Lodge administration platform Otelier suffered a knowledge breach after risk actors breached its Amazon S3 cloud storage to steal thousands and thousands of company’ private data and reservations for well-known lodge manufacturers like Marriott, Hilton, and Hyatt.
The breach first allegedly occurred in July 2024, with continued entry by October, with the risk actors claiming to have stolen amost eight terabytes of information from Otelier’s Amazon AWS S3 buckets.
In an announcement to BleepingComputer, Otelier confirmed the compromise and mentioned it’s speaking with impacted prospects.
“Our high precedence is to safeguard our prospects whereas enhancing the safety of our techniques to forestall future points,” Otelier instructed BleepingComputer.
“Otelier has been in communications with its prospects whose data was probably concerned. In response to this incident, we employed a workforce of main cybersecurity specialists to carry out a complete forensic evaluation and validate our techniques.”
“The investigation decided that the unauthorized entry was terminated. To be able to assist forestall an identical incident from occurring sooner or later, Otelier disabled the concerned accounts and continues to work to boost its cybersecurity protocols.”
Otelier, beforehand often called MyDigitalOffice, is a cloud-based lodge administration resolution utilized by over 10,000 accommodations worldwide to handle reservations, transactions, nightly stories, and invoicing.
The corporate is or has been utilized by many well-known lodge manufacturers, together with Marriott, Hilton, and Hyatt, whose information is current within the stolen data.
Breached by stolen credentials
The risk actors behind the Otelier breach instructed BleepingComputer that they initially hacked the corporate’s Atlassian server utilizing an worker’s login. These credentials have been stolen by information-stealing malware, which has turn into the bane of company networks over the previous few years.
When BleepingComputer requested Otelier to verify this data, an organization consultant mentioned they may not share any additional feedback on the incident. Nevertheless, BleepingComputer discovered on the Flare risk intelligence platform Otelier worker data that had been stolen by infostealer malware.
The risk actors say they used these credentials to scrape tickets and different information, which contained additional credentials to the corporate’s S3 buckets.
Utilizing this entry, the hackers claimed to have downloaded 7.8TB of information from the corporate’s Amazon cloud storage, together with thousands and thousands of paperwork belonging to Marriott that have been in S3 buckets managed by Otelier. These paperwork embrace nightly lodge stories, shift audits, and accounting information.
Marriott has confirmed to BleepingComputer that Otelier’s cyberattack has impacted them and suspended automated companies whereas Otelier completes its investigation. The corporate stresses that none of its techniques have been breached on this assault.
“As soon as we have been made conscious of this incident involving Otelier, we instantly contacted the seller, which works with quite a few lodge firms, and confirmed that they have been working with cyber safety specialists to analyze a safety incident that impacted their techniques,” a Marriott spokesperson instructed BleepingComputer.
“Marriott has additionally taken applicable precautions, together with suspending the automated companies supplied by Otelier till the completion of their investigation, and people companies stay suspended.”
The risk actor says they tried to extort Marriott, pondering the S3 buckets belonged to them, and left ransom notes requesting cost in cryptocurrency to not leak the information. Nevertheless, no communication was made, they usually mentioned they misplaced entry in September after credentials have been rotated.
Whereas Marriott instructed BleepingComputer that there aren’t any indications that delicate data was stolen within the breach, samples of the stolen information shared with BleepingComputer and Have I Been Pwned’s Troy Hunt comprise lodge company’ private data.
The small samples seen by BleepingComputer embrace a broad vary of information, together with lodge visitor reservations, transactions, worker emails, and different inner information.
A few of the private data uncovered consists of lodge company’ names, addresses, cellphone numbers, and e mail addresses.
The stolen information additionally consists of data and e mail addresses associated to Hyatt, Hilton, and Wyndham. BleepingComputer contacted Hyatt and Hilton in regards to the breach however didn’t obtain a response.
Troy Hunt instructed BleepingComputer that he acquired an intensive set of information, with the reservations desk containing 39 million rows and a customers desk with 212 million.
Hunt says that regardless of the big set, he discovered 1.3 million distinctive e mail addresses, as many are repeated.
The uncovered private data is being added to Have I Been Pwned, permitting anybody to examine if their e mail handle is within the uncovered information.
The excellent news is that passwords and billing data don’t seem to have been stolen within the assault, however risk actors might nonetheless use this data in focused phishing assaults.
Subsequently, try to be looking out for suspicious emails impersonating lodge manufacturers impacted by this breach.