Colorado Airbnb hosts hacked: Boulder home rented out without owner's consent, Buena Vista host loses thousands in rental revenue

Some Airbnb hosts have been getting hacked -- some losing thousands of dollars in rental revenue, others seeing strangers show up at their doors ready to rent out listings that haven't been active for years. Online forums and blogs show it's been happening to people across the country, but CBS Colorado has learned it's also happening to hosts in the Centennial State. 

Pat Noyes, of Boulder, hasn't had her Airbnb listing publicly viewable for almost four years, yet two weeks ago, a couple showed up at her door in the middle of the night with a booked reservation to stay at her place. It turns out, hackers rented out her listing without her knowledge. 

Noyes used to rent out a suite in her home using Airbnb, but stopped a few years ago, making sure her listing was no longer public, but keeping her account in case she decided to open the listing again in the future. But two weeks ago, renters came knocking on her door. 

"Rude awakening," Noyes said. "My husband went to see what was going on, and came back to put pants on, and said there are people on the front deck... he said, 'Well they had your first name and they had our address and they had an Airbnb reservation.'"

She said she was sound asleep when the couple arrived, so she didn't get much more information from them. 

"Thankfully the young couple, they were very nice. My husband explained it. No, they didn't have a reservation and they just politely went away but I don't think everybody would necessarily do that if they spent a lot of money," Noyes said. 

Noyes says she got on the phone with Airbnb first thing the next morning, but says the company only gave generic responses that didn't lead to solid solutions. What's more, just a few days later, even after reporting the incident to Airbnb, another potential renter contacted her about booking her inactive listing. 

CBS

"Somebody had changed, back in May, had changed my login and stolen all my information, so they have access to own my account, and they're selling my house online," Noyes said. "Whoever stole it left my actual contact information on there. Not my email, but my phone number, and so I had a voicemail saying, 'I'd like to change my reservation.' I went, 'Oh, my God, this was not a one-time fluke.' And she had over $1,000 reservation for my place. And thankfully, I was able to talk to her and she shared information."

Noyes is not alone. 

Glen Merrifield, of Buena Vista, rents out luxury cabins with hot springs. The property has been in his family for over 100 years. 

When he started noticing his rental payments from Airbnb weren't coming in this spring, he called the company. 

"They told us that somebody had gotten into our account and changed bank account numbers, and they were going to fix that, and they would get the money back, get the funds back in our account and everything would be taken care of," Merrifield recalled. "So we let it slide another month till the next bank statement came out, and by that time 10 weeks have gone by, and yeah, we literally, then were told by Airbnb, what we could do to fix it on our end, which is to delete the payout methods that somebody else had come in and changed."

Cybercriminals had diverted his rental payments to a different bank account without his knowledge. Merrifield lost over $58,000 in rental revenue as a result. 

"I really feel like they misled us. I mean, I know that it's our account. We should be responsible for it. But at the same time, they told us they had everything handled, and we put our trust in them," Merrifield said. "It was a real gut-wrenching experience. I mean, that kind of money to our small business is just devastating. You just never expect that kind of thing to happen to you and you kind of think that you're being taken care of by Airbnb. They're such a large corporation, you would have thought that they would have had more protocols in place."

Both Merrifield and Noyes have reported their cases to several law enforcement agencies. 

The Colorado Bureau of Investigation is investigating Noyes' case. CBI's Agent in Charge Ralph Gagliardi says his office gets calls about these types of scams every day. 

"Your information is already out there, it's been compromised before, for the most part, so for instance, if they've already taken your name, your password, or your email, or all three, and they have that saved, bad guys will eventually use that against you in some other fraud," Gagliardi said. 

His office has tools to track down hackers in these types of situations, but Gagliardi says there are significant challenges. 

"An example of somebody without authorization logged in to your account, that host may contain data that can help law enforcement, such as an IP - internet protocol address - that was used to make that particular change, or other information they left behind or changed it to... so all those things you could go down the path and look for nuggets of information that can help trace to or track down the fraudster," Gagliardi explained. "Anytime that passwords or credentials are compromised, there's always a chance that you might catch somebody who's local, meaning in the U.S. However, the frequency of that is rare. So we have had some success with those that are local, to tracking them down, they brag about it on twitter, they use their basement IP, we catch them, but for the most part of it, these types of scams are foreign born and done outside of the United States, making it very difficult for law enforcement to track them down."

He says it's critical you change your password often, keep an eye on your online accounts regularly, and act quickly if you see any changes. 

"We recommend you use a different password for each site," Gagliardi said. "Your bank should have its own password, your Airbnb or rental account needs to have its own password. Don't have it a 1 instead of a 2, don't do that, (make it) completely different."

Noyes tells me she's going to be more vigilant moving forward. 

"I hate to just say, 'Oh, my God, get off that platform,' but that's where I am, and it could happen to anybody," Noyes said. 

After CBS Colorado pressed Airbnb about these two Colorado cases, Airbnb helped Noyes log back into her account so she could wipe it clean, and Merrifield says he received over $20,000 in reimbursements from Airbnb, but he's still waiting and hoping for the rest. 

Airbnb declined an interview, but sent the following written statement: "We take reports of fraudulent activity very seriously and we consistently work to educate our users with best practices on how to keep their accounts secure. In the rare instances where this occurs, our specialized team is available to help Airbnb users safeguard their accounts, and our Trust team is in touch with both users to support them along those lines." 

Airbnb also provided the following information links:

Read more
f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.