KOIN.com

Elaborate scheme snares Airbnb users, homeowners

PORTLAND, Ore. (KOIN) — Chris Hardcastle is a small business owner in Colorado who uses Airbnb for work and pleasure. She is connected to a KOIN 6 News investigation about a scam taking advantage of first-time homebuyers. But she’s a victim — not the scammer — in an elaborate scheme.

Recently, two Airbnb hosts in Northeast Portland had their homes fraudulently listed for sale. Home surveillance video captured the “Airbnb guest” pretending to be a real estate agent giving potential buyers a tour.

Hardcastle is the person tied to that Airbnb account. But her account was hacked.

She became alarmed when she began getting strange notifications on her phone from Airbnb.

“I received a text stating that my password and my email has been changed on my Airbnb account. So I immediately go and try to get into my Airbnb account and I am blocked. I cannot get in at all,” Hardcastle told KOIN 6 News. “I can’t get any information and that’s frustrating.”

She called Airbnb to try to fix the issue, but was unable to resolve the matter right away. Two weeks and multiple phone calls later, she regained access to her account. That’s when she discovered that Airbnb had contacted her within the app after her initial phone call saying she was locked out of her account. She took a screenshot of the conversation.

It showed an Airbnb official reaching out to Chris within the hacked account asking if there were any issues.

The company now acknowledges it was the hacker who replied, saying: “I just did a review and my husband was the one who added his number.. So everything is fine. thanks again!”

An Airbnb employee messaged back: “Ok Chris, I’m glad to hear that. Thanks for contacting Airbnb.”

Password security

Little did she or Airbnb know at the time that the hacker had intentions far beyond just a trip to Portland on her dime.

In a statement to KOIN 6 News, Airbnb officials said:

“We have taken steps to assist the guest in recovering their account.”

The company added that they contact guests in a number of ways when they become aware of potentially unauthorized access on their account, “which is what our teams did in this case as well.”

When Chris finally recovered her account, she learned the disturbing details.

“One lady texted me [within the Airbnb app] and told me that I was at her house trying to sell her house. She saw me in the Ring camera,” Hardcastle said. “So apparently someone, whoever hacked my account, is the one that’s going to these places or these homes trying to sell these houses.”

The scammer booked 4 different stays within a week on her Airbnb account across Portland.

Her credit card incurred thousands of dollars of charges — but she was able to get that back due to the fraud involved.

Though she has her money back, her sense of online security is shaken.

“I’m really concerned about this two-step verification because when you sign up for that, that is supposed to prove that everything is secure. But that didn’t happen,” she told KOIN 6 News. “I don’t know how someone can go in and change all of your information without getting that two-step verification.”

KOIN 6 contacted Airbnb about her concern. The company said hacks like this are rare, but that in this specific case, an unauthorized user would need one of the following: her account information, phone, or access to her email account.

Chris said the password she used for her Airbnb account was the same one used for other online accounts. From this point on, though, she said she will never use the same password across platforms and will change her passwords every 30 days.

Hardcastle said she also let the Airbnb site save her credit card information for faster checkout. But she will now reconsider that decision for safety reasons.

Airbnb said it’s imperative for people to use different and strong passwords for each account — and to safeguard those passwords.

Tips to help secure your Airbnb account

They also shared tips on how to keep your account safe and secure: Start with a solid password, review your account and flag anything suspicious. Find more by following the link above.