Cybernews research has uncovered a massive operation that was siphoning booking data from Spanish and Austrian hospitality platforms. Millions of hotel goers may have been exposed.
Our team has discovered a leaking server that exposed a large-scale operation targeting the hospitality sector, affecting nearly 5 million users.
The data leak was uncovered on March 24th, 2026, when the team stumbled upon a server belonging to an unknown threat actor. The server contained roughly 6.5GB of files with a massive trove of personal data.
Python scripts also discovered on the server were designed to harvest booking data from widely used accommodation management platforms. The affected platforms include Chekin, a Spain-based automated check-in service, and Gastrodat, an Austrian hotel management software provider.
According to the team, data was extracted from over 170 facilities worldwide.
What details did the Chekin and Gastrodat data leak expose?
Our researchers discovered a massive amount of personal guest information and booking data being stored on the leaking server. These entries span over 173 properties and individual hosts, totaling 400,000 separate bookings.
Records related to individual bookings contain:
- Stay dates
- Reservation IDs
- Guest names
- Property addresses
- Internal safety flags used by accommodation platforms
Meanwhile, the dataset with personal customer details reveals the personally identifiable information of nearly 5 million individuals. Our researchers found personal identifiers that put the users of these platforms at risk. The leaked information includes:
- Full names
- Phone numbers
- Email addresses
- Dates and places of birth
- In some cases, ID document details
The scale of the leak is staggering. For example, leaked Gastrodat details include 361,000 booking records totaling 11.6 million entries. According to our team, the dataset includes 4.9 million unique email addresses.
The leaked Chekin data adds another 311,400 records, with 133,900 unique emails and 253,000 ID document numbers.
Whose accounts were compromised?
The threat actor was likely operating through 527 compromised accounts belonging to hotels and hosts to access booking systems across the affected providers. The list of all compromised accounts was also stored on the server.
The leaked list includes credentials, such as email addresses, plain-text passwords, and JWT tokens, along with identifiers linking each account to specific booking platforms.
The emails are a mix of personal accounts, likely belonging to individual property hosts, and emails with business domains. Such a division of leaked emails suggests that both private landlords and professional operators were impacted.
Threat actors were harvesting data automatically
What stood out to researchers was not only the scale of the data exfiltrated, but the tooling behind it.
The server contained Python scripts that automatically extracted data from booking APIs. These scripts include hardcoded API endpoints and keys linked to both the Chekin and Gastrodat systems.
Multiple scripts also contain Telegram API, bot tokens, and chat numbers, suggesting that stolen data was likely being forwarded in real time to external channels as it was collected.
Alongside the scripts, extraction logs, and structured dumps of guest and booking data were also discovered.
Heightened risk of social engineering attacks
While the leaking server belongs to an unidentified threat actor, it is impossible for the companies to secure their data on their end. Cybernews has reached out to Chekin and Gastrodat for comment, but has not yet received a response.
“This incident highlights what can happen when a person’s credentials get leaked and how a seemingly small number of leaked accounts can yield dramatically larger datasets that could be exploited further,” our research team said.
For guests, the exposed data can increase the risk of highly targeted phishing, identity theft, and fraud attempts, especially given the inclusion of identity documents and contact details.
For accommodation providers, the fallout may extend beyond security. The involvement of widely used hospitality platforms means reputational damage could ripple across the sector, raising questions about authentication practices and the security of third-party integrations.
“Both the general public and companies that provide similar services would be encouraged to implement stronger authentication practices, such as MFA,” our researchers concluded.
The hospitality sector is a target
The discovery of data-extraction machinery from two European hospitality platforms fits into the broader context of attacks against the sector. Hotel booking platforms are tempting targets for attackers, as stolen data could be used in phishing attacks.
Phishing is especially effective when attackers know the victims’ exact names, travel dates, and reservation numbers. With such data in hand, they can craft convincing phishing schemes and gain victims’ trust to deliver malicious payloads. Such cases are being seen in the wild.
Securonix researchers previously reported a malicious campaign likely targeting the European hospitality sector. According to the report, attackers are luring victims with fake Booking.com reservation emails.
On phishing sites, users are tricked into using a technique known as ClickFix, which prompts victims to copy and paste a command into their computer’s Run box. The installed malware gives attackers full remote access to the device, allowing them to log keystrokes.
When hospitality platforms get breached, a trove of user data can be quickly exploited.
Recently, hospitality giant Booking.com reported a breach, stating that hackers accessed customer reservation data and exposed travel details tied to upcoming trips.
The breach is already sparking a wave of phishing attacks, as dozens of customers are reporting fake emails and WhatsApp messages claiming to be from the booking site. This is particularly concerning given that Booking.com branding is already frequently exploited in phishing scams.
