CloudSEK has discovered a data leak that contains sensitive information of 16.99 million users of couchsurfing.com. CouchSurfing is a global homestay and social networking service through which members avail and provide lodging, organize events, and socialize.
Discovery of the leakCloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a surface web database marketplace, advertising the information of 16.99 million unique CouchSurfing users. The post was published on 19 July 2020. The seller has shared 22 samples as proof and claims that the data is from July 2020.
The contents of the leakThe sample records contain 22 users’:
- User ID
- Full name
- Last login
- Subscription status
- Campaign details
Data verification and validationBased on the fields in the database, it appears to be from a marketing campaign. Many of the emails were not publicly available previously and were not found to be part of other documented breaches.
General RecommendationsEven though passwords were not leaked, threat actors can use the email addresses to send spam, phishing emails, and launch other online scams. So, as a rule of thumb:
- Use strong passwords.
- Enable multi-factor authentication for all your online accounts.
- Don’t open unsolicited email attachments and links, especially from senders you don’t recognize.
- Don’t share OTPs with third-parties.
- Review online accounts and financial statements periodically.
- Regularly update your apps and any other software you use.