Imagine logging in to your Airbnb account one day and finding other hosts' inbox messages in place of yours, due to a “technical issue.”
That’s exactly what happened in September of 2020.
Hosts of the popular rental marketplace took the situation to Reddit, angrily asking for answers to their questions. “Why are all our data and rental codes being exposed?”
Let’s find out.
How Did Airbnb Hosts Get Their Data Exposed?
To begin with, most Reddit posts by angry hosts tell a similar story: they found an inbox full of messages that didn’t belong to them.
Reddit user “callagem” described how strange it was to encounter a different name and a different inbox when logging in. He wrote: “I can see people’s addresses and the codes to get in their homes. This means someone else may be able to see mine.”
And he wasn’t wrong.
The user “flashover212” also stated that they could “access hundreds of other host’s messages.”
Another user added: “We’ve reloaded, logged out and back in, tried a different browser… But it keeps happening.”
Almost everyone seems to agree that the company's only response was a recommendation to clear their browser cookies. Not much more than that.
And as the users' responses confirm, this doesn’t work.
Fortunately, this doesn’t seem to affect guest accounts (no similar issues have been reported for them). For hosts, however, it is a serious privacy issue and a probable security risk for their homes.
This is because the leaked information can be used to access their properties.
But it doesn’t end here. I wish it did… But it just doesn’t.
Screenshots show that the flaw also reveals the host’s profile picture, their booking earnings, and how many bookings were made.
What did the company’s spokespersons say about it?
They say this error is not related to a data breach or malicious attack on their infrastructure.
Instead, Airbnb only refers to the leakage as a technical issue that was fixed very quickly. Additional controls are being added to prevent it from happening again.
“The users with access couldn’t modify the other users’ data, send messages, or alter listings. And it only occurred to those on desktop and mobile web platforms, but not in-app.”
And it’s still not clear if they will face repercussions for the breach. They defend themselves by saying “no personal information was misused and payment information wasn’t accessible at any point.”
Some have speculated that the Irish Data Protection Commission has received a breach notification from the property rental company, which is headquartered in Ireland.
So if the Commission acts on it under the GDPR, there’s a high chance of the company receiving a fine for infringements of €20 million (or 4% of annual global turnover).
The truth will be discovered soon. I truly hope you haven’t fallen victim to this flaw.
In such cases, you can’t do much to change the situation. But in the case of your own company (no matter its size), you can control almost every part of it.
So, what do you say… Let’s talk?
Unlike the Airbnb team, our team is fully transparent and communicative at all times. We won’t leave you alone in the dark.