Cybernews researchers have uncovered a large-scale data theft operation targeting Spanish and Austrian hospitality platforms Chekin and Gastrodat, exposing personal information of nearly 5 million hotel guests. The leak, discovered on March 24th, 2026, stemmed from an exposed server containing 6.5GB of stolen records, custom harvesting scripts, and credentials for 527 compromised hotel and host accounts. Data was extracted from more than 170 accommodation facilities worldwide.

What Happened

On March 24th, 2026, Cybernews researchers stumbled upon an exposed server belonging to an unidentified threat actor. The server held roughly 6.5GB of data along with Python scripts engineered specifically to scrape booking records from widely used accommodation management platforms. The two primary targets were Chekin, a Spain-based automated check-in service, and Gastrodat, an Austrian hotel management software provider. The operation pulled guest and reservation data from over 173 properties and individual hosts, totaling approximately 400,000 separate bookings. Alongside the victim data, the server also exposed the actor's own toolkit and a full list of the credentials being abused to query the targeted platforms.

What Was Taken

The dataset represents one of the largest hospitality sector leaks uncovered in 2026. Booking records exposed stay dates, reservation IDs, guest names, property addresses, and internal safety flags used by the accommodation platforms. The personal customer dataset exposed the identities of nearly 5 million individuals, including full names, phone numbers, email addresses, dates and places of birth, and in some cases ID document details.

Breaking the volume down by platform: leaked Gastrodat data includes 361,000 booking records amounting to 11.6 million total entries, with 4.9 million unique email addresses. Leaked Chekin data adds 311,400 records, with 133,900 unique emails and 253,000 ID document numbers. Additionally, credentials for 527 compromised hotel and host accounts were stored on the server, including email addresses, plain-text passwords, and JWT tokens tied to specific booking platforms.

Why It Matters

This incident weaponizes the trust relationship between booking platforms and their hotel clients. Because the threat actor operated through legitimate compromised accounts rather than exploiting a platform-side vulnerability, malicious activity likely blended in with routine API usage, making detection extremely difficult. The combination of full names, birth details, national ID numbers, and travel itineraries is a premium dataset for identity fraud, targeted phishing, physical stalking, and business email compromise against property owners.

The leak also exposes a structural weakness in the hospitality vertical: guest data flows through multiple third-party SaaS platforms, each with its own credential posture, and a single compromised host account can expose thousands of guests who never directly interacted with the breached provider. For regulators, the inclusion of EU citizens' identity documents places this squarely in GDPR Article 33 breach notification territory.

The Attack Technique

The threat actor did not appear to exploit Chekin or Gastrodat directly. Instead, the operation relied on 527 compromised accounts belonging to hotels, property managers, and individual hosts. The mix of personal and business-domain emails in the compromised list suggests the credentials were harvested through infostealer malware, credential stuffing, or phishing campaigns targeting the hospitality sector, rather than a single supply chain compromise.

Once in possession of valid credentials and JWT tokens, the attacker ran custom Python scripts to systematically enumerate and export booking records from each platform's authenticated endpoints. Storing plain-text passwords alongside live JWTs indicates the actor maintained long-lived access and likely refreshed sessions as tokens expired. The actor's own operational security failure, leaving the collection server publicly accessible, is what ultimately surfaced the campaign.

What Organizations Should Do

  1. Hospitality platforms and their hotel clients should immediately rotate all account credentials and invalidate active JWT sessions, then enforce mandatory multi-factor authentication for every host and staff account accessing booking APIs.
  2. Audit API and login telemetry for anomalous bulk export patterns, unusual geolocations, or high-volume session token reuse since at least early 2026, and correlate against the indicators available through Cybernews disclosure channels.
  3. Scan endpoints used by property managers for infostealer malware (RedLine, LummaC2, Vidar families), which is the most probable credential acquisition vector for a campaign of this footprint.
  4. Platform operators should implement rate limiting and behavioral anomaly detection on guest data export endpoints, and cap bulk queries per account per day.
  5. Affected guests should be directly notified under GDPR Article 34, and offered identity monitoring, particularly those whose government ID numbers were exposed via Chekin.
  6. Review and shorten JWT token lifetimes, bind tokens to device or IP fingerprints where feasible, and ensure revocation lists propagate in near real time across platform infrastructure.
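
As an added illustration of items 2 and 4 (not code from Cybernews, Chekin or Gastrodat), the following sketch audits API telemetry for per-account daily export volume above a cap and for a single session token used from many source IPs. The log format, endpoint name, account and token names, and thresholds are all assumptions made for the example, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the incident): one line per API call.
# Fields: ISO timestamp, account, token id, source IP, endpoint, records returned.
SAMPLE_LOG = """\
2026-03-01T09:00:05 hotel-a tok-1 198.51.100.10 /bookings/export 40
2026-03-01T09:30:11 hotel-a tok-1 198.51.100.10 /bookings/export 35
2026-03-01T02:00:00 host-b tok-7 203.0.113.5 /bookings/export 500
2026-03-01T02:00:02 host-b tok-7 203.0.113.5 /bookings/export 500
2026-03-01T02:00:04 host-b tok-7 192.0.2.77 /bookings/export 500
2026-03-01T02:00:06 host-b tok-7 192.0.2.200 /bookings/export 500
2026-03-02T10:15:00 host-c tok-9 198.51.100.44 /bookings/export 120
2026-03-02T10:15:30 host-c tok-9 192.0.2.9 /guests/list 10
"""

EXPORT_ENDPOINTS = {"/bookings/export"}  # hypothetical endpoint name


def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the audit
        ts, account, token, ip, endpoint, count = parts
        yield datetime.fromisoformat(ts), account, token, ip, endpoint, int(count)


def audit(log_text, daily_cap=1000, max_ips_per_token=2):
    """Return {account: sorted list of findings} for the given telemetry."""
    exported = defaultdict(int)   # (account, date) -> records exported that day
    token_ips = defaultdict(set)  # (account, token) -> distinct source IPs
    for ts, account, token, ip, endpoint, count in parse(log_text):
        token_ips[(account, token)].add(ip)
        if endpoint in EXPORT_ENDPOINTS:
            exported[(account, ts.date())] += count
    findings = defaultdict(set)
    for (account, day), total in exported.items():
        if total > daily_cap:
            findings[account].add(f"bulk-export {day} {total}>{daily_cap}")
    for (account, token), ips in token_ips.items():
        if len(ips) > max_ips_per_token:
            findings[account].add(f"token-reuse {token} from {len(ips)} IPs")
    return {acct: sorted(f) for acct, f in findings.items()}


if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_LOG).items():
        print(account, reasons)
```

Because the activity described here came from valid accounts, fixed thresholds like these are only a starting point; per-account baselines of normal export volume would reduce false positives for large properties.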

Sources: Booking platforms hit in massive data theft affecting 5 million | Cybernews