Couchsurfing Data Breach

NOTICE: If you are or have been a Couchsurfing travel network member, contact the Arnold Law Firm at (916) 777-7777.

In July 2020, an anonymous data broker informed Couchsurfing that 17 million of its user records were advertised for sale on hacking forums. It is thought that the data includes personal information of both current and past members and was stolen from company servers or a misplaced backup file stored in a cloud hosting environment earlier in the month.

Reportedly, the stolen data for sale includes:

  • User IDs
  • Real names
  • Email addresses
  • Couchsurfing account settings

It is unclear whether hackers may have obtained additional data, such as passwords or payment information, but have chosen not to offer them for sale yet. It is thought that the database includes past users who were previously purged, in addition to the network’s current 12 million members.

In its current state, the known stolen data is desirable for spam lists and malware distribution operations. If password information was also breached, the leaked credentials could be used by credential stuffing botnets to break into other online accounts. The botnets use lists of usernames and passwords gathered from breaches to attempt to log into another site in order to assume an identity, gather information, or steal money and goods.

Couchsurfing has not officially confirmed the breach. However, on July 20, 2020 via Twitter, @Couchsurfing tweeted:

 "We are looking into this, have engaged with an independent security firm, FBI, Secret Service, and IC3. Trafficking stolen information is a crime and we're working closely with authorities"

Couchsurfing has reportedly hired an external cybersecurity firm to investigate the extent of the data breach, including what personal information was compromised. California law requires businesses to notify any California resident whose unencrypted personal information was acquired by an unauthorized person.

Founded in 2004, Couchsurfing is an online global social travel network with members in over 150,000 cities in every country in the world. Free until recently, the service links users to host one another in their homes, connect with locals on trips, or travel together.

Originally a grassroots effort, Couchsurfing became a for-profit corporation in 2011, going on to raise $23 million in venture capital to improve website features and functionality, in the hope of keeping the service free to its users. Primary investors included Benchmark Capital, General Catalyst Partners, Menlo Ventures and Omidyar Network.

In response to the COVID-19 pandemic, Couchsurfing changed to a membership fee revenue model in May 2020, despite widespread criticism. Users in most developed countries must now pay a fee to use the platform. Members also have the option of paying a one-time charge to have their name and identification verified, adding a layer of security for travelers and hosts.

If you are or have been a Couchsurfing member, contact the Arnold Law Firm at (916) 777-7777 to discuss your situation and possible legal options.