Cybernews researchers have uncovered an active exfiltration operation siphoning guest booking data from two major European hospitality platforms. The operation, discovered on March 24, 2026, targeted Spain-based Chekin and Austrian provider Gastrodat, compromising nearly 5 million guest records across 173 properties worldwide. The stolen data, totaling 6.5GB, was being streamed live to Telegram channels by an unidentified threat actor.
What Happened
Cybernews stumbled upon an exposed server belonging to an unknown threat actor that contained a fully operational data harvesting pipeline. The server housed Python scripts purpose-built to extract booking records from Chekin, an automated check-in platform, and Gastrodat, a hotel management software provider. The actor gained access through 527 compromised hotel and host accounts, using stolen credentials to authenticate against the platforms' booking systems. A full list of these compromised accounts, including plaintext passwords and JWT tokens, was stored alongside the stolen data on the server. The operation spanned over 170 facilities globally, extracting records in bulk and forwarding them to Telegram for real-time distribution or sale.
What Was Taken
The exfiltrated dataset is extensive and breaks down across two categories.
Booking records from both platforms include stay dates, reservation IDs, guest names, property addresses, and internal safety flags used by the accommodation platforms. In total, over 400,000 separate bookings were harvested.
Personal guest data is far more damaging. The dataset contains full names, phone numbers, email addresses, dates and places of birth, and in many cases, identity document numbers. The Gastrodat portion alone accounts for 361,000 booking records containing 11.6 million individual entries and 4.9 million unique email addresses. The Chekin data adds another 311,400 records with 133,900 unique emails and 253,000 government ID document numbers.
The combination of identity documents with travel dates and property addresses creates a uniquely dangerous dataset for targeted social engineering, identity fraud, and physical security threats.
Who Was Compromised
The 527 breached accounts belong to a mix of professional hotel operators and individual property hosts. The leaked credential list includes both business-domain email addresses tied to hotel chains and personal email accounts likely belonging to private landlords. This suggests the threat actor cast a wide net, compromising both enterprise and small-scale hospitality operators to maximize data yield. Every guest who booked through any of the 173 affected properties is potentially exposed.
Why It Matters
This incident highlights a growing pattern: threat actors are targeting hospitality middleware rather than the hotels themselves. Platforms like Chekin and Gastrodat sit at a data aggregation chokepoint, processing guest information for hundreds of properties simultaneously. Compromising a single platform account yields data at scale that would otherwise require breaching each hotel individually.
The use of Telegram as a real-time exfiltration channel also signals operational maturity. Data streamed to Telegram is immediately accessible to buyers and co-conspirators, reducing the attacker's need to maintain persistent infrastructure and making takedowns more difficult.
For defenders, the presence of plaintext passwords and JWT tokens in the compromised account list underscores that credential hygiene at the property level remains critically weak. A single reused or weak password on a hotel management portal can expose thousands of guests.
The Attack Technique
Based on Cybernews' findings, the threat actor operated a server running custom Python scripts designed to interface directly with the Chekin and Gastrodat platforms. The attack chain follows a credential-stuffing or credential-theft model: the actor amassed 527 valid account credentials for hotel operators on these platforms, then used automated scripts to authenticate and bulk-extract booking and guest data through the platforms' legitimate interfaces.
The harvested data was organized into structured files on the server and funneled to Telegram channels. No exploitation of a software vulnerability has been reported. This was an access-abuse operation that leveraged valid credentials to extract data through normal platform functionality, which makes the activity difficult for the platforms to distinguish from legitimate use without behavioral analytics.
What Organizations Should Do
- Audit third-party platform credentials immediately. Any hotel or host using Chekin or Gastrodat should rotate all passwords and revoke active JWT tokens. Assume compromise if credentials were reused across services.
- Enforce multi-factor authentication on all hospitality management platforms. The 527 compromised accounts strongly suggest MFA was absent or bypassed. MFA on property management portals should be mandatory, not optional.
- Implement anomaly detection on API and portal access. Bulk data extraction through legitimate credentials leaves behavioral signals: unusual login times, high-volume data pulls, access from unfamiliar IPs. Platforms must monitor for these patterns.
- Notify affected guests proactively. With 253,000 ID document numbers and 4.9 million email addresses exposed, affected individuals face elevated phishing and identity fraud risk. Timely notification allows guests to freeze credit, monitor accounts, and watch for targeted scams referencing their travel details.
- Review data minimization practices. Hospitality platforms should evaluate whether they need to retain government ID numbers, birth dates, and other sensitive PII beyond the check-in window. Data that is not stored cannot be stolen.
- Monitor Telegram channels and dark web markets for leaked data. Threat intelligence teams should actively search for the exfiltrated datasets to assess distribution scope and identify secondary exploitation.
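The behavioral signals named in the anomaly-detection recommendation above (unusual login times, high-volume data pulls, access from unfamiliar IPs) can be checked per account against a learned baseline. The sketch below is an added example, not code from Cybernews or either platform; the log fields, thresholds, account names and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): time, account, source IP, records returned.
SAMPLE_LOG = [
    ("2026-03-20T09:05:00", "hotel-a", "198.51.100.10", 12),
    ("2026-03-20T09:40:00", "hotel-a", "198.51.100.10", 30),
    ("2026-03-21T14:00:00", "hotel-a", "198.51.100.10", 18),
    ("2026-03-21T11:30:00", "hotel-b", "203.0.113.5", 40),
    ("2026-03-24T10:00:00", "hotel-b", "203.0.113.5", 35),
    ("2026-03-24T02:10:00", "hotel-a", "192.0.2.77", 500),
    ("2026-03-24T02:20:00", "hotel-a", "192.0.2.77", 500),
    ("2026-03-24T02:40:00", "hotel-a", "192.0.2.77", 500),
]

WINDOW = timedelta(hours=1)   # sliding window for volume checks
VOLUME_FACTOR = 10            # alert above 10x the account's busiest baseline hour
MIN_BASELINE = 50             # floor so new or quiet accounts do not alert on every pull
USUAL_HOURS = range(6, 23)    # assumed normal working hours, property-local time

def detect(events, baseline_end):
    """Learn per-account behaviour before baseline_end, then flag later events."""
    cutoff = datetime.fromisoformat(baseline_end)
    parsed = sorted((datetime.fromisoformat(t), a, ip, n) for t, a, ip, n in events)
    known_ips = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))   # account -> hour -> records
    for ts, acct, ip, n in parsed:
        if ts < cutoff:
            known_ips[acct].add(ip)
            hourly[acct][ts.replace(minute=0, second=0)] += n
    busiest = {a: max(h.values()) for a, h in hourly.items()}

    alerts = defaultdict(set)
    recent = defaultdict(list)                       # account -> [(time, records)]
    for ts, acct, ip, n in parsed:
        if ts < cutoff:
            continue
        if ip not in known_ips[acct]:
            alerts[acct].add("unfamiliar_ip")
        if ts.hour not in USUAL_HOURS:
            alerts[acct].add("off_hours_access")
        recent[acct] = [(t, c) for t, c in recent[acct] if ts - t <= WINDOW] + [(ts, n)]
        limit = VOLUME_FACTOR * max(busiest.get(acct, 0), MIN_BASELINE)
        if sum(c for _, c in recent[acct]) > limit:
            alerts[acct].add("high_volume_pull")
    return {acct: sorted(flags) for acct, flags in alerts.items()}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG, "2026-03-23T00:00:00"))
```

Each signal alone is noisy (a host travelling, a night-shift desk); an account raising all three at once is the case worth prioritizing for review.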
Sources: Booking platforms hit in massive data theft affecting 5 million | Cybernews