
Airbnb hosts’ account data exposed in internal leak

Data exposure within Airbnb’s system was the result of a technical issue but was swiftly fixed, says the firm

Airbnb has contained a data security incident that occurred within its service and resulted in the data of a limited number of Airbnb hosts being exposed to other hosts inside the service when using its desktop and mobile web platforms.

Reports began to emerge late on the evening of 24 September that some users were able to access the inbox messages of their peers, as well as other personally identifiable information (PII) including the addresses of hosts and details of Airbnb properties.

The initial report posted to the Airbnb sub-Reddit claimed that when the host logged in, they were presented with another name and a different inbox, while their co-host saw a second, unrelated inbox.

Other Airbnb users were quick to share their experiences, with reports of hosts intercepting messages to arriving guests containing access codes for combination locks or key-safes. The original poster said they had contacted Airbnb and been advised to clear cookies on their internet browser.

Mark Simpson, a hospitality business expert and founder of booking site Boostly, said: “It is shocking to see accommodation hosts’ data revealed. Not only that, but I could see other hosts’ sensitive information, including passwords, phone numbers and key access codes for their units. A global company should take better care of their paying hosts and guests.”

An Airbnb spokesperson said: “On Thursday, a technical issue resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts.

“We fixed the issue quickly and are implementing additional controls to ensure it does not happen again. We don’t believe any personal information was misused and at no point was payment information accessible.”

It is understood that the unspecified issue was flagged and fixed within three hours and was the result of a technical malfunction, not a malicious cyber attack on the company’s infrastructure. Users who inadvertently gained access to the data of others were unable to modify it, send messages, or change bookings or listings.

Ray Walsh, data privacy expert at ProPrivacy, said that exposing the sensitive personal information of others, even within the confines of a platform like Airbnb with no apparent public exposure, still made this potentially a highly problematic incident.


“Having access to people’s sensitive personal information, including their names and addresses, as well as property security codes, is putting hosts and consumers at huge amounts of risk,” he said.

“It seems clear that the leak is going to cause a lot of upheaval for Airbnb hosts, who will need to update the codes to their homes in order to secure them and ensure they are not potentially at risk of burglary.”

Walsh pointed out that should reports that hosts were advised to clear their cookies be accurate, this was not an appropriate response by Airbnb’s support teams, as the onus should not be on the user to fix an internal issue.

He noted that Airbnb could find itself under investigation under the European Union’s General Data Protection Regulation (GDPR), as well as equivalent governance in the US and other jurisdictions. The GDPR sets a maximum fine for infringements of €20m or 4% of annual global turnover, whichever is greater.

Join the conversation

4 comments

Airbnb requires hosts to upload tax data (legal name & social security number) from hosts as well as a driver's license (photo, legal name, home address, & date of birth in the whole legal ID) to be uploaded.

This means every single thing you need to hack into someone's life is now on the black market.

My host payout method & address was changed this morning, and at this point, Airbnb is denying that there was any unauthorized activity and they're simultaneously blaming me for "possibly allowing a friend, family member, or coworker" to access my account while using a shared device.

They made this up out of thin air, no one has access to my accounts.

Mobile is kinda personal stuff so why not try to encrypt mobile traffic? A good way of doing that is to get yourself the best android VPN and keep all your traffic encrypted and secure. One of the most affordable mobile VPN is the FastestVPN that comes with a 15 day money back guarantee. 

Cyber security is one of the most important issues now. Therefore, you should choose professionals in their field - Utopia Ecosystem and sleep well)
