CouchSurfing’s email distribution system was breached before messages ostensibly promoting a rival hospitality exchange were sent to many of its one million members.
The email, headed "Site Improvements", might appear on casual inspection to steer recipients towards rival paid-for service Airbnb.
CouchSurfing hosts and guests do not exchange money, but rather exchange offers of hospitality in their home countries.
The link given was not properly formatted and may have contained malicious code, according to a thread on Couchsurfing’s discussion forum.
Indications are that the attempted cross-site request forgery (XSRF) attack was not successful. In a statement on its support site, Couchsurfing "apologised for any confusion" the incident may have caused.
It added that "member data was not exposed" and reassured members that it had "addressed the site vulnerabilities the email attempted to expose".
El Reg understands that the offending email was written by an unauthorised user and not by anyone at Couchsurfing’s headquarters. The firm declined to address our query on whether or not the offending emails pushed malicious code. ®