Credential-Stuffing Account Fraud on Airbnb
Attackers use leaked email and password combinations to log in to Airbnb accounts, divert host payouts, book stays at victims' expense, or conduct rental fraud using the established trust of a legitimate account.
Part of: Credential Stuffing Account Fraud
Last reviewed: 8 June 2026
Airbnb accounts accumulate significant trust currency: verified identity documents, positive reviews, payment methods, and upcoming booking history. A credential-stuffing attacker who successfully logs in to a genuine account can exploit all of this trust instantly — either by posing as a legitimate guest to book stays fraudulently, or by intercepting host payout bank details.
Airbnb's platform is built on mutual trust between strangers. A hijacked guest account with positive reviews is far more likely to be accepted by hosts than a new account. A hijacked host account has payment routing already established, meaning a payout-redirect fraud can funnel real rental income to a mule account before the legitimate host realises.
As with all credential-stuffing attacks, the vulnerability is password reuse: the victim's email and password were leaked from another service entirely, and the attacker simply tests the combination at Airbnb's login.
How this scam works on the Airbnb brand
After gaining access, attackers committing guest-side fraud redirect any upcoming bookings to different properties to harvest deposits, or they make new bookings using the victim's saved payment method and cancel them later for cash refunds directed to a different account. More sophisticated attackers book high-value properties for dates far in advance, hoping the charges go unnoticed.
On the host side, the attacker changes the payout bank account to a mule account before the next scheduled payout date. Hosts may not notice for a full monthly cycle. Attackers also alter listing prices temporarily, setting them very low to generate fraudulent bookings quickly, then collecting the income before Airbnb detects the abnormal activity.
Some attackers use the hijacked account's review history to accept bookings from other fraudulent accounts, creating a closed loop of fake reviews that boosts both accounts' apparent legitimacy on the platform.
Common red flags
- An Airbnb login alert arrives from an unfamiliar device or location that you did not initiate
- Your payout bank account or payment method has been changed without your knowledge
- New bookings appear on your host account at prices you did not set, or guest bookings appear on your account for dates you never selected
- Your account email or password was changed and you did not make that change
- Airbnb sends a verification code you did not request, suggesting a login attempt is underway
- A review appears on your profile for a stay that you know did not happen
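The red flags above can be expressed as a detection rule over an account event log: a login from a device the account has never used, followed shortly by a payout, credential or steep price change from that same device. This is an added example, not code from the original page or from Airbnb; the event types, field names, 72-hour window and 50% price-drop threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real platform data); schema is hypothetical.
EVENTS = [
    {"ts": "2026-05-01T09:00:00", "account": "host-1", "type": "login", "device": "dev-A"},
    {"ts": "2026-05-20T02:10:00", "account": "host-1", "type": "login", "device": "dev-X"},
    {"ts": "2026-05-20T02:14:00", "account": "host-1", "type": "payout_change", "device": "dev-X"},
    {"ts": "2026-05-20T02:20:00", "account": "host-1", "type": "price_change", "device": "dev-X", "old": 200, "new": 60},
    {"ts": "2026-05-02T08:00:00", "account": "host-2", "type": "login", "device": "dev-B"},
    {"ts": "2026-05-10T18:00:00", "account": "host-2", "type": "login", "device": "dev-C"},
    {"ts": "2026-05-10T18:05:00", "account": "host-2", "type": "price_change", "device": "dev-C", "old": 150, "new": 140},
    {"ts": "2026-05-15T10:00:00", "account": "host-2", "type": "payout_change", "device": "dev-B"},
    {"ts": "2026-04-20T07:00:00", "account": "host-3", "type": "login", "device": "dev-D"},
    {"ts": "2026-05-01T07:00:00", "account": "host-3", "type": "login", "device": "dev-E"},
    {"ts": "2026-05-10T07:00:00", "account": "host-3", "type": "payout_change", "device": "dev-E"},
]

SENSITIVE = {"payout_change", "email_change", "password_change"}
WINDOW = timedelta(hours=72)   # assumed correlation window
DROP_RATIO = 0.5               # assumed: new price below 50% of old counts as a steep drop

def classify(ev):
    """Return a label if the event is a sensitive change, else None."""
    if ev["type"] == "price_change":
        return "price_drop" if ev["new"] < DROP_RATIO * ev["old"] else None
    return ev["type"] if ev["type"] in SENSITIVE else None

def flag_takeovers(events, window=WINDOW):
    """Map account -> sensitive changes made from a first-seen device within `window` of its login."""
    known = {}    # account -> devices seen so far
    suspect = {}  # (account, device) -> time the device first logged in
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ev["ts"])
        acct, dev = ev["account"], ev["device"]
        seen = known.setdefault(acct, set())
        if ev["type"] == "login":
            # The first device on record is the baseline; any later unseen device is suspect.
            if seen and dev not in seen:
                suspect[(acct, dev)] = ts
            seen.add(dev)
            continue
        label = classify(ev)
        start = suspect.get((acct, dev))
        if label and start is not None and ts - start <= window:
            flagged.setdefault(acct, []).append(label)
    return flagged

if __name__ == "__main__":
    print(flag_takeovers(EVENTS))
```

Only `host-1` is flagged with the default window: `host-2` changed its payout from a known device, and `host-3` changed it nine days after the new-device login, which a longer window would catch at the cost of more false positives.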
How to protect yourself
- Use a unique, strong password for your Airbnb account and enable two-factor authentication via SMS or authenticator app
- Check whether your email has been in a data breach at haveibeenpwned.com and change any reused passwords
- Review your Airbnb payout bank account details, upcoming bookings, and payment methods regularly — especially before expected payouts
- Enable Airbnb login notifications so you are alerted to any new-device sign-in
- Review your saved payment methods in Airbnb and remove any cards you do not actively use
- If you spot suspicious activity, contact Airbnb immediately and ask them to freeze account changes while the investigation proceeds
How to report it
- Report account fraud to Airbnb at airbnb.com/help or through the in-app Help Centre; ask for an emergency payout freeze if you are a host
- Report to the FTC at reportfraud.ftc.gov
- File a report with the FBI at ic3.gov if financial loss occurred
- Contact your bank if any fraudulent payment was processed
Frequently asked questions
How does a credential-stuffing attack differ from Airbnb being hacked?
Credential stuffing exploits passwords leaked from other services that the victim reused on Airbnb. Airbnb itself may not have been breached. Using a unique password for Airbnb eliminates this risk entirely.
I am a host and my payout was redirected. Can Airbnb recover it?
Report it immediately to Airbnb. Recovery depends on how quickly you act. Airbnb has a fraud team that investigates host payout fraud. Also contact your bank if funds have already reached the fraudulent account.
Can a hijacked guest account with good reviews cause problems for me as a host?
Yes. Hijacked accounts with established positive reviews are used to book properties because they are more likely to be accepted. If you accept a booking and the guest causes damage or fraud, report it to Airbnb's Resolution Centre and its trust team.