Saturday, January 18, 2025

Otelier data breach exposes info, hotel reservations of tens of millions



Hotel management platform Otelier suffered a data breach after threat actors breached its Amazon S3 cloud storage to steal tens of millions of guests’ personal information and reservations for well-known hotel brands like Marriott, Hilton, and Hyatt.

The breach allegedly first occurred in July 2024, with access continuing through October, and the threat actors claim to have stolen 7 TB of data from Otelier’s Amazon AWS S3 buckets.

In a statement to BleepingComputer, Otelier confirmed it suffered a breach and said it is in communication with impacted clients.

“Our top priority is to safeguard our clients while enhancing the security of our systems to prevent future issues,” Otelier told BleepingComputer.

“Otelier has been in communications with its clients whose data was probably involved. In response to this incident, we employed a team of leading cybersecurity specialists to carry out a complete forensic evaluation and validate our systems.”

“The investigation determined that the unauthorized access was terminated. In order to help prevent a similar incident from occurring in the future, Otelier disabled the involved accounts and continues to work to enhance its cybersecurity protocols.”

Otelier, previously known as MyDigitalOffice, is a cloud-based hotel management solution used by over 10,000 hotels worldwide to manage reservations, transactions, nightly reports, and invoicing.

The company is or has been used by many well-known hotel brands, including Marriott, Hilton, and Hyatt, whose data is present in the stolen information.

Breached by stolen credentials

The threat actors behind the Otelier breach told BleepingComputer that they initially breached the company’s Atlassian server using an employee’s credentials. These credentials were stolen by information-stealing malware, which has become the bane of corporate networks over the past few years.

When BleepingComputer asked Otelier to confirm if this was how they were breached, they said they could not share any further comments on the incident. However, BleepingComputer found Otelier employees on the Flare threat intelligence platform who had previously been infected by infostealers.

The threat actors say they used these credentials to scrape tickets and other data, which contained further credentials for the company’s S3 buckets.

Using this access, the hackers claimed to have downloaded 7.8 TB of data from the company’s Amazon S3, including tens of millions of documents belonging to Marriott that were in S3 buckets managed by Otelier. These documents include nightly hotel reports, shift audits, and accounting data.

Marriott has confirmed to BleepingComputer that Otelier’s cyberattack has impacted them and that it suspended automated services while Otelier completes its investigation. The company stresses that none of its systems were breached in this attack.

“As soon as we were made aware of this incident involving Otelier, we immediately contacted the vendor, which works with numerous hotel companies, and confirmed that they were working with cyber security specialists to investigate a security incident that impacted their systems,” a Marriott spokesperson told BleepingComputer.

“Marriott has also taken appropriate precautions, including suspending the automated services provided by Otelier until the completion of their investigation, and those services remain suspended.”

The threat actors say they tried to extort Marriott, thinking the S3 buckets belonged to them, by leaving ransom notes requesting payment in cryptocurrency to not leak the data. However, no communication was made, and they said they lost access in September after credentials were rotated.

While Marriott told BleepingComputer that there are no indications that sensitive information was stolen in the breach, samples of the stolen data shared with BleepingComputer and Have I Been Pwned’s Troy Hunt paint a different picture.

The small samples seen by BleepingComputer include a broad range of data, including hotel guest reservations, transactions, employee emails, and other internal data.

Some of the personal information exposed includes hotel guests’ names, addresses, phone numbers, and email addresses.

The stolen data also includes Hyatt, Hilton, and Wyndham information and emails. BleepingComputer contacted Hyatt and Hilton about the breach but did not receive a response.

Hunt tells BleepingComputer that the data he received is far more extensive, with the reservations table containing 39 million rows and a users table containing 212 million.

Of this data, Hunt says there are 1.3 million unique email addresses, as many are repeated.

The exposed personal information is being added to Have I Been Pwned, allowing anyone to check if their email address is in the exposed data.

The good news is that passwords and billing information do not appear to have been stolen in the attack, but threat actors could still use this information in targeted phishing attacks.

Therefore, you should be on the lookout for suspicious emails impersonating hotel brands impacted by this breach.
