Nearly 5 million hotel guests have been exposed after attackers compromised Spanish check-in platform Chekin and Austrian hotel management provider Gastrodat, hijacking 527 hotel and host accounts to exfiltrate 6.5GB of booking data and stream it live to Telegram. The breach, uncovered by Cybernews researchers, spans over 170 hospitality facilities worldwide and was only discovered because the attacker left the stolen trove on an unsecured open server.
What Happened
Security researchers at Cybernews identified a large-scale intrusion against two interconnected hospitality software providers: Chekin, a Spain-based automated guest check-in service, and Gastrodat, an Austrian hotel management platform. The attacker compromised 527 legitimate accounts belonging to hotels and hosts, then leveraged those trusted sessions to scrape guest and reservation data at scale using automated Python scripts.
The stolen data was forwarded in real time to a Telegram channel as the attacker siphoned it, an unusual live-leak approach that turned the exfiltration into a streaming broadcast. Researchers ultimately discovered the operation because the attacker staged the aggregated 6.5GB dataset on an open, unauthenticated server, inadvertently exposing their own loot to the internet.
What Was Taken
The haul is extensive and deeply personal. Gastrodat alone accounted for roughly 361,000 booking records totaling 11.6 million individual entries, while Chekin contributed 311,400 guest records, including approximately 253,000 government-issued ID document numbers.
The exposed fields include:
- Guest full names, email addresses, and phone numbers
- Dates of birth and other birth details
- ID document numbers (passports, national IDs)
- Reservation IDs, stay dates, and property addresses
- Internal safety flags attached to guest profiles
- Account credentials, including JWT tokens usable for session hijacking
Why It Matters
This is not a low-value marketing list. The combination of verified identity documents, travel itineraries, and physical addresses is a near-complete identity theft and fraud toolkit. Criminals can use it for synthetic identity creation, SIM swaps, targeted phishing ("your recent stay at..."), and even physical-world risks such as stalking or targeting travelers known to be away from home.
The leaked JWT tokens raise the stakes further. If any remain valid, they allow attackers to impersonate hotel operators inside the Chekin and Gastrodat platforms, creating a potential secondary wave of compromise. The incident also underscores a recurring blind spot in the hospitality sector: third-party SaaS providers aggregate sensitive data from hundreds of properties, creating a single, high-value target that individual hotels have little visibility into.
The Attack Technique
The operation followed a credential-abuse pattern rather than a traditional exploit chain. The attacker obtained access to 527 hotel and host accounts; the exact initial access vector (credential stuffing, infostealer logs, phishing, or reused passwords) has not been publicly confirmed, but the volume suggests bulk credential sourcing rather than targeted compromise.
Once inside, the adversary deployed automated Python scripts to query each tenant account and pull booking records programmatically, mimicking legitimate API or portal behavior. The stolen records were piped to a Telegram channel in real time, likely for rapid monetization or reputational pressure, before being consolidated onto the misconfigured public server where researchers found them.
What Organizations Should Do
Hospitality operators and any SaaS provider handling guest PII should act on the following:
- Enforce mandatory MFA on all hotel-facing and host-facing portals, and revoke any long-lived sessions or JWTs now. Assume tokens in the leak are burned and rotate signing keys.
- Rate-limit and anomaly-monitor booking exports and API calls per tenant. A single account pulling thousands of reservations in short windows should trigger alerts and auto-throttling.
- Audit credential hygiene against infostealer feeds and breach databases. Force resets for any account whose credentials appear in known dumps.
- Segment tenant data access so that a single compromised hotel account cannot enumerate records beyond its own property, and restrict bulk-export functionality behind step-up authentication.
- Notify affected guests promptly with guidance on ID document monitoring, phishing awareness, and, where applicable, document replacement, especially for the 253,000 individuals whose ID numbers were exposed.
- Review egress monitoring and internal staging infrastructure: the attacker's own operational security failure exposed this leak, but defenders should hunt for similar exfiltration patterns (large outbound transfers to Telegram API endpoints, unfamiliar Python user agents) in their own logs.
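The per-tenant export monitoring in the second item and the egress hunt in the last item, written out as detection logic over sample log lines. This is an added example, not code from the article, Chekin or Gastrodat. The log field layouts, the thresholds (more than 2,000 records per account in any 10-minute window) and every log entry are constructed; `api.telegram.org` is the Telegram Bot API host and `python-requests/` is the default User-Agent prefix of the Python requests library.

```python
"""Added example: two hunting detectors over constructed log samples.

1. flag_bulk_exports: per-account sliding window over booking-export calls;
   alerts when one account pulls more than EXPORT_THRESHOLD records inside
   any EXPORT_WINDOW (the "thousands of reservations in short windows" signal).
2. flag_egress: aggregates outbound bytes per (source, destination) and flags
   Telegram API destinations and scripted HTTP clients.
Field layouts, thresholds and every log entry are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXPORT_WINDOW = timedelta(minutes=10)   # assumption: tune per platform
EXPORT_THRESHOLD = 2000                 # assumption: records per account per window
TELEGRAM_HOSTS = {"api.telegram.org"}   # Telegram Bot API host
SCRIPT_UA_PREFIXES = ("python-requests/", "python-urllib/", "aiohttp/")

# Constructed booking-export audit log: (account, UTC timestamp, records returned, user agent).
EXPORT_LOG = [
    ("hotel-0042", "2024-05-01T02:00:05Z", 40, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("hotel-0042", "2024-05-01T09:14:20Z", 25, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("host-7781", "2024-05-01T03:00:00Z", 500, "python-requests/2.31.0"),
    ("host-7781", "2024-05-01T03:01:30Z", 500, "python-requests/2.31.0"),
    ("host-7781", "2024-05-01T03:03:00Z", 500, "python-requests/2.31.0"),
    ("host-7781", "2024-05-01T03:04:45Z", 500, "python-requests/2.31.0"),
    ("host-7781", "2024-05-01T03:06:10Z", 500, "python-requests/2.31.0"),
    ("host-0199", "2024-05-01T03:20:00Z", 900, "python-requests/2.31.0"),
    ("hotel-0310", "2024-05-01T14:00:00Z", 1500, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)"),
    ("hotel-0310", "2024-05-01T14:30:00Z", 1500, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)"),
]

# Constructed proxy/egress log: (source host, destination host, bytes out, user agent).
EGRESS_LOG = [
    ("wks-frontdesk-03", "api.telegram.org", 4_200_000, "python-requests/2.31.0"),
    ("wks-frontdesk-03", "api.telegram.org", 2_300_000, "python-requests/2.31.0"),
    ("wks-frontdesk-03", "www.example.com", 12_000, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("srv-backup-01", "backup.example.net", 90_000_000, "rsync/3.2.7"),
]


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def flag_bulk_exports(log, window=EXPORT_WINDOW, threshold=EXPORT_THRESHOLD):
    """Return {account: peak records seen in any `window`} for accounts over `threshold`."""
    per_account = defaultdict(list)
    for account, ts, records, _ua in log:
        per_account[account].append((_parse_ts(ts), records))
    alerts = {}
    for account, events in per_account.items():
        events.sort()
        recent, total, peak = deque(), 0, 0
        for ts, records in events:
            recent.append((ts, records))
            total += records
            while ts - recent[0][0] > window:   # drop events older than the window
                total -= recent.popleft()[1]
            peak = max(peak, total)
        if peak > threshold:
            alerts[account] = peak
    return alerts


def flag_scripted_clients(log, prefixes=SCRIPT_UA_PREFIXES):
    """Accounts whose export calls came from a scripted HTTP client (sorted)."""
    return sorted({account for account, _ts, _n, ua in log if ua.startswith(prefixes)})


def flag_egress(log, telegram_hosts=TELEGRAM_HOSTS, prefixes=SCRIPT_UA_PREFIXES):
    """Per (src, dst): total bytes plus reasons; only flagged pairs are returned, sorted."""
    agg = {}
    for src, dst, nbytes, ua in log:
        entry = agg.setdefault((src, dst), [0, set()])
        entry[0] += nbytes
        if dst in telegram_hosts:
            entry[1].add("telegram-api")
        if ua.startswith(prefixes):
            entry[1].add("scripted-client")
    return sorted((src, dst, total, tuple(sorted(reasons)))
                  for (src, dst), (total, reasons) in agg.items() if reasons)


if __name__ == "__main__":
    print("bulk export alerts:", flag_bulk_exports(EXPORT_LOG))
    print("scripted clients:", flag_scripted_clients(EXPORT_LOG))
    print("egress findings:", flag_egress(EGRESS_LOG))
```

On the sample data only `host-7781` trips the volume threshold (2,500 records in just over six minutes), while `host-0199` stays under it and is caught only by the scripted-client signal, which is why the two detectors are kept separate: a low-and-slow scraper shows up in the user-agent check before it shows up in the volume check. The egress detector ranks the same workstation on both signals; the large rsync transfer to the backup host is neither a Telegram destination nor a scripted web client and is left alone.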
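The first and fourth items above (revoke issued sessions and JWTs, rotate signing keys, scope each account to its own property, and put bulk export behind step-up authentication), as an added example that is not code from the article or from either platform. It uses a minimal HS256 JWT built from the standard library; the key ids, secrets, the `tenant` claim, the revocation cutoff and the timestamps are constructed, while `sub`, `iat`, `exp` and `amr` are registered JWT claim names.

```python
"""Added example: session-token hardening for a hotel-facing portal.

Shows (1) signing-key rotation through a keyring with retired key ids,
(2) a fleet-wide "revoked before" cutoff that invalidates every token issued
before the incident regardless of its exp, and (3) tenant scoping plus a
step-up (MFA) requirement for bulk exports. Key ids, secrets, claim values
and times are constructed for this example.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Hypothetical keyring. The old secret is kept so legacy tokens can still be
# parsed for logging, but only ACTIVE_KIDS are accepted: "2023-k1" is rotated out.
KEYRING = {
    "2023-k1": b"constructed-old-secret-do-not-reuse",
    "2024-k2": b"constructed-new-secret-do-not-reuse",
}
ACTIVE_KIDS = {"2024-k2"}

# Constructed epoch seconds. Any token with iat before the cutoff is dead,
# which is how "revoke all long-lived sessions now" is enforced without
# tracking individual token ids.
REVOKED_BEFORE = 1_714_000_000
SAMPLE_NOW = 1_714_100_000


def sign(claims: dict, kid: str) -> str:
    """Issue an HS256 JWT under the given key id (issuer side)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(KEYRING[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def check_export_request(token: str, property_id: str, bulk: bool, now: int = SAMPLE_NOW) -> str:
    """Verifier side: return "ok" or the reason the export request is refused."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed token"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
    except ValueError:
        return "malformed token"
    if header.get("alg") != "HS256":
        return "unsupported algorithm"
    kid = header.get("kid")
    if kid not in ACTIVE_KIDS:            # retired keys are refused before any signature check
        return "retired or unknown signing key"
    expected = hmac.new(KEYRING[kid], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return "signature mismatch"
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("exp", 0) <= now:
        return "expired"
    if claims.get("iat", 0) < REVOKED_BEFORE:
        return "issued before revocation cutoff"
    if claims.get("tenant") != property_id:   # one account sees only its own property
        return "cross-tenant access denied"
    if bulk and "mfa" not in claims.get("amr", []):
        return "bulk export requires step-up authentication"
    return "ok"


def run_scenarios() -> dict:
    """Exercise the verifier with constructed tokens; returns {scenario: verdict}."""
    base = {"sub": "hotel-0042", "tenant": "hotel-0042",
            "iat": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 3600, "amr": ["pwd", "mfa"]}
    fresh = sign(base, "2024-k2")
    legacy = sign(base, "2023-k1")                                   # pre-rotation key
    stale = sign({**base, "iat": REVOKED_BEFORE - 1, "exp": SAMPLE_NOW + 86_400}, "2024-k2")
    no_mfa = sign({**base, "amr": ["pwd"]}, "2024-k2")
    h, _, s = fresh.split(".")
    moved = _b64url(json.dumps({**base, "tenant": "hotel-0310"}).encode())
    retargeted = ".".join([h, moved, s])                             # payload edited, old signature
    return {
        "fresh_bulk": check_export_request(fresh, "hotel-0042", bulk=True),
        "retired_key": check_export_request(legacy, "hotel-0042", bulk=True),
        "pre_incident": check_export_request(stale, "hotel-0042", bulk=False),
        "cross_tenant": check_export_request(fresh, "hotel-0310", bulk=False),
        "bulk_without_mfa": check_export_request(no_mfa, "hotel-0042", bulk=True),
        "single_without_mfa": check_export_request(no_mfa, "hotel-0042", bulk=False),
        "claims_tampered": check_export_request(retargeted, "hotel-0310", bulk=False),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

Two design choices matter here. The `kid` is checked against the active set before the signature is computed, so a token under a rotated-out key is refused even though its signature would still verify, which is what makes rotation actually cut off leaked tokens. And the `iat` cutoff is fleet-wide: after an incident the operator bumps `REVOKED_BEFORE` once and every pre-incident session, including long-lived ones that are nowhere near `exp`, stops working, while a single-record lookup without MFA still succeeds and only the bulk path demands step-up.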