Airbnb May Be Exposing Private Host Inbox Messages, Bookings And Earnings Data

Airbnb may be at the heart of a severe security incident as hosts report they are able to inadvertently access private inboxes that are unrelated to their accounts. 

On Thursday, Airbnb hosts flooded Reddit, querying the sudden appearance of inboxes that do not belong to them when they signed into the service. 

See also: CISA says a hacker breached a federal agency

In screenshots of an inbox shared on the platform, Reddit user "Autocasa" said that they had "no association with these people or their apartment names."

While no guest account, as of yet, has reported similar issues, hosts are saying they are able to see other people's addresses and other information -- such as codes required to access a property -- which means that the Airbnb inbox issues could be considered an extremely serious security incident that could compromise the security of people's homes. 

Several screenshots uploaded to Imgur also appear to reveal information including host names and profile pictures, booking earnings, the number of bookings over a 30-day period, and property views. 

CNET: Facebook says fake accounts tied to Russia posed as journalists and promoted other websites

It has also been suggested by more than one host that on refresh, new inboxes relating to other hosts appear and are accessible.

"I have been in support limbo all afternoon with no resolution in sight," user "Flashover212" said. "I can't access my own inbox to communicate with guests but I can access hundreds of other hosts."

"We've reloaded, logged out and back in, tried a different browser... still happening. But it changes each time. I've seen Jill, Kourtney, Brandeis, Jeff and Tammy, GoodNight, Alex, and more," another user added. 

TechRepublic: Synack: Federal agencies and banks have made the most cybersecurity improvements

One Reddit user claims that while on the phone to Airbnb, a representative simply recommended "clearing out their cookies" or trying a different browser. In some cases, logging out and logging in stopped the issue from occurring -- but not all in every case currently reported online. 

"It is vital for Airbnb to fix whatever is causing the problem right away. Early reports appear to indicate that Airbnb is telling hosts to clear their cookies in order to fix the problem," commented Ray Walsh, Digital Privacy Expert at ProPrivacy. "This is not a suitable response because the onus should not be on consumers to fix Airbnb's mistake. In fact, some hosts are reporting having access to a different inbox each time they log back in, meaning that Airbnb's customer support advice is actually compounding the issue."

Update 16.37 pm BST: Airbnb told ZDNet that a "technical issue" occurred at 9.30 am PST and was identified within an hour as impacting desktop and mobile web platforms, but not the Airbnb mobile app. The security issue was resolved by 12.30 pm PST. While inadvertent access was granted to some users, Airbnb says they were not able to modify any of the leaked data.

"On Thursday, a technical issue resulted in a small subset of users inadvertently viewing limited amounts of information from other users' accounts," Airbnb said. "We fixed the issue quickly and are implementing additional controls to ensure it does not happen again. We don't believe any personal information was misused and at no point was payment information accessible."

Previous and related coverage

• Slammed by coronavirus outbreak, Airbnb axes a quarter of its staff
  
  
• Airbnb acquires Gaest.com for booking offsite meetings
  
  
• Shopify discloses security incident caused by two rogue employees
  
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0