- Cybernews discovers massive leak from Spanish and Austrian hotel platforms
- Attacker stole data via compromised accounts and exposed 6.5 GB on open server
- Nearly 5 million users affected, with names, email addresses, phone numbers, birth details and IDs harvested
Millions of records containing personally identifiable data were exposed on the Internet when a cybercriminal who stole them left them on an open server, without a password or any other means of protection.
The exposure was discovered by security researchers from Cybernews, who described their findings as a “massive operation” and a leak of “staggering” scale.
The data was stolen from Spanish and Austrian hotel platforms, such as Chekin (an automated check-in service based in Spain) and Gastrodat (an Austrian hotel management software provider).
Millions of people are affected
The attacker apparently compromised 527 accounts belonging to both hotels and hosts, and used them to access the reservation systems of the affected providers. They then used automated Python scripts to extract data from the platforms’ APIs. These scripts continuously collected information about reservations and customers and sent it to the attacker’s server, likely transmitting it in real time via Telegram.
The server itself was not protected, which is how Cybernews managed to recover it. Researchers said it contained around 6.5GB of files, with a “massive trove” of personal data.
They indicated that, in total, almost five million users were affected by this incident. Drawing on data from more than 170 properties around the world, the attackers extracted information on approximately 400,000 separate reservations, including stay dates, booking IDs, guest names, property addresses and internal security metrics used by accommodation platforms.
They also captured people’s full names, telephone numbers, email addresses, dates and places of birth and, in some cases, details of their identity documents.
Looking at individual platforms, Cybernews found that the Gastrodat data contains 361,000 booking records totaling 11.6 million entries, including 4.9 million unique email addresses. The Chekin data, meanwhile, contains 311,400 records, with 133,900 unique emails and 253,000 identity document numbers.
A list of all compromised accounts, with their IDs, email addresses and JWT tokens, was also on the server, along with the IDs linking each account to specific booking platforms.




