Data Breach: Around 9,500 Apartment-Sharing Site Users Affected

  • Written by Cyber Research Team WizCase

What’s Happening?

The breach exposed personal data of users and property owners registered on Niido , including:

  • Full names
  • Email addresses
  • Phone numbers
  • Airbnb internal guest email
  • Internal booking information
  • Data about the property owner and area
  • Booking confirmation codes
  • User reviews data
  • Direct comments from house owners to cleaners
Screenshoot of exposed personal data Niido - 1

The open bucket also revealed around 300 PDF files with invoices for orders made by the company.

Screenshot of open bucket Niido PDF files - 2

Whose Data Is Affected and What Are the Consequences?

Our team discovered that the misconfigured bucket had 2 CSV files with between 20-30MB of data with around 9,500 Personal Identifiable Information (PII) and a few hundred confidential files. The data included some duplicate information and empty values. According to the names of the files, all exposed data belongs to registered AirBnB users — both guests and hosts.

Screenshot of Niido data breach CSV file - 3

An additional CSV file with 2,000 entries showing full names, confirmation codes, and user reviews score was also found within the bucket.

  • Identity theft and fraud: The breach exposed data that could be easily used by cybercriminals to perform identity theft. Possible fraudulent activity would be for attackers to create new host accounts with fake images and property details. Doing so would allow them to collect payment details, money, and personal details of their unsuspecting victims.
  • Phishing scams and malicious emails: Scammers are always on the lookout for data breaches to collect various parts of private information. Knowing a person’s full name, phone number, and their recent Airbnb transactions could aid in creating believable phishing emails. These are sent out to collect additional data from the victim by attaching suspicious links in emails. Additionally, attackers could use leaked email addresses to spread malicious files that, when downloaded, infect the person’s device.
  • Business espionage: Various Airbnb and Niido competitors could use revealed information to convert users to switch to their platforms. This could be done by ad targeting and sending them new offers through emails and text messages. As these could be highly personalized, many espionage attempts are likely to be successful.

How Did It Happen and What Shall I Do Now?

Unless intended to be accessed by the public, any server and bucket used to hold user personal data should be set to private . This would significantly lower the chances of a data breach happening.

If you regularly use your Airbnb or Niido account, delete unnecessary information on your profile and limit the data you share in the future. You should also be aware of any phishing emails or phone calls that ask you to share more personal information .

Should you notice any suspicious activity or unknown changes on your accounts, report it as soon as possible .

As a general rule, it’s a good idea to protect your online traffic by connecting to a VPN. This adds an additional layer of protection to your data through masking your IP address as well as preventing any malware from attacking your devices. VPNs are very easy to navigate through, even for those who never heard of them before — for an easy tutorial check out our beginner’s guide to VPNs .

Who Is WizCase?

Available in over 30 languages, WizCase is an online security website that reaches millions of readers worldwide. Our team always reaches out to any platform involved in data leaks and breaches as soon as the vulnerability is discovered. This is done prior to publishing any report in order to ensure the breach is secured and the users whose data was exposed are safe from any harm.