CouchSurfing investigates data breach after 17m user records appear on hacking forum

EXCLUSIVE: CouchSurfing working with law enforcement and security firm to investigate incident.
Written by Catalin Cimpanu, Contributor
Image: Inside Weather, CouchSurfing

CouchSurfing, an online service that lets users find free lodgings, is investigating a security breach after hackers began selling the details of 17 million users on Telegram channels and hacking forums.

The CouchSurfing data is currently being sold for $700, ZDNet has learned from a data broker, a person who buys and sells hacked data for profit on the hacking underground.

The data broker, who requested anonymity for this article, was not able to identify the hacker but said the CouchSurfing data, which first appeared in private Telegram channels last week, has been advertised as being taken from CouchSurfing's servers earlier this month, in July 2020.

No passwords leaked

ZDNet received a small sample of the data. The sample included user details such as user IDs, real names, email addresses, and CouchSurfing account settings.

User passwords were not included, although it is unclear if hackers got their hands on passwords and simply chose not to share them.

Reached out for comment last night, a CouchSurfing IT staffer did not immediately provide an on-the-record statement but said that the company has already engaged with a cyber-security firm to investigate the breach, along with law enforcement agencies.

While the CouchSurfing data was initially shared in private Telegram channels, this week, the company's data has slowly made its way onto more public hacker forums, including the infamous RAID Forum, the go-to place for buying and selling stolen databases on the public internet.


CouchSurfing is currently ranked as one of the top 11,000 most popular websites on the internet, according to Amazon's Alexa traffic ranking. The service, founded in 2004, lists 12 million registered users on its site, but the company has purged inactive users a few years back when it listed a total of 15 million registered users, which would explain why hackers are currently selling 17 million user records.

The impact of the CouchSurfing breach is lower than other security incidents at other companies, as password information was not included. This means that the CouchSurfing data can't be used to as part of credential stuffing botnets that take leaked credentials and attempt to break into a user's accounts at other online services.

Instead, the CouchSurfing user emails can be used for spam lists by spam and malware distribution operations.

A theory shared by the data broker with ZDNet is that the CouchSurfing data could have originated from a misplaced backup file, as most companies regularly back up their user databases and don't usually include password strings in their backups. Furthermore, most backup files are also stored in cloud hosting environment that sometimes gets exposed online by accident, in misconfigured storage mediums, or after firewalls or VPNs go down, exposing a company's internal infrastructure on the public internet.

The biggest Internet of Things, smart home hacks of 2019

Editorial standards