Expert Reaction On CouchSurfing Investigates Data Breach

CouchSurfing is investigating a security breach affecting 17 million users. The CouchSurfing data is currently being sold for $700 on Telegram channels and hacking forums. As part of our expert comment series, cybersecurity experts reacted to this breach below.

Expert Comments

July 24, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
While the CouchSurfing breach doesn't appear to have included password information (meaning hackers won't be able to use the information to attempt to access users' accounts on other sites and services), the breach does still present a threat to users' online privacy. Bad actors can use the email addresses to flood users' inboxes with spam emails, some of which will most surely include malicious links and attachments. Users should always be wary of clicking links or opening attachments in any emails, even those appearing to be from their personal contacts.
July 24, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Organisations need to have layered controls - this means having security controls that make it difficult for attackers to gain access, as well as having detection and response controls that can help identify and respond to any attacks that are successful so that remedial actions can be taken in a quick manner. Along with technical controls, this means having good procedures in place, as well as providing security awareness and training to all employees so that they act as an extension to the security team in helping defend and detect attacks.
July 24, 2020
Jake Moore
Cybersecurity Specialist
ESET
This price tag seems a little high for data without password details; however, leaked information has a high value in its initial week, before it is mainstream. Once the affected users are made aware of the breach, and the heightened risk of phishing emails, the price will drop as the click-through rate decreases. Anyone with an account must be vigilant to current phishing emails purporting to be from CouchSurfing or their connected partners. It would also be a good idea to change the password – or, if the account is not used any more, it would be a good idea to close it completely. Far too many accounts become dormant online, and if these accounts are connected to reused passwords, users are at further risk of attacks elsewhere.
July 24, 2020
Chloé Messdaghi
VP of Strategy
Point3 Security
The good news is that they are aware of the situation, were forthcoming, and got help – both from law enforcement and cyber experts. It's interesting and more concerning that the passwords weren't shared. In this year of social activism, resources like CouchSurfing can be invaluable. Might it be that the bad actors wanted to get lists of people couch surfing around specific events such as protests? Perhaps they'll go back to CouchSurfing for payment to hold off on the release of passwords, but if not, there are potentially both privacy and personal liberty/freedom of expression issues at play here.
July 24, 2020
Saryu Nayyar
CEO
Gurucul
The release of information from the popular CouchSurfing website is of some concern to their millions of users. While it's fortunate that user passwords weren't compromised, the millions of active email addresses are still useful for spam and scam lists. Information on how the attack happened hasn't been released, but it seems likely from the volume of data and what was in it that attackers gained access to an exposed database backup. If that's the case, they'll need to review their process for storing backups and make sure they have the tools in place to secure them.
July 24, 2020
Paul Bischoff
Privacy Advocate
Comparitech
Even though no passwords were reportedly leaked, I would still recommend CouchSurfing users change their account passwords, as well as any other accounts that share the same password. Users should also be on the lookout for targeted phishing emails from scammers posing as CouchSurfing or a related company. The information in the database can be used to make malicious emails more convincing and personalised. Never click on links in unsolicited emails and double-check senders' email domains.
