[{"data":1,"prerenderedAt":112},["ShallowReactive",2],{"article-slug-hospitality-data-leak-exposes-5-million-guests-via-chekin-and-gastrodat":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":26,"sources":27,"events":35,"mitre_techniques":42,"mitre_mitigations":58,"d3fend_countermeasures":72,"iocs":82,"cyber_observables":83,"tags":100,"extract_datetime":103,"article_type":104,"impact_scope":105,"pub_date":110,"reading_time_minutes":111,"createdAt":103,"updatedAt":103},"4f368842-178e-47ee-8afa-b371f0e0e4e7","hospitality-data-leak-exposes-5-million-guests-via-chekin-and-gastrodat","Massive Hospitality Breach: 5 Million Guests' Data Exposed via Leaky Server Tied to Chekin, Gastrodat","Unprotected Server Leaks Personal Data of 5 Million Hotel Guests from Chekin and Gastrodat Platforms","A significant data breach in the hospitality industry has exposed the personal and booking information of nearly 5 million travelers. Researchers from Cybernews discovered an unprotected server operated by an unknown threat actor, which contained 6.5GB of data harvested from Chekin, a Spanish check-in service, and Gastrodat, an Austrian hotel management provider. The data, scraped using compromised hotel accounts, includes full names, contact information, dates of birth, and detailed booking records, placing millions of individuals at high risk of targeted phishing and social engineering attacks.","## Executive Summary\nA misconfigured server has led to the exposure of sensitive data belonging to approximately 5 million hotel guests worldwide. Security researchers at **[Cybernews](https://cybernews.com/)** discovered a 6.5GB database, left open to the internet, containing booking information and personal details siphoned from two hospitality software providers: **Chekin**, based in Spain, and **Gastrodat**, based in Austria. 
The data was harvested by an unknown threat actor using Python scripts and the compromised credentials of over 500 hotels and hosts. The exposed information includes full names, emails, phone numbers, dates of birth, and in some cases, ID document details, creating a treasure trove for malicious actors planning phishing campaigns and identity theft.\n\n---\n\n## Threat Overview\nThe incident, discovered on March 24, 2026, and reported on April 15, 2026, is not a direct breach of the software vendors but rather a third-party compromise facilitated by credential theft. An unknown threat actor gained access to 527 accounts belonging to hotels and other properties using the Chekin and Gastrodat platforms. The credentials for these accounts, including plaintext passwords and JWT tokens, were found on the same exposed server, suggesting a successful campaign targeting the platforms' clients.\n\nUsing these compromised accounts, the actor deployed Python scripts to continuously scrape booking data. The aggregated dataset included:\n- **4.9 million unique email addresses**\n- **400,000 separate booking records**\n- **11.6 million total data entries**\n\n## Impact Assessment\nThe exposed data is highly sensitive and creates significant risk for the 5 million affected individuals. The compromised dataset includes:\n- **Personally Identifiable Information (PII):** Full names, phone numbers, email addresses, dates and places of birth.\n- **Identity Documents:** Details from ID documents in some cases.\n- **Booking Details:** Stay dates, reservation IDs, guest names, and property addresses.\n\nWhile no direct financial data like credit card numbers was found, the combination of personal and travel information is extremely valuable for attackers. This data enables highly convincing and personalized social engineering attacks.\n\n**Potential Attack Scenarios:**\n1.  
**Targeted Phishing:** Attackers can send emails impersonating the hotel or booking platform, referencing legitimate booking details (e.g., \"There's an issue with your upcoming stay at [Hotel Name] on [Date]\") to trick victims into providing payment information or credentials.\n2.  **Identity Theft:** The combination of name, date of birth, and ID details is sufficient to attempt identity theft or open fraudulent accounts.\n3.  **Physical Security Risk:** Knowledge of a person's travel dates can be used to target their empty home for burglary.\n\n## Detection and Response\n- **For Affected Individuals:** Be extremely vigilant about any emails or messages related to past or future hotel stays. Do not click on links or provide personal information. Instead, contact the hotel or booking platform directly through their official website or phone number. Enable multi-factor authentication on all sensitive accounts.\n- **For Hotels Using These Platforms:** Immediately change all passwords for Chekin, Gastrodat, and other management platforms. Review access logs for any signs of unauthorized activity. Notify guests who may have been affected, providing clear guidance on how to stay safe.\n- **For Chekin and Gastrodat:** The vendors should enforce stronger security measures for their clients, such as mandatory multi-factor authentication, password complexity requirements, and monitoring for anomalous account activity like rapid data scraping.\n\n## Mitigation\n**Strategic Recommendations:**\n- **Third-Party Risk Management:** This incident highlights the critical importance of managing security risks associated with third-party software and supply chains. Hotels must vet the security practices of their service providers.\n- **Credential Security:** The use of plaintext passwords and the compromise of 527 accounts underscore the need for strong authentication. 
All platforms handling sensitive data should mandate **[MFA](https://en.wikipedia.org/wiki/Multi-factor_authentication)**.\n- **Data Minimization:** Organizations should only collect and retain the data that is absolutely necessary for their operations. The less data stored, the lower the impact of a breach.","🏨 DATA BREACH: Personal data of 5 MILLION hotel guests exposed! A leaky server scraped info from Chekin & Gastrodat platforms. Names, emails, booking details leaked. Watch out for targeted phishing scams! 🎣 #DataBreach #Hospitality #CyberSecurity","A massive data leak has exposed the personal and booking information of nearly 5 million hotel guests. An unprotected server was found containing data harvested from Chekin and Gastrodat platforms.",[13,14,15],"Data Breach","Cloud Security","Phishing","high",[18,21,23],{"name":19,"type":20},"Chekin","company",{"name":22,"type":20},"Gastrodat",{"name":24,"type":25},"Cybernews","security_organization",[],[28,32],{"url":29,"title":30,"friendly_name":24,"website":31},"https://cybernews.com/security/hackers-siphon-data-from-5m-hotel-guests-feeding-it-live-onto-telegram/","Hackers siphon data from 5M hotel guests, feeding it live onto Telegram","cybernews.com",{"url":33,"title":34,"friendly_name":24,"website":31},"https://cybernews.com/security/","Latest Security News | Cybernews",[36,39],{"datetime":37,"summary":38},"2026-03-24T00:00:00Z","Cybernews researchers discover the misconfigured and leaking server.",{"datetime":40,"summary":41},"2026-04-15T00:00:00Z","The data leak is publicly reported by Cybernews.",[43,47,51,54],{"id":44,"name":45,"tactic":46},"T1078","Valid Accounts","Defense Evasion",{"id":48,"name":49,"tactic":50},"T1530","Data from Cloud Storage Object","Collection",{"id":52,"name":53,"tactic":50},"T1119","Automated Collection",{"id":55,"name":56,"tactic":57},"T1595","Active Scanning","Reconnaissance",[59,64,68],{"id":60,"name":61,"description":62,"domain":63},"M1032","Multi-factor 
Authentication","Enforcing MFA on all accounts, especially for hotel staff accessing management platforms, would have made it significantly harder for the attacker to compromise 527 accounts.","enterprise",{"id":65,"name":66,"description":67,"domain":63},"M1018","User Account Management","Regularly auditing accounts, enforcing strong password policies, and monitoring for credential stuffing attacks are crucial for platforms like Chekin and Gastrodat.",{"id":69,"name":70,"description":71,"domain":63},"M1040","Behavior Prevention on Endpoint","API gateways and backend systems should be configured to detect and block anomalous behavior, such as a single account scraping thousands of records in a short period.",[73,77],{"technique_id":74,"technique_name":61,"url":75,"recommendation":76,"mitre_mitigation_id":60},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","The root cause of this breach was the compromise of 527 hotel accounts. The most effective defense against this is multi-factor authentication. Both Chekin and Gastrodat should mandate MFA for all their client accounts, particularly those with administrative or data access privileges. Implementation could involve using authenticator apps (TOTP), SMS codes, or hardware security keys. This single control would have likely prevented the entire incident by stopping the attacker from using stolen credentials to log in and scrape data. For hotels, it is imperative to enable MFA on every administrative platform they use, from property management systems to third-party booking services.",{"technique_id":78,"technique_name":79,"url":80,"recommendation":81,"mitre_mitigation_id":69},"D3-RAPA","Resource Access Pattern Analysis","https://d3fend.mitre.org/technique/d3f:ResourceAccessPatternAnalysis","The service providers, Chekin and Gastrodat, should implement robust monitoring to detect anomalous data access patterns. 
A legitimate user might access a few dozen bookings a day; a malicious script will access thousands. By establishing a baseline of normal behavior for each user account, the platforms can automatically flag or block accounts exhibiting scraping behavior. This involves analyzing the volume, frequency, and type of API requests. An alert should be triggered if an account suddenly starts exporting data at a rate far exceeding its historical average. This D3FEND technique acts as a crucial second line of defense when authentication controls fail.",[],[84,90,95],{"type":85,"value":86,"description":87,"context":88,"confidence":89},"command_line_pattern","python scrape_bookings.py","Hypothetical name for a Python script used to scrape data. Monitoring for high-volume, repetitive data access from a single source or script can indicate scraping activity.","Application server logs, API gateway monitoring","low",{"type":91,"value":92,"description":93,"context":94,"confidence":16},"network_traffic_pattern","High volume of outbound API calls from a single client IP","An unusually high number of API requests to fetch booking data from a single account or IP address is a strong indicator of automated data harvesting.","API Gateway logs, Network Flow logs",{"type":96,"value":97,"description":98,"context":99,"confidence":16},"log_source","Cloud Storage Access Logs","Monitoring access logs for publicly accessible or misconfigured cloud storage buckets (like S3 or Azure Blob) can detect unauthorized access.","AWS CloudTrail, Azure Monitor",[13,101,19,22,102,15,24],"Hospitality","PII","2026-04-15T15:00:00.000Z","NewsArticle",{"geographic_scope":106,"companies_affected":107,"industries_affected":108,"people_affected_estimate":109},"global",[],[101],"Nearly 5 million","2026-04-15",3,1776260629688]