17 million CouchSurfing users’ data for sale on data sharing forum

July 20, 2020
min read

CloudSEK has discovered a data leak that contains sensitive information of 16.99 million users of couchsurfing.com. CouchSurfing  is a global homestay and social networking service through which members avail and provide lodging, organize events, and socialize.  

Discovery of the leak

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a surface web database marketplace, advertising the information of 16.99 million unique CouchSurfing users. 

The post was published on 19 July 2020. The seller has shared 22 samples as proof and claims that the data is from July 2020.


The contents of the leak

The sample records contain 22 users’: 

  • User ID
  • Full name
  • Email
  • Location
  • Last login
  • Subscription status
  • Campaign details

Data verification and validation 

Based on the fields in the database, it appears to be from a marketing campaign. Many of the emails were not publicly available previously and were not found to be part of other documented breaches.

General Recommendations

Even though passwords were not leaked, threat actors can use the email addresses to send spam, phishing emails, and launch other online scams. 

So, as a rule of thumb:

  • Use strong passwords.
  • Enable multi-factor authentication for all your online accounts.
  • Don’t open unsolicited email attachments and links, especially from senders you don’t recognize.
  • Don’t share OTPs with third-parties. 
  • Review online accounts and financial statements periodically. 
  • Regularly update your apps and any other software you use.
No items found.