Otelier data breach exposes info, hotel reservations of millions

Hotel management platform Otelier suffered a data breach after threat actors breached its Amazon S3 cloud storage to steal millions of guests’ personal information and reservations for well-known hotel brands like Marriott, Hilton, and Hyatt.

The breach allegedly first occurred in July 2024, with continued access through October, with the threat actors claiming to have stolen almost eight terabytes of data from Otelier’s Amazon AWS S3 buckets.

In a statement to BleepingComputer, Otelier confirmed the compromise and said it is communicating with impacted customers.

“Our top priority is to safeguard our customers while enhancing the security of our systems to prevent future issues,” Otelier told BleepingComputer.

“Otelier has been in communications with its customers whose information was potentially involved. In response to this incident, we hired a team of leading cybersecurity experts to perform a comprehensive forensic analysis and validate our systems.”

“The investigation determined that the unauthorized access was terminated. In order to help prevent a similar incident from occurring in the future, Otelier disabled the involved accounts and continues to work to enhance its cybersecurity protocols.”

Otelier, previously known as MyDigitalOffice, is a cloud-based hotel management solution used by over 10,000 hotels worldwide to manage reservations, transactions, nightly reports, and invoicing.

The company is or has been used by many well-known hotel brands, including Marriott, Hilton, and Hyatt, whose data is present in the stolen information.

Breached via stolen credentials

The threat actors behind the Otelier breach told BleepingComputer that they initially hacked the company’s Atlassian server using an employee’s login. These credentials were stolen through information-stealing malware, which has become the bane of corporate networks over the past few years.

When BleepingComputer asked Otelier to confirm this information, a company representative said they could not share any further comments on the incident. However, BleepingComputer found Otelier employee information on the Flare threat intelligence platform that had been stolen by infostealer malware.

The threat actors say they used these credentials to scrape tickets and other data, which contained further credentials to the company’s S3 buckets.

Using this access, the hackers claimed to have downloaded 7.8 TB of data from the company’s Amazon S3, including millions of documents belonging to Marriott that were in S3 buckets managed by Otelier. These documents include nightly hotel reports, shift audits, and accounting data.
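The tickets described above held credentials to the S3 buckets. As an added example (not part of the original article and not Otelier's tooling), this defender-side Python script scans exported ticket text for AWS access key IDs and checks for a secret key pasted nearby; the ticket field names and sample tickets are constructed, and the key values are AWS's published documentation placeholders.

```python
import re

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary
# STS credentials) followed by 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 200  # characters after the key ID searched for a matching secret

# Constructed sample tickets; the field names are an assumed export layout.
SAMPLE_TICKETS = [
    {"key": "OPS-101", "summary": "S3 upload job failing",
     "body": "Use these for now:\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
             "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"},
    {"key": "OPS-102", "summary": "Rotate AKIA keys quarterly",
     "body": "Reminder to rotate long-term keys; none pasted here."},
    {"key": "OPS-103", "summary": "Session expired",
     "body": "Temp key ASIAEXAMPLEKEY00TEST expired, please reissue."},
]

def redact(key_id):
    """Keep only the prefix and last four characters for the report."""
    return key_id[:4] + "*" * 12 + key_id[-4:]

def scan_tickets(tickets):
    """Return one finding per access key ID seen in ticket summary or body."""
    findings = []
    for ticket in tickets:
        text = ticket["summary"] + "\n" + ticket["body"]
        for match in ACCESS_KEY_RE.finditer(text):
            nearby = text[match.end():match.end() + WINDOW]
            findings.append({
                "ticket": ticket["key"],
                "key_id": redact(match.group(0)),
                "kind": "long-term" if match.group(1) == "AKIA" else "temporary",
                "secret_nearby": bool(SECRET_KEY_RE.search(nearby)),
            })
    return findings

if __name__ == "__main__":
    for finding in scan_tickets(SAMPLE_TICKETS):
        print(finding)
```

A finding with `secret_nearby` set means a usable key pair sat in ticket text and should be rotated, not just removed from the ticket.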

Marriott has confirmed to BleepingComputer that Otelier’s cyberattack has impacted them and that it suspended automated services while Otelier completes its investigation. The company stresses that none of its systems were breached in this attack.

“Once we were made aware of this incident involving Otelier, we immediately contacted the vendor, which works with numerous hotel companies, and confirmed that they were working with cyber security experts to investigate a security incident that impacted their systems,” a Marriott spokesperson told BleepingComputer.

“Marriott has also taken appropriate precautions, including suspending the automated services provided by Otelier until the completion of their investigation, and those services remain suspended.”

The threat actors say they attempted to extort Marriott, thinking the S3 buckets belonged to them, by leaving ransom notes requesting payment in cryptocurrency to not leak the data. However, no communication was made, and they said they lost access in September after credentials were rotated.

While Marriott told BleepingComputer that there are no indications that sensitive information was stolen in the breach, samples of the stolen data shared with BleepingComputer and Have I Been Pwned’s Troy Hunt paint a different picture.

The small samples seen by BleepingComputer include a broad range of data, including hotel guest reservations, transactions, employee emails, and other internal data.

Some personal information exposed includes hotel guests’ names, addresses, phone numbers, and email addresses.

The stolen data also includes Hyatt, Hilton, and Wyndham information and emails. BleepingComputer contacted Hyatt and Hilton about the breach but did not receive a response.

Hunt tells BleepingComputer that the data he received is far more extensive, with the reservations table containing 39 million rows and a users table containing 212 million.

Of this data, Hunt says there are 1.3 million unique email addresses, as many are repeated.

The exposed personal information is being added to Have I Been Pwned, allowing anyone to check if their email address is in the exposed data.

The good news is that passwords and billing information do not appear to have been stolen in the attack, but threat actors could still use this information in targeted phishing attacks.

Therefore, you should be on the lookout for suspicious emails impersonating hotel brands impacted by this breach.