Posts

Renting out your home might be the key to making big money, especially if you live in a sought-after location. While in the past you might have had to hire a property management company among other hurdles, technology has made it easier to take advantage of this opportunity. Companies, like Airbnb, let you post a listing for your home or property online, and people can rent the use of it at prices you determine and dates that fit your schedule. It might be your beautiful beach house in an exotic tropical location or just the spare bedroom in your house or apartment – some users have even posted their lawn space for camping.

While apps and technology make it easier to list and more affordable to rent properties, there is a downside. Criminals have flooded this innovative market place with scams. Scammers have used Airbnb to conduct rental scams, posting properties for rent they never managed. Now users are reporting fraudulent activity has taken place in the Airbnb platform. Account owners have noticed reservations being booked for non-refundable rentals that the users did not make themselves. Some have had their cards charged and money removed from PayPal accounts.

According to Airbnb, the platform has not been attacked or breached. In a statement from Airbnb they called these fraudulent charges “isolated incidents.” Airbnb’s investigation shows that these accounts were logged into with accurate login credentials and then the accounts were used to rent accommodations, charging the victims’ payment methods.

In short, that means someone got a hold of the victims’ login credentials. It’s quite likely that the information was gleaned from a previous data breach of a different company. This practice, known as credential stuffing, means if a users’ login information was breached in a previous attack their accounts using the same login are also in jeopardy. The Yahoo email breach, for example, would give criminals access to every single account you own if you are reusing that compromised username and password combination on other accounts.

While the damage appears to be rather limited, it is a good idea to change your Airbnb account password, even if you were not affected by these fraudulent charges. Monitoring your accounts regularly will also help you recognize suspicious activity as soon as it occurs.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read more: First American Financial Breach Exposes Millions of Complete Identities

 

Microsoft announced a data breach that gave hackers limited access to some of its customers’ email accounts. The hackers were able to see email addresses, subject lines of emails, and folders, but not open any emails or their attachments. They also were not able to obtain the customers’ passwords. Essentially, the hackers were able to do the same exact thing as looking over your shoulder in a coffee shop while your email inbox screen was open.

So what’s the big deal?

First, any time an outside agent is able to access a company’s stored data—especially information on its customers—that’s a big deal. In this case, a hacker compromised the login credentials of a customer service agent. The history of data breaches is filled with examples of cybercriminals reaching their intended target by going through this kind of side door, so to speak.

Read next: New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches

Also, compromising someone’s login credentials should be a difficult-to-impossible task if the right security measures are in place. Microsoft has not provided details on how the credentials were compromised, or even whether or not it was a Microsoft employee or a third-party customer service provider. If someone was able to “guess” the username and login using readily-available hacking software, then the password wasn’t strong enough. If the hackers obtained the credentials from a previous data breach, then those credentials are being reused and not being updated routinely. If they got the credentials through a phishing scam, then the employee may not have been adequately trained on security practices and protocols.

Finally, this event is a big deal because it serves as yet-another warning about password security, email strength, and data breach fatigue. If your first response to the announcement from Microsoft was, “Here were go again…yawn,” then you may be experiencing data breach fatigue. If you read the announcement and thought, “Well, thank goodness it was just the email addresses!” you may be feeling numb to certain kinds of cybercrimes.

It’s important that customers take all data breaches and hacking attempts seriously. Microsoft has locked down the credentials on accounts that it believes were affected—in order to block any potential access the hackers may gain—but urges all Microsoft account users to change their passwords. Password strength, including frequently changing your passwords, is one of the most important things consumers can do to protect themselves from cybercrimes.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Payment App Protection: Keep Scammers Out of Your Accounts