Cybersecurity consultancies are reporting serious risks for all travelers and property owners who use Airbnb. Criminals have discovered that both host and guest accounts are relatively easy to take over, or to buy as stolen accounts from hackers’ marketplaces. Criminals don’t necessarily have to hack and break into Airbnb’s computer systems: once they have access to a user’s account data, they can log in to Airbnb as a host or as a guest.
When you sign up to Airbnb as a host or guest, you have to submit documents with photographs that identify you to the online service. Those documents may include your passport, driving license, recent selfie, and an identity card. Your credit card data, phone number, address and earlier bookings are saved in the account as well. Airbnb says it needs all these documents to conduct background checks and to prevent potential fraudulent behavior. If all these official documents about a person fall into the wrong hands, the result is likely to be devastating harm to that person.
Now, stolen Airbnb accounts are traded on hacker forums on the internet. Even a criminal who doesn’t have the skills or time to snatch accounts can buy them for bargain prices. Prices vary from one dollar to 100 dollars for a verified account. The accounts can then be used, for instance, for booking accommodation with the original account owner’s ID and credit card, or for other purposes.
How do cybercriminals take over Airbnb accounts?
Two techniques are favored by criminals who want to take over Airbnb accounts: stealer programs and cookie grabbing.
Stealer programs are malicious software applications that sneak into a computer, and then sit and wait for user names and passwords to be typed. When this activity is detected, the stealer program grabs the data and sends it to the criminal. The thief can then log in to Airbnb as the account owner, whether host or guest.
The EU’s GDPR regulation, which asks for permission to save cookies, does so for privacy reasons, but cookies are a security risk as well. A cookie is a small file stored on a user’s device that typically includes data about connections to a specific online service. To snatch cookies, cybercriminals need physical access to the device, or they can sneak a malware program onto the device that sends the cookies to them. If a criminal manages to get access to a cookie that has recently been used by an account owner, they may be able to access the owner’s Airbnb account without logging in.
What to do to prevent losing your Airbnb account to criminals?
If someone else can log in to your account, it can be a sign that you have leaked your password, or that there is a nasty security problem in your computers or mobile devices. The devices may be compromised, and should be examined.
For account protection, two-factor authentication is a good start. When you activate two-factor authentication for your account, criminals can’t log in even if they have managed to snatch your user name and password.
Deleting (or deactivating) your Airbnb account will stop criminals (and you) from using your account, and that is exactly what some travelers have done because of successive serious problems with the service.