Customize your experience by selecting your role:
Owner, Property Manager, or Traveler
Several of my guests have reported receiving the following email from VRBO. The hack of my account occurred two weeks ago. One guest had inquired as far back as August! For the record, while VRBO would like to believe the scammers hacked my email account, I contend that VRBO itself was hacked. Anyone involved in such an incident, whatever the cause, should be aware that these emails might go out to your people:
---------- Forwarded message ----------
From: VRBO Customer Support <email@example.com>
Date: Wed, Feb 8, 2012 at 00:00 PM
Subject: Urgent Notice – Listing # 00000
Property number: 00000
You recently sent an inquiry for the above referenced property. This property can be found by entering the vacation rental listing number in the search box on the homepage.
It is possible that you may have been affected by a breach of an owner’s or property manager’s account or email account. When we learned of this potential breach we moved promptly to suspend the owner’s or property manager’s listings and put them through a process to reinstate their listings on our site with a revised account.
If you are still interested in this property or if you have booked this property, please recontact this owner or property manager through the inquiry form on the listing, which will route your communication to the revised account. Alternately, you may call the advertiser directly if a phone number is displayed on the listing. Please be careful about your means of payment and we advise against sending any payment details (such as credit card information) by email.
As always, please feel free to contact us should you have any questions.
VRBO.com Trust and Security
I think it's a good thing that these go out to people that have inquired on a property/email that was hacked. You admit that your account was in fact hacked. It's the right thing to do for the safety and security of the renters.
While I agree with Sophie that people should be informed, my problem with the way this is being handled is that the owner is shut down and NOT notified. They really need to call the home owner immediately and help them get everything secure to open their site back up. It took me a week to discover my sites were gone and then another week working with the security department to get everything fixed and back up.
To address your concerns, if someone other than the owner contacts us about a potential hack to the owner's email account, we contact the owner via phone within 24 hours (as email is not secure) and take their listing down until we reach them. We let recent inquirers know they should contact the owner via phone.
If the owner lets us know they have been hacked (as in this case), we still send a notice to recent inquiries letting them know they should phone the owner at the number on their listing as a safety measure (per the email above).
I hope this helps clarify!
I take it that you are able to match my Homeaway Community ID with my listing. Good to know.
To clarify: In this case I merely posted this message on the Homeaway Community forum. I'll grant you that qualifies as the owner letting you know something happened. Unfortunately, there was no further communication between Homeaway and me, and it was a guest who reported to me more than a week later that my pages were down. I still don't know when they were taken down. If the guest had not tipped me off, my listings could still be down, for all I know. I received no notification or request to change security information. It was only after I called that I was told what I needed to do. Then, after all the dust had settled, and even though it was pretty clear when the problems began (in late January), you guys sent the email above, without notice to me, to people who had inquired as long ago as August. No great harm done, but since we are clarifying things...
I apologize that our team dropped the ball in the process here - we've had a high volume of issues reported lately, so be assured we're working on improving this! Our head of Trust and Security has seen this thread, so I know she's addressing it with her team.
Can you be absolutely certain that these breaches have nothing to do with your website and the way it operates? It seems as though this is happening an awful lot, across the country and across your different network of websites. While I understand in the end the property owner's email is the one that has been compromised, how is your security team so sure that none of this has to do with your website?
I just found that the email address that duped me (which was reported to your security team) has also just been reported on another thread in this community forum nearly a week after my incident.
It's hard to believe that you have not taken more appropriate steps to help property owners fix and/or prevent this sort of thing happening. This seems to be an increasing problem but yet your company seem more inclined to turn a blind eye and wash your hands of it - at the same time blaming the owner of the email.
I really think your security and web team need to take a closer look at the web design, security, and other available options to make this a more secure experience.
It is lamentable this phishing scam continues unabated and HomeAway seems unable to go all the way to put a stop to this when it is clearly in their ability to do so. The measures they have taken so far are negligible and rated very poorly in arresting the problem, that is why this phishing scam continues after six plus months now, and the Scammers are laughing their heads off all the way to the bank and wishing HomeAway won’t take this seriously and continue with their ineffectual security practices.
It’s about time HomeAway take a more serious look at this phishing scam and come up with a foolproof Inquiry System guaranteed impregnable to phishing attempts.
One method I’ve alluded to in another thread is to use an annonymized (cryptic) email address for both the Inquirer and Owner on both their first email to each other (Inquiry & Owner’s response). Subsequent emails can be directly to each other with email addresses revealed. This is how Craigslist is able to secure their Email Inquiry, so why not HomeAway?
Please take this seriously HomeAway! If news of phishing scam victim continues, it means your security measures are not working. When will you ever accept this incontrovertible fact?
Our VRBO account was hacked this week and VRBO refuses to be accountable. Their letter which went out to all of our customers & inquiries tried to blame us I contacted our account manager at VRBO because we had received several emails that were very concerning. We advertise 30 properties! That is a lot of advertising dollars, yet no one would call me back today. A third party hacked into the VRBO system and retrieved inquiries on several of our properties. Then, the intruder sent an email stating that the property was available and to send them $3000. Without telling us, VRBO sent out a bulk email today to hundreds of our inquiries, which said that OUR email account may have been compromised. “property manager may have unknowingly and inadvertently had their
email account compromised” This problem is on THEIR WEBSITE! Our email account is fine! But VRBO HAS SECURITY ISSUES!!!! They recently installed new software and they have had problems since then. We have had non stop calls from clients who are panicking.
The next problem, was even more embarrassing. In their “Urgent Notice”, they gave out an incorrect telephone number for our office. As it turns out this is some illicit phone sex number! After several customers called about it, I called it to see what it was. OH MY GOODNESS! ITS REALLY BAD! Furthermore, because I called from my cell phone, I then received several illicit text messages!!! So did every single customer of ours that dialed that wrong number from a cell phone.
I called and emailed VRBO today with no response. They are a monolopy and they know it. Something needs to be done legally to protect our consumer rights.
VRBO has been a trusted advertising site for many years and we have used them exclusively for marketing our properties for many years. But their mistakes on our account and lack of security are inexcusable right now. THERE IS ZERO CUSTOMER SERVICE! The damage that has been done to our credibility is serious, and they are to blame. Unless and until we can receive complete assurances from them, as well as, accountability for the harm they have done, we will keep our listings off line.
Can you explain how you are sure that the VRBO account was hacked? It's more common that email is hacked -- I'm not saying it's impossible to hack VRBO, but it's less common than email because they will ask a security question if someone tries to log in from a new IP address.
Here's a way to check -- look at an inquiry in your dashboard (if you can get to your dashboard) that came in while the hacking was underway. Did that inquiry make it to your email's inbox? If yes, you may be right that VRBO was hacked. But if you never saw it in your inbox, it would be a classic email hack with the bad guy logging in to your email and setting a filter or redirecting your VRBO inquiries to his account so that you never see them in your inbox. Check your email for any odd filters that could have redirected email.
I'm so sorry this is happening to you -- I hope it gets cleared up soon and no travelers were scammed.
Yes we did receive the email in our inbox and we replied to them.
Some of them already had reservations!
Which is why I think VRBO was hacked.
After 2 days I finally got to talk to a customer service rep!!!
Wow, it seems you may be right that the hacking was through VRBO instead of your email. I hope this is a rare thing and that it gets straightened out quickly.
Think for a moment and try to remember whether you (or your biz colleague) ever received an email from HA-VRBO Customer Service ...on the topic of "your problem signing into your account"? I ask because I just read another thread a moment ago in which two Community Forum members stated they received such emails ...in the middle of the night...supposedly from Customer Service referring to "signing in" problems.....only the members never reported "signing in problems" to Customer Service!
While we wait for someone at CS to clarify whether they sent such emails out....I'm wondering if you can recall ever receiving an email from CS ... and if so, did you respond to it....?....did you get any assistance from someone allegedly from CS to log into your account?