Airbnb hosts today took to Reddit to complain that, upon opening their inbox, they were automatically and erroneously served the inbox of a different host. The massive data blunder, which was reported by a number of different Airbnb hosts, resulted in them being served messages and correspondence that included sensitive personal information about hosts and users, including addresses, names, and the codes to get into rental homes.
How Airbnb Exposed Hosts' Data
The alarm was first raised by a user going by the handle "callagem", who stated that "I'm logging in as a host and it's welcoming me with a different name and inboxes", adding that, "I can see the messages including people's addresses and the codes to get in their homes. This means someone else may be able to see mine."
Following the revelation, fellow Airbnb hosts started to come forward also claiming that they were being served the wrong inbox. One user called norad73 made the claim that they had contacted a number of other hosts, who were also reportedly having the same problem:
I've talked to 5-6 hosts I know, they all have the same issue. Seeing inboxes of random hosts from all over the world!
Another user going by the handle flashover212 commented that they had "been in Support limbo all afternoon with no resolution in sight. I can't access my own inbox to communicate with guests but I can access hundreds of other hosts'."
According to an Airbnb host, the firm told them that it was not experiencing anything unusual on its side. That is an extremely concerning statement to make, considering the huge numbers of hosts that have taken to Reddit to complain.
The Impact on Hosts and Guests
This kind of accidental data leak is extremely concerning, and one can only hope that whatever caused it to happen has now been fixed by Airbnb. The original poster callagem has claimed that "It has been fixed now for me." This raises some hope that Airbnb was able to rectify whatever it is that caused the monumental privacy-invading glitch.
However, for those hosts who were served the wrong inbox, and those account holders whose data was leaked to other hosts, it is bound to have caused a lot of fallout.
For starters, anybody whose inbox was leaked, and whose home entry codes were disseminated, will now need to update those codes to ensure that their property is not potentially vulnerable to burglary. For this to occur, Airbnb will need to provide clarity over the data blunder by making direct contact with anybody whose inbox was accidentally served to another host. Only then will they understand that there is a potential risk to their personal data and home.
The data leaked by Airbnb is highly sensitive, and it could easily be leveraged with criminal intent, for example for phishing. This makes the Airbnb data leak deeply concerning, and if verified it is sure to lead to an investigation by the FTC, the UK's ICO, and the data protection authorities of any other countries whose citizens were affected by the breach.
Needless to say, if it is found that the data leak was caused by negligence and improper data protections on Airbnb's part, this consumer data leak could potentially lead to some rather hefty fines. After all, GDPR sets forth fines of up to 10 million euros (or 2% of the business' entire global turnover in the preceding fiscal year, whichever is higher). Airbnb could also find itself facing some pretty serious lawsuits.
The onus is now on Airbnb to explain what happened and to ensure that everybody affected has been informed about their best next steps. Unfortunately, early indications appear to reveal that Airbnb is not being particularly forthcoming with help.
Airbnb allegedly informed Reddit user callagem that they should clear their cookies to solve the problem. This is all well and good, but it does nothing to resolve the other repercussions created by the leak, and it is not yet clear whether clearing browser cookies did resolve the issue. It is also an extremely lackluster response to such a severe issue, because it should not be on Airbnb hosts to solve this kind of data leak themselves.
What we can say with some certainty is that the number of hosts complaining on Reddit appears to reveal that this has been one of the most severe and invasive data leaks in recent memory.
We reached out to Airbnb for comment, and the company had this to say on the matter:
On Thursday, a technical issue resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts. We fixed the issue quickly and are implementing additional controls to ensure it does not happen again. We don’t believe any personal information was misused and at no point was payment information accessible.
The technical issue occurred at 9:30 am US Pacific time on Thursday, was identified within an hour, an investigation was launched by our engineering and security teams, and the issue was fixed at 12:30 pm US Pacific time. This was not the result of a malicious attack on Airbnb infrastructure. It only existed on the desktop and the mobile web platforms - not on the mobile app. The users with inadvertent access could not modify the other users’ data (i.e. send messages, book/alter listings, or perform any actions impacting the payments of the actual user’s account).