CloudSEK has discovered a data leak that contains sensitive information of 16.99 million users of couchsurfing.com. CouchSurfing is a global homestay and social networking service through which members avail and provide lodging, organize events, and socialize.
Discovery of the leak
CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a surface web database marketplace, advertising the information of 16.99 million unique CouchSurfing users. The post was published on 19 July 2020. The seller has shared 22 samples as proof and claims that the data is from July 2020.
The contents of the leak
The sample records contain 22 users’:- User ID
- Full name
- Location
- Last login
- Subscription status
- Campaign details
Data verification and validation
Based on the fields in the database, it appears to be from a marketing campaign. Many of the emails were not publicly available previously and were not found to be part of other documented breaches.
General Recommendations
Even though passwords were not leaked, threat actors can use the email addresses to send spam, phishing emails, and launch other online scams. So, as a rule of thumb:- Use strong passwords.
- Enable multi-factor authentication for all your online accounts.
- Don’t open unsolicited email attachments and links, especially from senders you don’t recognize.
- Don’t share OTPs with third-parties.
- Review online accounts and financial statements periodically.
- Regularly update your apps and any other software you use.
