- Cybernews reveals massive leak from Spanish and Austrian hospitality platforms
- The attacker stole data via compromised accounts and left 6.5 GB exposed on an open server
- Nearly 5 million users affected, with names, emails, phone numbers, birth details and IDs collected
Millions of records containing personally identifiable data were exposed on the Internet when a cybercriminal who stole them left them on an open server without passwords or other forms of protection.
The server was found by security researchers from Cybernews, who described their findings as a “massive operation” and a leak of “staggering” scale.
The data was stolen from Spanish and Austrian hospitality platforms such as Chekin (a Spain-based automated check-in service) and Gastrodat (an Austrian hotel management software provider).
Millions are affected
The attacker apparently compromised 527 accounts belonging to both hotels and hosts and used them to access booking systems across the affected providers. They then used automated Python scripts to pull data from the platforms’ APIs. These scripts continuously collected booking and guest information and sent it to the attacker’s server, likely relaying it in real time via Telegram.
The server itself was not protected, which is how Cybernews managed to pick it up. The researchers said it contained around 6.5GB of files with a “massive trove” of personal data.
They said that a total of nearly five million users were affected by this incident. By extracting data from more than 170 facilities worldwide, the criminals pulled information on around 400,000 separate bookings, retrieving dates of stay, booking IDs, guest names, property addresses and internal security flags used by accommodation platforms.
They also obtained people’s full names, phone numbers, email addresses, dates and places of birth and, in some cases, ID document information.
Looking at individual platforms, Cybernews found that the Gastrodat data contains 361,000 booking records out of a total of 11.6 million records, including 4.9 million unique email addresses. The Chekin data, on the other hand, contains 311,400 records with 133,900 unique emails and 253,000 ID document numbers.
A list of all compromised accounts, with their credentials, email addresses and JWT tokens, was also on the server, along with identifiers linking each account to specific booking platforms.



