Hotel Guest Data Breach Exposes 5 Million People

Hotel Guest Data Stolen and Leaked on Telegram in Real Time

Security researchers at Cybernews have uncovered a large-scale data theft operation targeting hotel guests across multiple countries. The attack compromised more than 500 accounts on hospitality management platforms, exposing the personal information of nearly 5 million travelers worldwide. What makes this breach particularly alarming is not just the scale, but the method of distribution: the stolen data was being leaked in real time through Telegram channels while simultaneously being stored on an unprotected server.

The targeted platforms include Spain-based Chekin and Austria-based Gastrodat, both of which are used by hotels and property managers to handle guest check-ins and administrative data. Hackers used automated scripts to systematically harvest guest names, email addresses, phone numbers, and government-issued ID details from compromised accounts.

How the Attack Worked

The operation relied on credential compromise rather than a single catastrophic breach of one platform. By gaining access to over 500 individual property management accounts, the attackers were able to pull guest data from each one using automated tools. This kind of attack is sometimes called credential stuffing or account takeover, where stolen or weak login credentials are used to access legitimate systems.

Once inside, the scripts scraped whatever personal data the accounts contained, including the kind of information guests are required to provide when checking into a hotel: full legal names, contact details, and identification documents. That combination of data is particularly valuable to criminals because it can be used for identity theft, phishing campaigns, SIM swapping, and other forms of fraud.

The decision to distribute the stolen data through Telegram, rather than selling it on traditional dark web marketplaces, reflects a broader shift in how cybercriminals operate. Telegram has increasingly become a distribution channel for leaked data due to its ease of use and relatively permissive content moderation.

What This Means For You

If you have stayed at a hotel that uses Chekin or Gastrodat for guest management at any point, your personal information may be part of this dataset. Even if you are not directly affected, this incident illustrates a broader vulnerability that travelers face: when you check into a hotel, you hand over sensitive personal data with very little visibility into how it is stored, who can access it, or how securely those systems are managed.

The data exposed here goes beyond a simple email and password combination. Government ID details combined with a full name, phone number, and email address give bad actors enough to impersonate you, open accounts in your name, or craft highly convincing phishing messages tailored specifically to you.

Hotels and property management platforms are attractive targets precisely because they collect rich personal data from large numbers of people, often with less rigorous security infrastructure than financial institutions or major tech companies.

Steps You Can Take to Reduce Your Exposure

You cannot always control what happens to your data once you hand it over to a business, but you can take steps to limit the damage if something goes wrong.

Monitor your accounts and identity. If you travel frequently, consider using an identity monitoring service that alerts you when your personal information appears in known data breaches or on the open web.

Use unique email addresses for travel bookings. Services that allow you to create alias email addresses mean that even if one account is compromised, the exposure is contained.

Be skeptical of unsolicited contact. If you receive an email, text, or phone call that references a recent hotel stay, treat it with caution. Attackers use details like this to make phishing attempts more convincing.

Secure your devices and connections when traveling. Public networks in hotels and airports are common entry points for data interception. Using a VPN when connecting to public WiFi encrypts your traffic and reduces the risk of your activity being monitored or intercepted.

Review what data platforms hold about you. In many countries, particularly within the European Union, you have the right to request what personal data a company holds and ask for it to be deleted. If you have stayed at properties using platforms like Chekin or Gastrodat, you can contact those platforms directly.

This breach is a reminder that your personal data travels with you, often in ways you cannot see or control. Staying informed about where your information goes, and taking practical steps to limit your exposure, is the most effective defense available to ordinary travelers right now.