My AirBnB account just got hacked

Hi guys my AirBnB and possibly PayPal (different password) just got hacked.

Got an email that someone in Vancouver logged in to my account. And soon after 2 accommodations in Singapore got booked for $7000 total!

I notified Airbnb by call, submitted a PayPal dispute and changed my PayPal password (they need to log in to my PayPal to pay right?).

Anything else I should do?

Thanks, Joe

Comments

  • -1

    changed my PayPal password (they need to log in to my PayPal to pay right?).

    No. Never give credentials out. No one needs to log in to your account.

    Check your account settings and security on Airbnb. You can see your login history and log out of any old devices.

    • I never gave my credentials out. Just wondering if someone who hacked into my Airbnb also needed to hack my PayPal password.

      If yes then it could be a serious breach and someone stole all my passwords (e.g. through a virus)

      • +1

        Oh I thought you meant does Airbnb need your login, not the hacker.

        Well yes, technically they will need both passwords: 1 - Airbnb, 1 - PayPal. You should start changing passwords and setting up 2 factor authentication if possible for logins.

  • +2

    2 factor authorisation?

    • +1

      2fa is 2 factor authentication.
      It's an additional way to secure your logins to websites.
      It means when you try to log in to a website (where you have enabled 2fa) it will use a second method to authorise you before you can log in, e.g. the website will SMS a code to your mobile phone.

      You need to set up 2fa in the website security settings. But I'm not sure AirBnB offer 2fa.
      PayPal does though. And your bank should.
      So do email providers like Gmail, Outlook.com, etc.

      There are also 'authenticator' apps for your phone that generate secure codes for 2fa enabled sites. Quite often you can have multiple 2fa options enabled for a website, e.g. if you don't have your phone for an SMS code, you could have the code sent to your email address.

  • +1

    Sounds like you are probably key logged or something if they got a hold of both your passwords…

    What device did you log on with? Prolly need to format them all.

    • Mobile, PC, work PC. My home pc is also used by my gf (much less), she hasn't had issues yet. My bank account doesn't look to have been hacked directly.

      Maybe get an antivirus to check?

      • Do you not have antivirus software?
        Sophos, Eset, AVG, Panda and more all offer free AV.

        • I have Microsoft Essentials. Afaik it's good enough?

        • @joeno:
          MS Essentials generally has one of the lowest rates of detection.
          I think it unlikely you have a virus, but it is still worth checking nonetheless.
          See my notes below re Malwarebytes etc.

          Other methods of password compromise are far more likely.

      • Um, never use sensitive passwords on a work PC, many of them have keyloggers.

        • I work at the government. They have keyloggers?

  • +2

    Without knowing the intricacies of your password management, this is GENERAL advice.

    If you've reused the AirBnB password anywhere else (e.g. on other websites) change it ASAP on those sites too.

    Consider what other information about you has been compromised (phone numbers, address, email etc).
    Where possible secure this information.

    Your password has most likely been compromised one of these ways:
    1. You've used a simple password and it's been cracked by brute force (e.g. guessing)
    2. You've used the same password on another site (that was compromised)
    3. You've used an open public network (e.g. a coffee shop wifi) to log in
    4. You've used a public computer (e.g. an internet cafe) to log in.

    For 1, you need to use more complex passwords.
    For 2, you need to use a different password for every site.
    For 3, you should use an encrypted VPN or your own secured hotspot.
    For 4, you shouldn't use public computers with sites that require any kind of username and password that you care about.

    It's possible you have a virus, but not likely. This can be easily checked: run a scan with Malwarebytes Antimalware, run a scan with Zemana Antimalware, run a scan with your antivirus software. You can also run an online scan with Eset online scanner or Sophos as a backup AV check.

    Some general best practice principles for passwords:
    - You should have a different password for every site.
    - Use a password manager like LastPass or Dashlane or RoboForm (there are many others too).
    a) Use its password generator function to create unique and complex passwords (min 14 characters) for every site.
    b) Use its change password function to change the password for your websites.
    c) Have one really good password to secure your password manager, e.g. QLD!4.Stateoforigin

    What not to do:
    - If you must make up your own passwords, don't reuse them.
    - Don't use the same formula for creating passwords for different sites.
    - Don't use simple passwords, e.g. OzBargain1
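
A small audit of the do's and don'ts listed in the comment above, as an added example that is not part of the original thread. The function names, the sample vault and the "stem" and "simple" heuristics are assumptions made for illustration; all passwords are constructed.

```python
import re
from collections import defaultdict

MIN_LEN = 14  # minimum length suggested in the comment above

# Constructed sample data: site -> password (none of these are real).
SAMPLE_VAULT = {
    "airbnb": "Sunny7",
    "forum": "Sunny7",
    "paypal": "Sunny78!",
    "shop": "Sunnyshop2024!",
    "bank": "OzBargain1",
    "email": "t9#Lq2vX!mZr84pW",
}

def stem(site, password):
    """Letters left after dropping the site name, digits and symbols.
    Passwords built from one formula end up with the same stem."""
    return re.sub(r"[^a-z]", "", password.lower().replace(site.lower(), ""))

def audit(vault):
    """Return {site: [findings]} for a {site: password} mapping."""
    by_password, by_stem = defaultdict(set), defaultdict(set)
    for site, pw in vault.items():
        by_password[pw].add(site)
        by_stem[stem(site, pw)].add(site)
    report = {}
    for site, pw in vault.items():
        findings = []
        if len(pw) < MIN_LEN:
            findings.append(f"shorter than {MIN_LEN} characters")
        if re.fullmatch(r"[A-Za-z]+\d{0,4}", pw):  # heuristic: word plus digits
            findings.append("simple: word plus digits")
        reused = by_password[pw] - {site}
        if reused:
            findings.append("reused on " + ", ".join(sorted(reused)))
        s = stem(site, pw)
        # Same stem but a different password: a variation on one formula.
        similar = by_stem[s] - by_password[pw] if len(s) >= 4 else set()
        if similar:
            findings.append("same formula as " + ", ".join(sorted(similar)))
        report[site] = findings
    return report

if __name__ == "__main__":
    for site, findings in audit(SAMPLE_VAULT).items():
        print(f"{site:8} {'; '.join(findings) or 'ok'}")
```

Only the generated-style password comes back clean; the 8-character variation on the reused one is flagged as the same formula, which is the "minor modification" case raised later in the thread.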

    • +3
      • Don't use simple passwords, e.g. OzBargain1

      Ha, you'd have to be a real fool to use that. Luckily mine's OzBargain2.

      • Not OzBargain69?

        … I need better security.

  • +2

    Also, go to https://haveibeenpwned.com and sign up your email addresses that you use for logins.
    This will alert you if another website that you've signed up to has been compromised and your login details made public.

    Consider setting up a Gmail account for website logins… e.g. joenoweb @g mail
    Gmail has the ability to use a + symbol after your email address and you still receive the email.
    This means you can sign up to Airbnb with the email address joenoweb+abnb @g mail
    And you'll still receive email sent to that address. By having a unique email address for each login in the future, it can help you understand what has been the cause of the compromise and act accordingly.

    • Wow, my main email address has been part of 10 breaches. Websites include LinkedIn!?

      Crazy. Most I believe use my short common password like Airbnb, which aren't monetary websites. Not sure / unlikely hackers would've got my PayPal this way.

      Also my 2 supplementary Gmails which I use for work etc are free from breaches.

      • I'm not sure how linking of your AirBnB account to your PayPal account works, but have you confirmed your PayPal account was actually breached?

        Have PayPal been able to give you recent login details?

        Consider if your PayPal password was
        1. A reuse of your Airbnb password (or other account password) with minor modification.
        2. A relatively simple password, e.g. not long, few numbers or symbols, common word or phrase, associated with you like a birthday.

        Check out dos and don'ts above relating to your PayPal password too.

      • +1

        This is exactly why you don't use the same 'common' password for ANY site.

        And why it's good practice to enable 2fa and use the + symbol trick on Gmail to have different email addresses for every website.

      • Are you saying it's crazy that your account got compromised and you shared passwords with other sites and the password was short and that you made up a random password, something which people cannot do?

        Wake up.

        Now that we know about your poor security practices it's most likely that 1 website was compromised leading to your pass being discovered and then it's just a matter of adding it to bots which try logging in to popular websites where criminals can profit.

        Download a password manager immediately, LastPass is a good choice. Yes they store your encrypted info remotely, no this is in no way at all less secure than making pseudo random passwords and using the same password at different sites.

        Every time you log in to a website for the first time after installing a password manager you must change the password to a long random password. After this the password manager will log in to the website automatically (it's even easier than making up and sharing site passwords).

        • The short password is 6 digits and only for "regular websites".

          The PayPal password (different from my bank password) is 8 digits.

        • @joeno: Anything like PayPal which has bank/credit card info I use at least 10-16 digit passwords.

          Google password generator.

  • +1

    If the only unauthorised charges listed in your PayPal account are on Airbnb, I'd say it was only your Airbnb account that was compromised. It is probably already linked to your PayPal and may not need further confirmation prior to purchase. This points to just the weaker of your passwords being compromised.

    Regardless I would heed thedriver's instructions and work on improving your password security, password managers are the best option, but only if secured with a strong password and 2 factor authentication.

    • The problem is I'm going to be moving about soon in the future so it's a little inconvenient. The security app option (rather than linking to phone number) sounds like the best option.

      RE: yes Airbnb is the only one where I got an unauthorised transaction. However I was told by the AirBnB staff that I'd need to log in to PayPal anyways even if it's linked.

      I've removed the link through PayPal.

  • +1

    Got to say all this security talk is overwhelming… complex passwords for every site (so dozens and dozens), all linked to different emails, using a password manager, and with 2 factor authentication. Think I'd somehow stuff it up so I would end up locking myself out.

    • A little bit of inconvenience to learn it or (potentially) lose $7k. I know what I'd pick!

  • Just ran AVG + Malwarebytes on my laptop and found 78 threats (most likely it was infected by a virus/malware). It's all been cleaned. I don't use my laptop much but will be using it more in the future.

    Wondering with this many threats detected and cleaned, should I just reformat my laptop? Would cause a big hassle, and right now everything seems to be fine. No virus / malware detected.

  • So were you definitely hacked? Any update from Airbnb or PayPal?
    We recently got an email which looked like PayPal as a receipt for toys, luckily I intercepted before the missus clicked the link in the email and input her details.
    Was a phishing scam to get her login, as logging onto PayPal showed no such transaction.

    • They've refunded me half the bookings but the other half ($3500) "didn't go through" even though they did it at the same time…

      Followed up but I have yet to receive that other half.
