood that the unspecified issue was flagged and fixed within three hours and was the result of a technical malfunction, not a malicious cyber attack on the company’s infrastructure. Users who inadvertently gained access to the data of others were unable to modify it, send messages, or change bookings or listings.

Ray Walsh, data privacy expert at ProPrivacy, said that exposing the sensitive personal information of others, even within the confines of a platform like Airbnb with no apparent public exposure, still made this potentially a highly problematic incident.

“Having access to people’s sensitive personal information, including their names and addresses, as well as property security codes, is putting hosts and consumers at huge amounts of risk,” he said.

“It seems clear that the leak is going to cause a lot of upheaval for Airbnb hosts, who will need to update the codes to their homes in order to secure them and ensure they are not potentially at risk of burglary.”

Walsh pointed out that should reports that hosts were advised to clear their cookies be accurate, this was not an appropriate response by Airbnb’s support teams, as the onus should not be on the user to fix an internal issue.

He noted that Airbnb could find itself under investigation under the European Union’s General Data Protection Regulation (GDPR), as well as equivalent governance in the US and other jurisdictions. The GDPR sets a maximum fine for infringements of €20m or 4% of annual global turnover, whichever is greater.