An Airbnb hacker spent a month in Malaysia using Laura Ward’s name, account and stored credit card. Now, after a failed chargeback, Ward wants to know how this happened and why she’s being held responsible. (Reprint)
Ward’s story is a complicated reminder about the ever-evolving dark web. Hackers appear to be invading every corner of the internet. And so it’s important for consumers to stay alert and proactive. Her case is also a lesson about persistence — one of the cornerstones of our advocacy practice.
An Airbnb hacker goes on vacation
Ward’s struggle with an Airbnb hacker began soon after returning from a vacation. As she reviewed her credit card bill, she discovered someone else had taken a journey of their own — using her funds.
“I found a charge on my credit card for $1,181 for a month in Malaysia through Airbnb,” Ward recalled. “I’ve never been to Malaysia or even considered it. And I haven’t used Airbnb since 2014. So I immediately called my credit card company and filed a dispute.”
Ward says that her credit card issuer, Barclay, reversed the charge and began an investigation. The bank also canceled her card and issued her a new one. Ward thought this bizarre situation was over.
Unfortunately, her 6-month battle against an Airbnb hacker was only beginning.
Airbnb fought the credit card dispute
A month after Ward initiated the chargeback, she received a stunning response from Barclay. Airbnb had fought the credit card dispute — aggressively.
“Airbnb said they had proof it was me,” Ward lamented. “These hackers are good. Airbnb said that the IP address used to book the property matches mine. I definitely didn’t make this reservation.”
Airbnb provided Barclay with a detailed explanation of how it determined this was a valid booking. The report stated that the IP address and geolocation of the reservation matched Ward’s.
Based on the report from Airbnb, Barclay rejected the premise that someone hacked into Ward’s Airbnb account. The company rebilled the $1,181 and closed the credit card dispute in Airbnb’s favor.
Next move: Filing a police report over the hacked account
Ward found the credit card loss hard to believe. But it made her more determined to prove her case and get her money back from the faceless Airbnb hacker.
A police report can lend credence to a consumer’s case involving a hacker. And we know from past cases that some companies require a police report in these investigations.
And so, Ward was hopeful that a police report stating that a hacker had taken over her Airbnb account would lead to a positive resolution. She filed the police report and then sent it to Barclay.
Barclaycard won’t reopen this credit card dispute
Soon Ward hit another frustrating dead end. Citing the involvement of the fraud department, Barclay informed Ward that it could not reopen her credit card dispute. Further, the bank recommended that she pursue other avenues to resolve her problem — “outside the credit card industry.”
Proving someone hacked into this Airbnb account
Ward still didn’t give up. She contacted an IT person, who determined that there seemed to be inaccuracies in the Airbnb report. This computer expert pointed out that the IP address placed its location in Chicago. Ward is in California.
But when Ward tried to provide this information to Airbnb, she found that now she was completely locked out of her Airbnb account. She had no way to reach the resolution team. Worse, right before she became locked out of her account, she had learned that someone had made a new reservation from her account — this time in Dubai.
Ward reached out to Airbnb on Facebook and Twitter and was instructed to change her password. She tried to do that, but then it seemed clear that someone had altered her Airbnb email address as well. Ward could do virtually nothing with her account. And she received no further instructions from Airbnb.
Now Ward wondered where else she could turn for help.
Asking the Elliott Advocacy team for help
As a regular reader of Christopher’s nationally syndicated newspaper column, Ward was familiar with the Elliott Advocacy team. Desperate to find someone who would actually listen to her plea for help, she contacted us.
However, when I read through Ward’s paper trail, I thought she likely would need an attorney to unravel this mess. Airbnb’s fraud department had provided a lengthy and thorough explanation to Barclay about the Malaysian rental. The documentation, Airbnb said, did not indicate a hacker had taken over ward’s account since it had determined that someone using Ward’s IP address and geolocation had made the reservation.
The credit card company accepted Airbnb’s report as proof that there was no basis for Ward to charge back the Malaysian rental. It would seem that both Airbnb and Barclay were rejecting outright her contention that a hacker had taken over her account.
Following the logical conclusion from there, Ward felt that she was being accused of fraud.
We know from experience that once a company escalates a case to its fraud or legal department, we typically can’t be successful with our mediation attempts. Elliott Advocacy does not have a legal team. And so, for the most part, we are unable to mediate cases that involve accusations of fraud or crimes.
Still not giving in to an Airbnb hacker
But Ward had followed every reasonable step to combat this hacker and prove her case. Unfortunately, she wasn’t getting any closer to a victory line.
“I won’t be able to pay for an attorney as I could end up spending much more than I lost,” Ward told me. “What really troubles me is that Airbnb has not responded to my requests to discuss it.”
Ward could see that her Airbnb account was still active and she could see her family’s picture on the account. But she had no way to close the account and lock it. Someone was still using it. Now Ward was concerned that even without access to her credit card, the hacker was staying in Airbnb rentals around the world using her name and account.
Ward continued to send messages to Airbnb on social media. And team members continued to give her the standard response to change her email address and password. But whoever had access to her account already had changed both.
Contacting the Airbnb executive resolution team
Our team does not present every Airbnb case that we receive to its executive resolution team. We carefully consider the merits of each consumer’s complaint. When we do determine a case should go in front of Airbnb’s executive team, they are typically able to correct the problem quickly.
But this case was a little different. I knew from the paper trail in the chargeback dispute that Ward’s case had been sent to the fraud department. And I knew that Airbnb had forcefully defended the Malaysian rental charge. Maybe there was something I didn’t know.
This case was a tricky one. However, I was hopeful that, at a minimum, we could get Ward’s Airbnb account taken down. At least a small victory would be better than none at all. Ward agreed.
The good news: a full refund and vindication!
And so, I sent Ward’s case over to the executive resolution team at Airbnb for review. I pointed out that the police were investigating the Malaysian rental and that Ward still hoped to get a positive resolution.
However, the pressing issue was Ward’s concern that this hacker was still using her account to make reservations in her name. She was worried about potential liabilities.
And to my surprise, within two days, Airbnb had completed its review and reversed its decision. Ward’s 6-month struggle was over.
Hi Michelle!
Thanks so much for following up. Our team will be giving Laura a call today to ensure she is completely refunded and her account is restored.
Airbnb refunded the Malaysian rental and worked with her to secure her account.
When Ward was able to access her account, she was amazed to see a variety of conversations involving someone purporting to be her. This Airbnb hacker was actively planning additional vacations — and although Ward’s credit card wasn’t being used, her name was.
For now, Ward is just relieved that she has been vindicated and that her war against this Airbnb hacker is finally over.
Here’s how you can protect yourself against hackers
Unfortunately, we’ve recently been seeing a surge of requests for help from consumers who’ve been hit by hackers. These hackers aren’t limited to one company or even one industry. So it is critical that internet visitors maintain vigilance over their online accounts.
Here are a few things to keep in mind that can lessen your chance of becoming a victim of a hacker:
- Don’t store your credit cards inside your online accounts.
Although it might be more convenient to do so, you might just be providing convenient access to a hacker too. - Don’t ignore email alerts that announce a change has been made to your account.
This is usually the first indicator that you’ve become a hacker’s target. - Don’t click on any links inside an email that alerts you of an account change.
This is also a tactic of hackers. If you receive an alert, go directly to the referenced account to check the validity of the alert. - Don’t leave any type of online account dormant that contains your personal information.
Inactive accounts are prime targets for hackers. - Change your passwords.
Remember, hackers are crafty thieves and if one has been able to break into one of your accounts they will often use clues they find there to get into other parts of your personal data. If one of your accounts has been compromised, it’s a good idea to change the passwords on all of your accounts. - Don’t use the same password and email combination across multiple platforms.
Hackers know that consumers often have favorite password/email combinations. If a hacker gains access to one of your accounts, they will likely try the same combo across the internet. As a result, you might find your hacker troubles immediately multiplied if you aren’t using unique passwords on your accounts.