Airbnb host account hit by hackers. How did a hacker steal $34,250 from an Airbnb host ?
Home >> Travel Troubles >> Hackers stole $34,250 from this Airbnb host. How did this happen?

Hackers stole $34,250 from this Airbnb host. How did this happen?

Photo of author

Michelle Couch-Friedman

Consumer reporter and ombudsman

Airbnb host Nancy Isa recently got a terrible shock when she discovered hackers had broken into her payout account. Unfortunately, by the time she noticed something was wrong, Airbnb had been making regular payments to the scammers – for five months. 

In total, the hackers stole $34,250 from Nancy’s Airbnb host account. 

Then things went from bad to worse. With all that money on the line, Nancy contacted the listing giant in a panic. She was hoping for some calming reassurance that all was not lost. Instead, Airbnb immediately locked the host out of her own account and then went radio silent. 

That’s when Nancy reached out to the Consumer Rescue team. She’s hoping we can convince Airbnb to give back her access to her host account – and her $34,250.  

But after six months, is that possible?

Someone changed the payee in my Airbnb host account!

Late one Friday afternoon last month, Nancy sat down to tackle a task she had been putting off for a while – reconciling her Airbnb business account. 

As an Airbnb host, Nancy had dedicated much time and effort to make her property welcoming to her many satisfied guests. As a result of her hard work, the property was regularly generating nearly $6,000 per month. 

So when she looked closely at her bank account and could find no payments from Airbnb for many months, she was at first confused. But the situation became crystal clear when she signed into her Airbnb host account.  

In the primary payout field was the name of a total stranger and a bank account that wasn’t hers.

“Someone had been able to change the payee of my host account inside Airbnb. I couldn’t believe it! Airbnb didn’t call me or alert me of the change – even though this new account was in Germany.”

Nancy started scrolling through all the transactions going back into June. Suddenly she realized with dread just how long it had been since she had signed into her Airbnb account.

The hacker who had broken into Nancy’s Airbnb host account had been enjoying the fruits of her labor — stealing her cash — for half a year.

“When I totaled up all the transactions, it came to $34,250,” Nancy explains. “I was sick.”

Airbnb locks the host out of her own account.

Nancy’s next move was to call Airbnb host support. She needed to know how to immediately remove this intruder from her account.

“I also wanted to know if I was protected and how to get my money back,” Nancy recalled. “But I didn’t get any clarity. Instead, Airbnb locked me out of my account.”

That was a big problem because Nancy had guests at her Airbnb property at that moment. She also had new guests arriving in two days.

Now she had no way to communicate with her guests. Nor did she know if the hacker had been locked out, too, because Airbnb wasn’t communicating with her.

Not knowing where else to turn, Nancy started looking for answers on the internet. That’s where she found an article I had written about an Airbnb guest who found a mouse inside the property and wanted a refund. 

Nancy hoped I could reach out to Airbnb and help her too. So she submitted her request for help to Consumer Rescue.

Asking the Consumer Rescue team for help

Nancy’s plea for assistance landed in the Consumer Rescue inbox early one Saturday morning. Understandably, she was distraught and had many concerns.

Of course, the missing almost 35 grand was the most disturbing aspect of the situation. But with guests currently at her property and more scheduled to arrive soon, the immediate problem was her need for access to her account. 

[The hacker] was able to divert $34,250.21 into his bank account until I realized the theft!!!” I NEVER received an alert from AirBnB that this account was added.

A foreign phone number was also added to the account. +49 *********

Airbnb has locked my account since 8 pm last night. Today, I have called them every hour on the hour, and no one can tell me anything about my account. The fraudulent bank account STILL exists in my account b/c AirBnB wouldn’t let me know if I should delete it or keep it as evidence.  

In addition, I am currently hosting guests and have more arriving tomorrow. I have no way of contacting them & AirBnB doesn’t seem to care. In my last conversation, I asked them if they could let me communicate with my guests, but I received no response. ‘I do understand that’ was all the operator could say over & over…???

I’ve read about your wonderful work with similar cases & I am praying you can help me.

Nancy Isa

I hoped I could, too.

A big mistake: not checking an Airbnb host account regularly

Settling down in my office chair, still in my flannel PJs (remember it was an early Saturday morning 😛 — pajama day in my office.), I read through Nancy’s entire paper trail. It was clear that at some point in June, a guy named Jesus in Germany, who had no previous affiliation with Nancy, had taken over her account. 

As I exchanged emails with Nancy, I could feel her panic. 

I’m terribly embarrassed by this. But my business is not 100% reliant upon AirBnB. I have other sources of revenue, so it didn’t cause a red flag until the revenue discrepancy this month became extremely noticeable. Again, I never in 1,000,000 years thought I needed to check the security settings on [my Airbnb host account].

That was a monumental mistake, as Nancy now realized.

I had read and heard enough. It was time to ask our executive contacts at Airbnb to have a look at Nancy’s case. I hoped that the immediate problem of not being able to have a way to communicate with her guests could be easily fixed. 

The missing $34,250, I suspected, would take longer to resolve. 

Asking the Airbnb executive resolution team to help its host

I have always found the executive resolution team at Airbnb to be swift and helpful in responding to our advocacy team. I sent Nancy’s case over to our contacts and waited. 

Hi *** !

Hello there! I just received a distraught message from an Airbnb Host, Nancy Isa. 

Someone apparently hacked her account several months ago and changed the default bank account payee from her bank to the hacker’s bank account. Nancy hasn’t been checking her payouts, so she didn’t realize until yesterday that nearly $35,000 has been diverted to this hacker. She’s filed a police report and an FBI report since yesterday, but as part of the investigation, Airbnb has deactivated her account. She currently has guests in her Airbnb rental and has no way to contact them at this time. She’s spoken to Airbnb and explained that she needs to have access to her guest’s information (and also be available to them if needed), but no one at Airbnb has provided her with a way to make contact. She also needs to know what to do next regarding the missing funds. She had no idea someone could hack into her account and change the payee without any notification. 

Could your team have a look at this situation and see if there is a way to secure her account so that she can have access to her guest’s information during the investigation? Thank you!

Michelle to the Airbnb executive resolution team

A few hours later, I heard back from the Airbnb team. Nancy was granted access to her account so that she could communicate with her guests. 

Jesus was also deleted from her account. 

We were making progress. 

Airbnb to its host: We’ve closed your case

But the next day, a Sunday, Nancy received an alarming message Airbnb had closed her case. 

I’ve asked them to reopen my case. I know you are on my side and that it is unfortunate that it took me five months to uncover the fraud; believe me, I have been kicking myself every day since this happened!!! But had I received an alert from Airbnb, I wouldn’t be in this predicament & that never happened.  

Should hosts be expected to check their accounts monthly for fraud? Is this reasonable in the eyes of the law? Shouldn’t AirBnB be responsible as well?   

It’s the $220B corporation vs. the lowly female-run small-business owner who is trying to recoup lost revenue to pay her mortgage. AARGH! 

THANK YOU,

Nancy

Of course, the answer to Nancy’s question is, yes, a business owner should check their accounts monthly … but Airbnb also has a responsibility not to allow hackers to change the beneficiary of a payout account. So I didn’t think Nancy’s case was a lost cause yet. 

And the next day…

The good news: Here’s your $34,250 back – and a warning 

The following day, Nancy received a very welcome message from Airbnb.

The good news: Airbnb will return the money the hacker stole from the host.
An Airbnb representative casually lets Nancy know he reissued her $34,250 payout into her host account — all the money the hacker “Jesus” had stolen.

And I received a more detailed explanation from our executive contacts at Airbnb. 

Hi, Michelle, 

I hope you’re good! Following up to confirm this has been resolved for the host, we’ve reinstated her account and fully reimbursed [Nancy]. On communications, we’ve confirmed that Airbnb sent three separate notifications to the original email address on the host’s account about account activity.

Thanks a lot,

Airbnb spokesperson

As for Nancy, she maintains that she never received any alerts from Airbnb about the change to her account. And I can’t tell for sure, but I think she’s pleased with the help she received from Consumer Rescue.😜

Good morning Michelle!

WOW!

You are a miracle worker & my guardian Angel. 

Thank you! Thank you! Thank you! 

Best, Nancy Isa

And we’re happy to have been able to help!

How to protect your Airbnb account whether you’re a host or guest.

Unfortunately, criminals are always scheming up new ways to take advantage of their victims. But whether you are a host or a guest, you can do a few things to make your Airbnb account an unappealing target to hackers. 

  • Sign into your account regularly. Hackers know that, in most cases, they must conduct their schemes quickly before they’re detected. A hacker’s dream come true is an account that has little oversight. What was meant to be a one-hit, quick attack can now go on and on and provide a steady stream of revenue for the criminal. You can avoid being a long-term victim by regularly signing into your Airbnb account and ensuring everything looks as it should. 
  • Pay attention to messages from Airbnb. Don’t let the ads and newsletters you receive from Airbnb cause you to start ignoring messages from the company. If a hacker gets into your account and starts changing things, you’ll receive an email alerting you of the alteration. If you ignore that message, Airbnb will assume you made and approve of the updated information. If you’ve got payout information or a credit card stored in your account, never disregard any correspondence from Airbnb.
  • Turn on 2-step authentication. Turning on Airbnb’s 2-step authentication adds one more layer of protection between you and bad guys who want to steal your money and personal information. Sure, you’ll need to spend slightly more time accessing your account – but most hackers just move on to another target if they can’t easily get in. And think of all the time you’ll save trying to fight the aftermath of a hacker attack if you prevent it before it happens. 
  • Don’t reuse passwords across the internet. Reusing the same password on multiple sites is not a good practice. But criminals know that many people do. Often when hackers gain access to a person’s account on one site, they will try the same passwords across many other sites. Your problem will immediately be multiplied if you’re using that same password all over the internet. Best practice: Always use a unique password and login combination for every online account. This process can be easy if you use a password generator like Dashlane. (*One of my trusted editors recommends this particular generator, but there are many others).
  • Do not store debit or credit card information in your account. No one should store debit or credit card information in their Airbnb account (host or guest). There is no reason to allow this information to sit in your account like bait for a hacker. Each time you rent a property, manually enter your payment method. Otherwise, you could be in for an unpleasant surprise after a scammer treats themselves to an Airbnb vacation using your money. You can avoid that scenario by never leaving your payment source inside your Airbnb Account. 

The bottom line

As a business owner, an Airbnb host must keep a sharp eye on all transactions on a regular and consistent basis. Nancy knows she dodged a bullet here and has learned a precious lesson… luckily, it didn’t cost her $34,250 to learn it. 

If you have a problem you can’t solve on your own – or you just need an empathic ear – contact the Consumer Rescue team, and we’ll be happy to help you, too. 😊 (Michelle Couch-Friedman, Consumer Rescue)

Pin2LinkedIn
Photo of author

Michelle Couch-Friedman

Michelle Couch-Friedman is the founder and CEO of Consumer Rescue. She is a consumer advocate, ombudsman columnist, mediator, writer, and licensed psychotherapist. Michelle is a public speaker, and her expert guidance has been cited in MarketWatch, Consumer Reports, Travel & Leisure, The Wall Street Journal, Newsweek, Popular Science, CNN, CNBC, Boston Globe, CBS News, National Geographic, Travel Weekly, Reader's Digest and more. You might even catch Michelle on TV reporting on a situation. :) Michelle is also the travel ombudsman columnist for The Points Guy and is the former executive director of the nonprofit Elliott Advocacy. During her six years in that position, she resolved thousands of cases for troubled travelers and other consumers. You can read hundreds of 5-star reviews Michelle earned during her service to the nonprofit since 2016 here on Great Nonprofits. She is also a member of the Society of American Travel Writers. Today, she continues to spend as much time as possible fiercely defending consumers and traveling the world with her family. Contact her at Michelle Couch-Friedman or on Linkedin, Twitter or Facebook.