Cyber Incident Victim: CouchSurfing
Date: Jul 2020
Location: United States of America
Summary
A cybersecurity incident at CouchSurfing exposed approximately 17 million user records, including real names, email addresses, account settings, and user IDs, which appeared for sale on a hacking forum. The company engaged law enforcement and a security firm to investigate the breach, suspected to originate from a misplaced cloud storage backup file. While no passwords were compromised, the leaked email addresses pose risks for spam campaigns, and the affected records exceed the platform's current active user base.
Description
In July 2020, CouchSurfing initiated an investigation following the appearance of approximately 17 million user records on a hacking forum. The data, offered for sale at $700 by a broker, included user IDs, real names, email addresses, and account settings but did not contain passwords. The company confirmed it was working with law enforcement and a cybersecurity firm to assess the incident. Evidence suggested the breach originated from a misplaced backup file exposed in cloud storage, though the exact timing of the exposure remained unspecified. The leaked dataset exceeded CouchSurfing’s reported 12 million active users at the time, indicating it likely included historical or inactive accounts. Initial reports noted the data sample’s circulation among threat actors before broader dissemination.

The compromised records subsequently appeared on public forums such as RAID Forum, extending their reach beyond private sales. CouchSurfing’s engagement with external experts aimed to determine the breach’s root cause and scope, though no technical specifics about the cloud storage misconfiguration were disclosed. The impact centered on potential spam or phishing campaigns leveraging the exposed email addresses; the absence of password data reduced the immediate credential risk. The company did not publicly confirm whether the breach affected only current users, only former users, or both. Law enforcement involvement focused on tracking the data’s distribution, but no arrests or attribution details were provided. The incident underscored the operational risks of cloud storage management, though available reports did not describe any remediation steps by CouchSurfing beyond those investigative partnerships.
