CouchSurfing is investigating a security breach affecting 17 million users. The CouchSurfing data is currently being sold for $700 on Telegram channels and hacking forums. As part of our expert comment series, the cybersecurity expert reacted below on this breach.
Even though no passwords were reportedly leaked, I would still recommend CouchSurfing users change their account passwords, as well as any other accounts that share the same password.
Users should also be on the lookout for targeted phishing emails from scammers posing as CouchSurfing or a related company. The information in the database can be used to make malicious emails more convincing and personalised. Never click on links in unsolicited emails and double-check senders\’ email domains.
The release of information from the popular CouchSurfing website is of some concern to their millions of users. While it\’s fortunate that user passwords weren\’t compromised, the millions of active email addresses are still useful for spam and scam lists. Information on how the attack happened hasn\’t been released, but it seems likely from the volume of data and what was in it that attackers gained access to an exposed database backup. If that\’s the case, they\’ll need to review their process for storing backups and make sure they have the tools in place to secure them.
The good news is that they are aware of the situation, were forthcoming, and got help – both from law enforcement and cyber experts. It’s interesting and more concerning that the passwords weren’t shared. In this year of social activism, resources like CouchSurfing can be invaluable. Might it be that the bad actors wanted to get lists of people couch surfing around specific events such as protests? Perhaps they’ll go back to CouchSurfing for payment to hold off on the release of passwords, but if not, there are potentially both privacy and personal liberty/freedom of expression issues at play here.
This price tag seems a little high for data without password details, however, leaked information has a high value in its initial week, before it is mainstream. Once the affected users are made aware of the breach, and the heightened risk of phishing emails, the price will drop as the click-through rate decreases.
Anyone with an account must be vigilant to current phishing emails purporting to be from CouchSurfing or their connected partners. It would also be a good idea to change the password – or, if the account is not used any more – it would be a good idea to close it completely. Far too many accounts become dormant online, and if these accounts are connected to reused passwords, users are at further risk of attacks elsewhere.
Organisations need to have layered controls – this means having security controls that make it difficult for attackers to gain access, as well as having detection and response controls that can help identify and respond to any attacks that are successful so that remedial actions can be taken in a quick manner. Along with technical controls, this means having good procedures in place, as well as providing security awareness and training to all employees so that they act as an extension to the security team in helping defend and detect attacks.
While the CouchSurfing breach doesn\’t appear to have included password information (meaning hackers won\’t be able to use the information to attempt to access users\’ accounts on other sites and services), the breach does still present a threat to users\’ online privacy. Bad actors can use the email addresses to flood users\’ inboxes with spam emails, some of which will most surely include malicious links and attachments. Users should always be wary of clicking links or opening attachments in any emails, even those appearing to be from your personal contacts.