[BreachExchange] CouchSurfing investigates data breach after 17m user records appear on hacking forum

[Destry Winant]

https://www.zdnet.com/article/couchsurfing-investigates-data-breach-after-17m-user-records-appear-on-hacking-forum/

CouchSurfing, an online service that lets users find free lodgings, is
investigating a security breach after hackers began selling the
details of 17 million users on Telegram channels and hacking forums.

The CouchSurfing data is currently being sold for $700, ZDNet has
learned from a data broker, a person who buys and sells hacked data
for profit on the hacking underground.

The data broker, who requested anonymity for this article, was not
able to identify the hacker but said the CouchSurfing data, which
first appeared in private Telegram channels last week, has been
advertised as being taken from CouchSurfing's servers earlier this
month, in July 2020.

NO PASSWORDS LEAKED

ZDNet received a small sample of the data. The sample included user
details such as user IDs, real names, email addresses, and
CouchSurfing account settings.

User passwords were not included, although it is unclear if hackers
got their hands on passwords and simply chose not to share them.

Reached out for comment last night, a CouchSurfing IT staffer did not
immediately provide an on-the-record statement but said that the
company has already engaged with a cyber-security firm to investigate
the breach, along with law enforcement agencies.

While the CouchSurfing data was initially shared in private Telegram
channels, this week, the company's data has slowly made its way onto
more public hacker forums, including the infamous RAID Forum, the
go-to place for buying and selling stolen databases on the public
internet.

CouchSurfing is currently ranked as one of the top 11,000 most popular
websites on the internet, according to Amazon's Alexa traffic ranking.
The service, founded in 2004, lists 12 million registered users on its
site, but the company has purged inactive users a few years back when
it listed a total of 15 million registered users, which would explain
why hackers are currently selling 17 million user records.

The impact of the CouchSurfing breach is lower than other security
incidents at other companies, as password information was not
included. This means that the CouchSurfing data can't be used to as
part of credential stuffing botnets that take leaked credentials and
attempt to break into a user's accounts at other online services.

Instead, the CouchSurfing user emails can be used for spam lists by
spam and malware distribution operations.

A theory shared by the data broker with ZDNet is that the CouchSurfing
data could have originated from a misplaced backup file, as most
companies regularly back up their user databases and don't usually
include password strings in their backups. Furthermore, most backup
files are also stored in cloud hosting environment that sometimes gets
exposed online by accident, in misconfigured storage mediums, or after
firewalls or VPNs go down, exposing a company's internal
infrastructure on the public internet.