Customers of a South African hospitality company may have been compromised, and could become phishing victims.

Cybernews researchers have uncovered an exposed server belonging to a threat actor containing documentation of attacks against accommodation-sector companies, source code, hacking tool configurations and stolen booking data.

“Claude configuration files contained the threat actor’s personal email, which helped uncover the attacker’s identity,” the Cybernews research team explains.

Key findings from the researchers include:

  • Researchers found at least 50 penetration test reports targeting accommodation companies.
  • Researchers say the hacker bypassed LLM guardrails by disguising malicious intent as penetration testing.
  • The attacker used HexStrike AI, an open-source tool that integrates large language models (LLMs), together with Anthropic’s Claude.
  • The exposed server contained stolen booking-related data, including guests’ personally identifiable information (PII) such as names, emails and phone numbers.
  • Researchers observed 2,1-million unique email addresses in exported files, which most likely corresponds to the number of exposed individuals.
  • The attacker took the server out of public view during the investigation, but the Cybernews team managed to identify at least four affected companies, including a South African one.

One of the victimised companies is NebulaPMS, a property management system developed by South African company Hospitality Technology International. The team found 2-million records containing guests’ full names, email addresses, phone numbers, check-in and check-out dates and hotel names.

The researchers warn that stolen reservation data can be used in highly convincing phishing campaigns, especially when attackers know guests’ names, travel dates, and reservation details.