Airbnb security lapse leaves SIM customers vulnerable to data breaches

On Airbnb, a user who enters and verifies a phone number will be automatically redirected to an existing account if the phone number has been registered with it.

Airbnb apartment (Illustrative) (photo credit: PIXABAY)
Airbnb apartment (Illustrative)
(photo credit: PIXABAY)

When Sam Koffler arrived in Israel for the start of a nine-month gap year program, the first thing he did was buy a temporary SIM card. For the thousands of foreigners who come to Israel each year for extended periods of time, purchasing an Israeli phone number is common practice.

Koffler, a first year student at the University of Pennsylvania, was unaware, however, that months after returning the SIM card, his Israeli phone number was still linked to an Airbnb account he created, and that this left him exposed to a serious breach of personal data.

Compounding the breach is the policy among Israeli SIM card companies like  Cellcom, Pelephone, and Hot Mobile that every SIM card company will reuse the phone number that they issue to customers, usually after 30 days of its return. These companies don’t generally  inform their customers that the number they’re using will be reused.

As part of an unusually weak security process, Airbnb allows for users to log in to an account using just a phone number, meaning that any user who can enter and verify a phone number connected to an existing account will be able to access it.

“That’s crazy. The people that Hot Mobile give my phone number to can access my Airbnb account and all my credit card information,” Koffler said.

The US rental site Airbnb logo is displayed during the company's press conference in Tokyo on June 14, 2018 (credit: TOSHIFUMI KITAMURA / AFP)
The US rental site Airbnb logo is displayed during the company's press conference in Tokyo on June 14, 2018 (credit: TOSHIFUMI KITAMURA / AFP)

Airbnb security breach

Most online platforms have security systems that prevent users from signing up with phone numbers that are already connected to an account. They also require multiple forms of authentication to login, such as an email address or a password. But on Airbnb, a user who clicks on “Sign Up,” then enters and verifies a phone number, will be automatically redirected to an existing account if the phone number has been registered with it.

Anyone who tries to sign up for an Airbnb account with a reused phone number – such as the ones issued by SIM card companies like Hot Mobile – will get logged in to an existing account if the number is already in use. In addition to seeing all of the account holder’s past trip information, this gives users access to credit card information, a government ID, and past login locations.

In most cases, the person trying to sign up did not even intend to break into the account. “This is a problematic privacy issue that is unusual for a company of Airbnb’s size,” said Yossi Barishev, a senior security consultant at Sygnia, a cybersecurity consulting company. “A bad actor could use this information to steal, spy, blackmail from an account holder.”

In some cases, when a user who has previously verified an email address in addition to a phone number clicks on “log in”, Airbnb will ask the user to enter their phone number, as well as the email address. However, when the user enters their phone number and then puts in an email that is different from the one on file, the site still allows the user to log in.

Barishev confirmed that he was able to replicate this action on his personal account. “I used a phone number under a new email address that was never used with an Airbnb service, and yet I was granted access, as if I was the user belonging to that phone number. This is crazy. It looks like a validation error on their end.”

Barishev did point out that, despite the weak security system, users are still responsible for letting old phone numbers be used to access an existing account.

“While it does show a lack of diligence on Airbnb’s part, the only way you can be hit by this is if you act carelessly in one way or another with your phone number –  either by not switching any services relying on your old phone number to a new one, or by using a burner number as personal identification,” he said.

But for foreigners in Israel, many of them using a temporary phone number for the first time, Israeli SIM card company practices are a mystery.

Jade Radice, an American college student who is interning in Israel for the summer, bought a six week TalknSave SIM card contract at the recommendation of her Onward Israel program. “When I signed up, I had no idea I was getting a reused number,” Radice said. “It makes sense now that they do it, but I would’ve appreciated being told that, maybe on the website or when I first got the card.”

But TalknSave, along with other Israeli SIM card companies, don’t inform their customers that the number they’re using will be reused.

In the case that led to this article’s findings, a user attempted to sign up for Airbnb with an Israeli phone number issued by TalknSave. But after putting in the verification code, the site loaded into the account of a random user who had been active on the site from 2019 to 2022.

This user’s login history confirmed that they first created the account from an Israeli IP address in 2019. Also accessible to the person who accidentally logged in were four different credit cards, the user’s government ID, and messages with sellers containing details about keycodes to apartments or where to locate the key to their house (“inside a potted plant by the door”).

“I don’t think anyone’s thinking about their phone number getting reused when they get it,” said Charlotte Ballan, another TalknSave customer who is spending the summer in Israel. “And I definitely would never have thought about removing the number from online platforms due to privacy reasons.”

A TalknSave representative initially responded to questions regarding company policies, but the company owner later retracted the statement and would not comment on whether TalknSave would tell users about the SIM card reuse policy or inform them about the privacy issues that had been brought to light.

One user, who requested anonymity, said he did know that SIM card companies reuse phone numbers, but didn’t realize that the policy had any implication on data privacy. Five different apps on his phone, including Airbnb, had been downloaded over the course of his gap-year program and were still connected to the Israeli number.

In the US, mainstream cell providers have similar reuse policies, but make these policies known to their customers. For example, Verizon’s company policy is that all users who change their phone number must read a disclosure statement informing them of the policy. On their website, a notice reads: “We recommend you take this time to notify contacts that you are no longer using this number and that you unlink this number from any business or online accounts that use it as a way to authenticate you.”

Radice only realized that her Israeli phone number would be reused when she tried to sign up for Wolt, a food delivery service popular in Israel.

When she entered her phone number, the platform did not let her go through with creating the account, saying that an account with her phone number already existed.

Gal Ringel, a cybersecurity expert who founded the privacy software Mine, explained that while Airbnb’s security system poses a privacy issue, the company is not obligated to verify accounts with anything more than a phone number.

“Essentially, Airbnb is doing the bare minimum. At the end of the day, they can claim any user who gets their account broken into is at fault for not closing the account.”

Ringel’s Mine allows users to see every online platform that holds their personal data, and if they choose, reclaim the data from any site that holds it. He started the company after being the victim of online identity theft on two separate occasions.

“I had 823 different accounts holding my data,” Ringel explained. “The worldwide average is 350. People don’t realize how many different sites their information is scattered across.”

Last week, Airbnb’s spokesman informed The Jerusalem Post that “We take this issue very seriously and are investigating. Protecting our community’s personal information and data privacy is a priority, and we are constantly evaluating and improving our security protections. All users are encouraged to keep their profile and personal details up to date, including their telephone number, to help keep their account secure,” the statement read.

This is not the first time this issue has been presented to Airbnb. In 2020, SecurityWeek, an online news platform providing cybersecurity news, reported that “a cybersecurity enthusiast learned recently that Airbnb accounts can be easily hijacked by creating a new account on the home-rental service with a phone number that in the past belonged to another Airbnb customer.”

At the time, Airbnb claimed they had fixed the issue, but it remains on the site today. Now, Koffler says, he won’t make the same mistake again. But he wishes the path to realizing his mistake was made easier.

“I wouldn’t have thought big companies like Airbnb had such lousy security systems, but I also don’t see why Hot mobile couldn’t just have reminded me to close my account.”