Millions of hotel goers may have been exposed after hackers steal data and leak it on Telegram

News
By published

Hundreds of accounts were compromised

Suitcase in a hotel room
(Image credit: Getty Images)
  • Cybernews uncovers massive leak from Spanish & Austrian hospitality platforms
  • Attacker stole data via compromised accounts, exposed 6.5GB on open server
  • Nearly 5 million users affected, with names, emails, phone numbers, birth details, and IDs harvested

Millions of records containing personally identifiable data were exposed on the internet when a cybercriminal who stole them left them on an open server, without a password or any other means of protection.

It was found by security researchers from Cybernews, who described their findings as a “massive operation” and a leak of “staggering” scale.

The data was being stolen from Spanish and Austrian hospitality platforms, such as Chekin (a Spain-based automated check-in service) and Gastrodat (an Austrian hotel management software provider).

Article continues below

Millions are affected

The attacker apparently compromised 527 accounts belonging to both hotels and hosts, and used them to access booking systems across the affected providers. They then used automated Python scripts to pull data from the platforms’ APIs. These scripts continuously collected booking and guest information and sent it to the attacker’s server, likely forwarding it in real time via Telegram.

The server itself was not protected, which is how Cybernews managed to pick it up. The researchers said it contained roughly 6.5GB of files, with a “massive trove” of personal data.

They said that in total, almost five million users were affected by this incident. By extracting data from more than 170 facilities worldwide, the miscreants pulled info on around 400,000 separate bookings, grabbing stay dates, reservation IDs, guest names, property addresses, and internal safety flags used by accommodation platforms.

They also grabbed people’s full names, phone numbers, email addresses, dates and places of birth and, in some cases, ID document details.

Looking into individual platforms, Cybernews found that Gastrodat details contain 361,000 booking records totaling 11.6 million entries, including 4.9 million unique email addresses. The Chekin data, on the other hand, contains 311,400 records, with 133,900 unique emails and 253,000 ID document numbers.

The list of all compromised accounts, their credentials, email addresses, and JWT tokens, were also on the server, together with identifiers linking each account to specific booking platforms.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.