An Airbnb hacker spent a month in Malaysia using Laura Ward’s name, account and stored credit card. Now, after a failed chargeback, Laura wants to know how this happened and why she’s being held responsible.
Laura’s story is a complicated reminder about the ever-evolving dark web. Hackers appear to be invading every corner of the internet. And so it’s important for consumers to stay alert and proactive. Her case is also a lesson about persistence — one of the cornerstones of our advocacy practice.
An Airbnb hacker goes to Malaysia
Laura’s struggle with an Airbnb hacker began last October. After returning from a vacation, she reviewed her credit card bill. That’s when she discovered someone else had taken a journey of their own — using her funds.
“I found a charge on my credit card for $1,181 for a month in Malaysia through Airbnb,” Laura recalled. “I’ve never been to Malaysia or even considered it. And I haven’t used Airbnb since 2014. So I immediately called my credit card company and filed a dispute.”
Laura says that her credit card issuer, Barclay, reversed the charge and began an investigation. The bank also canceled her card and issued her a new one. Laura thought this bizarre situation was over.
Unfortunately, her 6-month battle against an Airbnb hacker was only beginning.
A failed credit card dispute
A month after Laura initiated the chargeback, she received a stunning response from Barclay. Airbnb had fought the credit card dispute — aggressively.
“Airbnb said they had proof it was me and not a hacker,” Laura lamented. “These thieves are good. Airbnb said that the IP address used to book the property matches mine. I definitely didn’t make this reservation.”
Airbnb provided Barclay with a detailed explanation of how it determined this was a valid booking. The report stated that the IP address and geolocation of the reservation matched Laura’s.
Based on the report from Airbnb, Barclay rejected the premise that someone hacked into Laura’s Airbnb account. The company rebilled the $1,181 and closed the credit card dispute in Airbnb’s favor.
Next move: Filing a police report over the hacked account
Laura found the credit card loss hard to believe. But it made her more determined to prove her case and get her money back from the faceless Airbnb hacker.
A police report can lend credence to a consumer’s case involving a hacker. And we know from past cases involving stolen frequent flier miles, many companies require a police report in these investigations.
And so, Laura was hopeful that a police report stating that a hacker had taken over her Airbnb account would lead to a positive resolution. She filed the police report and then sent it to Barclay.
Barclaycard won’t reopen this credit card dispute
Soon Laura hit another frustrating dead end. Citing the involvement of the fraud department, Barclay informed Laura that it could not reopen her credit card chargeback. Further, the bank recommended that she pursue other avenues to resolve her problem — “outside the credit card industry.”
Proving someone hacked into her Airbnb account
Laura still didn’t give up. She contacted an IT person, who determined that there seemed to be inaccuracies in the Airbnb report. This computer expert pointed out that the IP address placed its location in Chicago. Laura is in California.
But when Laura tried to provide this information to Airbnb, she found that now she was completely locked out of her Airbnb account. She had no way to reach the resolution team. Worse, right before she became locked out of her account, she had learned that someone had made a new reservation from her account — this time in Dubai.
Laura reached out to Airbnb on Facebook and Twitter and was instructed to change her password. She tried to do that, but then it seemed clear that someone had altered her Airbnb email address as well. Laura could do virtually nothing with her account. And she received no further instructions from Airbnb.
Now Laura wondered where else she could turn for help.
Asking our advocacy team for help
Desperate to find someone who would actually listen to her plea for help, she contacted our advocacy team.
However, when I read through Laura’s paper trail, I thought she likely would need an attorney to unravel this mess. Airbnb’s fraud department had provided a lengthy and thorough explanation to Barclay about the Malaysian rental. The documentation, Airbnb said, supported the charge since it had determined that someone using Laura’s IP address and geolocation had made the reservation.
The credit card company accepted Airbnb’s report as proof that there was no basis for Laura to charge back the Malaysian rental. It would seem that both Airbnb and Barclay were rejecting outright her contention that a hacker had taken over her Airbnb account.
Following the logical conclusion from there, Laura felt that she was being accused of fraud.
We know from experience that once a company escalates a case to its fraud or legal department, we typically can’t be successful with our mediation attempts. We don’t have a legal team. And so, for the most part, we are unable to mediate cases that involve accusations of fraud or crimes.
Still not giving in to an Airbnb hacker
But Laura had followed every reasonable step to combat this hacker and prove her case. Unfortunately, she wasn’t getting any closer to a victory line.
“I won’t be able to pay for an attorney as I could end up spending much more than I lost,” Laura told me. “What really troubles me is that Airbnb has not responded to my requests to discuss it.”
Laura could see that her Airbnb account was still active and she could see her family’s picture on the account. But she had no way to close the account and lock it. Someone was still using it. Now Laura was concerned that even without access to her credit card, the hacker was staying in Airbnb rentals around the world using her name and account.
Laura continued to send messages to Airbnb on social media. And team members continued to give her the standard response to change her email address and password. But whoever had access to her account already had changed both.
Contacting the Airbnb executive resolution team
I knew from the paper trail in the chargeback dispute that Laura’s case had been sent to the fraud department. And I knew that Airbnb had forcefully defended the Malaysian rental charge. The company appeared to be accusing her of fraud. Maybe there was something I didn’t know.
This case was a tricky one. However, I was hopeful that, at a minimum, we could get Laura’s Airbnb account taken down so that the hacker couldn’t continue his adventures in her name. At least a small victory would be better than none at all. Laura agreed.
Vindication and a refund!
And so, I sent Laura’s case over to the executive resolution team at Airbnb for review. I pointed out that the police were investigating the Malaysian rental and that Laura still hoped to get a positive resolution.
However, the pressing issue was Laura’s concern that this hacker was still using her account to make reservations in her name. She was worried about potential liabilities.
And to my surprise, within two days, Airbnb had completed its review and reversed its decision. Laura’s 6-month struggle was over.
Thanks so much for following up. Our team will be giving Laura a call today to ensure she is completely refunded and her account is restored.Airbnb executive team
Airbnb refunded the Malaysian rental and worked with her to secure her account.
When Laura was able to access her account, she was amazed to see a variety of conversations involving someone purporting to be her. This Airbnb hacker was actively planning additional vacations — and although Laura’s credit card wasn’t being used, her name was.
For now, Laura is just relieved that she has been vindicated and that her war against this Airbnb hacker is finally over.
Here’s how you can protect yourself against hackers
Unfortunately, we’ve recently been seeing a surge of requests for help from consumers who’ve been hit by scammers and hackers. These hackers aren’t limited to one company or even one industry. So it is critical that internet visitors maintain vigilance over their online accounts.
Here are a few things to keep in mind that can lessen your chance of becoming a victim of a hacker:
- Don’t store your credit cards inside your online accounts. Although it might be more convenient to do so, you might just be providing convenient access to a hacker too.
- Don’t ignore email alerts that announce a change has been made to your account. This is usually the first indicator that you’ve become a hacker’s target. Regular readers of my column will remember the case of Bonnie Orlin. She didn’t pay attention to those alerts and almost lost 120,000 American Airlines miles after a hacker got into her account and took several vacations before she noticed.
- Don’t click on any links inside an email that alerts you of an account change. This is also a tactic of hackers. If you receive an alert, go directly to the referenced account to check the validity of the alert.
- Don’t leave any type of online account dormant that contains your personal information. Inactive accounts are prime targets for hackers, as this Airbnb host found out recently. Regularly signing into your accounts will minimize the damage if a hacker is able to get in.
- Don’t use the same password and email combination across multiple platforms. Hackers know that consumers often have favorite password/email combinations. If a hacker gains access to one of your accounts, they will likely try the same combo across the internet. As a result, you might find your hacker troubles immediately multiplied if you aren’t using unique passwords on your accounts. (Michelle Couch-Friedman, Consumer Rescue)