
Couchsurfing Hacked, Sends Airbnb Prank Spam

Posted by timothy
from the or-we'll-shoot-this-dog dept.
Slashdot regular (and Couchsurfing.org volunteer) Bennett Haselton writes with a report that an anonymous prankster hacked the Couchsurfing.org website and sent spam to about 1 million members, snarkily advertising their commercial arch-rival Airbnb as "the new Couchsurfing." (Read on below for more on the breach.) As of now, the spam's been caught, but not the spammer.

I've been a volunteer host on Couchsurfing.org for 16 months. Despite the ongoing controversies surrounding the site's changes in recent years, I've always found it to be a great way to meet travelers with fascinating stories and to make new friends, not to mention a way to force a deadline upon yourself to clean up your house before the next guest arrives.

On August 15, I received an email sent from "Couchsurfing <noreply@couchsurfing.org>" with the subject "Site Improvements", which read:

Hi!

We have some exciting news. Find out more about the new CouchSurfing here.

The CouchSurfing team

but the hyperlink on the word "here" did nothing when I clicked on it. So I looked at the HTML source code of the message and saw that the source code of the link was:

    We have some exciting news. Find out more about the new CouchSu=
    rfing <a href=3D=E2=80=9Chttps://www.airbnb.com/signup_login=E2=80=9D> her=
    e </a>.

So... the email from Couchsurfing was promoting a link to their commercial arch-rival, Airbnb.
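The link source quoted above is quoted-printable, and decoding it shows why the link was dead: the href is wrapped in typographic quotes (U+201C/U+201D) instead of ASCII quotes, so an HTML parser takes the quotes as part of the value and finds no http(s) scheme. The following Python is an added example, not part of the original post; the function name, the report fields and the sender-domain comparison are illustrative assumptions.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link source as quoted in the article; the "=" soft line breaks of
# quoted-printable are restored here (an assumption about the original wrapping).
RAW_QP = (
    b"We have some exciting news. Find out more about the new CouchSu=\n"
    b"rfing <a href=3D=E2=80=9Chttps://www.airbnb.com/signup_login=E2=80=9D> her=\n"
    b"e </a>.\n"
)
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"  # curly double and single quotes


class HrefCollector(HTMLParser):
    """Collect href values exactly as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v is not None]


def inspect_links(raw_qp, sender_domain):
    """Decode a quoted-printable HTML fragment and report on each link."""
    html = quopri.decodestring(raw_qp).decode("utf-8")
    collector = HrefCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href in collector.hrefs:
        cleaned = href.strip(TYPOGRAPHIC_QUOTES)
        host = urlsplit(cleaned).hostname or ""
        on_domain = host == sender_domain or host.endswith("." + sender_domain)
        findings.append({
            "href_as_parsed": href,              # what the parser actually got
            "smart_quoted": cleaned != href,     # curly quotes around the URL
            "usable_scheme": urlsplit(href).scheme in ("http", "https"),
            "intended_host": host,               # target once quotes are removed
            "off_domain": not on_domain,         # link leaves the sender's domain
        })
    return html, findings


if __name__ == "__main__":
    decoded, report = inspect_links(RAW_QP, "couchsurfing.org")
    print(decoded, report, sep="\n")
```

The same check run over outbound mail templates would flag both conditions seen here: a link whose attribute quoting makes it unusable, and a link whose target is outside the sending domain.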

At that point I assumed the message was spam that had been sent from some third-party server and simply forged a return address from couchsurfing.org, but the message headers clearly showed that the message really had been sent from Couchsurfing:

    Received: from messaging3.couchsurfing.com (messaging3.couchsurfing.com. [54.236.187.135])
        by mx.google.com with ESMTP id v7si15118226qay.99.2014.08.15.21.30.16
        for <bennetthaselton@gmail.com>;

The complete message headers and message source are here.

I sent a message to Couchsurfing tech support asking if they knew what had happened, and I started a thread on the Seattle Couchsurfing page, where several other users chimed in that they had received the same email. Couchsurfing support replied to me on August 18th:

Hello Bennett,

Thanks for your patience while we have been looking into this. As you saw yourself, some Couchsurfing members received an email in error on Friday night -- we apologize.

The part of Couchsurfing’s system that sends email to members was breached Friday night and an email was sent to approximately 1 million members. We take this very seriously, and we will continue to investigate and take all appropriate action until this situation is resolved.

There is no action you need to take to secure your account. Once we have further information, we will be sure to send out updates.

Warm Regards,

Then on August 19th, I received an email from Couchsurfing (presumably along with all or most other Couchsurfing users) with the subject "Incorrect email -- our apologies":

Dear Bennett Haselton:

We're writing because you may have received an odd email from Couchsurfing in the last few days titled "Site Improvements."

We apologize for any confusion this may have caused -- it should not have been sent.

-- The Couchsurfing Team

Want more details? Find them here

where the "here" link further explains: "The message was sent by an unauthorized user of our email system. No other systems were compromised, and we've addressed the circumstances that led to this unauthorized use."

So, kudos to Couchsurfing for at least alerting users that something had gone wrong. (Judging from the reactions in the thread that I started, most users who received the email simply deleted it without a second thought after seeing that the link didn't work, so Couchsurfing probably could have said nothing to their users at all, and gotten away with it. As of this writing, a Google News search for "couchsurfing hacked" turns up no other articles about the incident, so it's not as if there was a mob clamoring for answers that they had to respond to.)

On the other hand, I hope Couchsurfing is more forthcoming in the next few days about how much they know about what actually happened. When they say "We've addressed the circumstances that led to this unauthorized use," that probably means that they at least know whether the email was sent by (a) a disgruntled employee (or recently fired employee whose credentials still enabled them to access the server); or (b) someone who used an unpatched security hole to break in from the outside; or (c) something else. (I replied to the tech support ticket asking as much, but as of this writing I have not received a reply. I wasn't naive enough to think that they were probably going to tell me everything they knew, but it's one of those rituals that quasi-journalists engage in so that we can say "as of this writing I have not received a reply".)

Obviously I think it's unlikely that anyone at the real Airbnb would actually risk jail time by hacking Couchsurfing's servers to send out spam advertising the Airbnb website; it seems more like the actions of someone being snarky, possibly a former employee or an outsider with an axe to grind. Couchsurfing's apology email said "Once we have further information, we will be sure to send out updates." Hope so.

  • by baka_toroi (1194359) on Thursday August 21, 2014 @11:55AM (#47721145) Journal
    Is there another community similar in scope to Couchsurfing? What would you recommend?
  • Worse than it seemed (Score:3, Interesting)

    by Anonymous Coward on Thursday August 21, 2014 @12:13PM (#47721307)

    The images loading at the bottom of the email attempted to change profile data, join the CS queer group, and remove the profile.

  • When you've pretty much agreed that everything he said was true (though you attempt to handwave it away

    Fearmongering about risks that are statistically insignificant should be waved away. Otherwise one would hardly ever leave their own homes (or even move about in those homes).

    and blame the victim...

    Noting that the well-known cases of violence within Couchsurfing.com related to single females hosting single males is in no way blaming them. Rather, the point is that since the GP is presumably male and writing for a predominantly male audience (these being the sad demographics of Slashdot), his exhortation to fear such violence is groundless.

    The "years of experience" you cite are for more-or-less closed communities of like minded people, very likely known to each other or having common friends or acquaintances. The modern hospitality exchanges are between random people, complete strangers.

    There has been no such transition overall in internet hospex from trustworthy closed communities to "random people, complete strangers" as you depict. Couchsurfing.com specifically has grown too large to have that feeling of being a closed community of like-minded people, though the result of this is vastly more likely to be simply meeting a person whose company one doesn't enjoy than experiencing crime. However, internet hospex in general remains a series of overlapping circles of friends, which one can plainly see from Couchsurfing's two community-run alternatives.
