Airbnb reports flaw that allowed hosts to see other users’ inboxes

The short-term lettings company has notified Ireland's data privacy chief - Toshifumi Kitamura/AFP

Airbnb may be facing a "massive fine" after it notified Europe’s data protection tsar over a data breach that allowed hosts to see into other users’ inboxes.

Last week, a technical issue on the Airbnb website briefly allowed some users to view previous messages sent and received from another account.

One user said they were granted access to another person’s inbox “every single time” they refreshed.

The incident has led to concerns that hosts will have to change passcodes associated with their properties as well as fears that large amounts of personal information may have been put at risk.

It is understood the problem was not a result of a malicious attack on Airbnb’s infrastructure.

“On Thursday, a technical issue resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts,” the company said in a statement.

“We fixed the issue quickly and are implementing additional controls to ensure it does not happen again. We don’t believe any personal information was misused and at no point was payment information accessible.”

Airbnb has notified the Irish Data Protection Commission, which is responsible for enforcing GDPR legislation across Europe.

Users were unable to modify other users’ data, meaning they were unable to send messages, book or alter listings, or perform any actions impacting payments on a user’s account. The issue lasted for around three hours on Thursday.

Ray Walsh, digital privacy expert at ProPrivacy, said the incident could lead to “massive fines” under GDPR legislation.

“It will now be necessary to launch a full investigation into the leak to ascertain how and why it occurred, and to figure out what culpability Airbnb should face for having caused such a dangerous data leak,” he said.

Under GDPR legislation, companies can be fined up to 4pc of the annual global turnover for a significant breach of people’s personal data.

The tourism giant has been hammered by the pandemic, with its valuation slipping to $26bn, down from around $31bn in 2017, as lettings dried up.

In April, Airbnb raised $1bn through a debt and equity deal as it looked to offset mass cancellations from shackled tourists.

Last month, Airbnb filed confidential documents outlining its desire to go public by the end of this year. Pricing and the volume of shares to be listed have not yet been determined.