Cybernews researchers have uncovered a large-scale data theft operation targeting two major European hospitality platforms: Chekin, a Spain-based automated check-in service, and Gastrodat, an Austrian hotel management software provider. Approximately 5 million guest records, including identity documents, were exfiltrated from over 170 properties worldwide and fed live into Telegram channels. The leaking server containing the stolen data and the attacker's tooling was discovered on March 24, 2026.

What Happened

An unknown threat actor compromised 527 hotel and host accounts across the Chekin and Gastrodat platforms. Using those credentials, the attacker deployed Python-based harvesting scripts to systematically extract booking and guest data from both platforms. The stolen data was staged on an exposed server and simultaneously streamed to Telegram, enabling near-real-time distribution. The server, totaling roughly 6.5 GB of files, also contained the attacker's full credential list, scraping scripts, and exfiltrated datasets, providing researchers with an unusually complete view of the operation.

What Was Taken

The breach exposed two categories of data across 400,000 bookings at 173 properties.

Booking records included stay dates, reservation IDs, guest names, property addresses, and internal safety flags used by the accommodation platforms. The Gastrodat dataset alone contained 361,000 booking records spanning 11.6 million individual entries.

Personal guest data was far more sensitive. The attacker collected full names, phone numbers, email addresses, dates and places of birth, and in many cases, identity document details. The Gastrodat leak yielded 4.9 million unique email addresses. The Chekin leak added 133,900 unique emails and 253,000 ID document numbers. The compromised account list itself contained email addresses, plaintext passwords, and JWT tokens, each linked to a specific booking platform.

Why It Matters

This incident highlights a growing threat pattern: attackers are no longer just targeting hotel chains directly. They are going after the SaaS platforms that hotels depend on for check-in automation and property management. Compromising a single platform account can expose guest data across dozens of properties, making hospitality middleware an efficient, high-yield target.

The inclusion of ID document numbers alongside personal details creates acute identity theft and fraud risk for nearly 5 million individuals. The live exfiltration to Telegram also signals a shift toward instant monetization and distribution, reducing the window defenders have to contain a breach before data reaches criminal markets.

For the hospitality sector specifically, this breach erodes the trust guests place in digital check-in workflows, a category that expanded significantly post-pandemic.

The Attack Technique

The attacker's operational footprint, exposed on the leaking server, points to a credential-based campaign rather than a platform vulnerability exploit. The 527 compromised accounts were a mix of personal email accounts belonging to individual property hosts and business domain emails from professional hotel operators.

Once authenticated, the attacker used custom Python scripts to interact with Chekin and Gastrodat APIs or interfaces, automating the extraction of booking records and guest PII at scale. The presence of JWT tokens alongside plaintext passwords suggests the attacker harvested both initial credentials and session tokens, enabling persistent access even if passwords were rotated.
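A stolen session token stops working after a password rotation only if the server ties token validity to the account's last credential change. The Python below is an added example, not code from Chekin, Gastrodat or the Cybernews report; it assumes HS256-signed tokens, and the signing key, account name, `valid_after` store and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed signing key, not from any real platform

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub: str, iat: int, ttl: int = 30 * 86400) -> str:
    """Mint an HS256 token the way a login endpoint would (constructed)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "iat": iat, "exp": iat + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token: str, now: int, valid_after: dict) -> str:
    """Return 'ok' or the reason the token is rejected.

    valid_after maps account -> time of its last password change (assumed
    server-side store); tokens issued before that moment are refused even
    when correctly signed and unexpired.
    """
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return "bad-signature"
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return "bad-alg"
        claims = json.loads(_unb64(body))
        sub, iat, exp = claims["sub"], int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed"
    if now >= exp:
        return "expired"
    if iat < valid_after.get(sub, 0):
        return "revoked-by-password-change"
    return "ok"

if __name__ == "__main__":
    T0 = 1_700_000_000                               # constructed login time
    stolen = issue("host@example.test", T0)          # token captured before rotation
    rotated = {"host@example.test": T0 + 3600}       # password changed an hour later
    print(verify(stolen, T0 + 7200, {}))             # no rotation tracking
    print(verify(stolen, T0 + 7200, rotated))        # rotation tracked server-side
```

The first call shows the gap the article describes: with no rotation tracking, the pre-rotation token is still accepted. The password-change handler has to write the new timestamp into `valid_after` for the second result to hold.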

The credential source remains unconfirmed. Likely vectors include credential stuffing from prior breaches, phishing campaigns targeting property managers, or infostealer malware logs. The breadth of compromised accounts across multiple countries and property types is consistent with large-scale credential stuffing against reused passwords.

What Organizations Should Do

Sources: Booking platforms hit in massive data theft affecting 5 million | Cybernews