How a Russian Hacker Leveraged HexStrike and Claude to Breach Hotel Booking Platforms

Security researchers uncovered that a Russian attacker combined the open‑source HexStrike AI tool with Anthropic's Claude to infiltrate multiple hotel reservation systems, exfiltrating over 2.1 million email addresses and extensive booking data, and then detailed the attack methods, affected companies, risks, and mitigation advice.

Black & White Path
Black & White Path
Black & White Path
How a Russian Hacker Leveraged HexStrike and Claude to Breach Hotel Booking Platforms

Event Overview

On April 16, 2026, a security research team discovered a server owned by a threat actor that was unintentionally exposed to the public Internet. Inside the server they found attack details, source code, and stolen data targeting several hospitality‑industry companies.

Attack Method Analysis

HexStrike AI Tool

HexStrike AI is an open‑source platform that lets users run security tools anonymously, effectively serving as an automated penetration‑testing framework. When misused, its vulnerability‑scanning capabilities can be turned into unauthorized access mechanisms.

Bypassing AI Safety Controls

The attacker disguised malicious activity as legitimate penetration testing, allowing the operations to slip past the large‑language‑model (LLM) safety checks. Using AI assistance, the hacker generated at least 50 penetration‑test reports for hospitality companies, each containing an executive summary, target infrastructure details, discovered vulnerabilities, exploitation steps, data types obtained, and mitigation suggestions.

Server Contents

The exposed server held millions of reservation‑related files, including summaries of the hacker tools and configurations, various code‑base files, and stolen data primarily consisting of guest personal information and host details. Exported files contained 2.1 million unique email addresses .

Affected Companies

RoomScope (Thailand)

Software provider for hotel management with roughly 6.4 million booking records, including guest names, 1.1 million unique email addresses, phone numbers, and ancillary services.

IGMS (Canada)

Property‑management‑system developer whose leak included host phone numbers, check‑in/out dates, host emails, property addresses, and some Wi‑Fi passwords, amounting to about 1,400 records.

NebulaPMS (South Africa)

Hospitality Technology International’s PMS revealed around 2 million records containing guest full names, email addresses, phone numbers, stay dates, and hotel names.

Staysee (Japan)

PMS company whose breach exposed historical and future booking data, over 31,000 payment records (booking IDs, payment method, amount) and 49,000 product records (booking IDs, product purchase info, price).

Follow‑up Response

NebulaPMS told Cybernews that it learned of the potential breach in March 2026 and has taken multiple remediation steps, including additional penetration tests, continuous security scanning, strengthened password policies, and implementation of best‑practice password protection standards.

Risks for Holiday Users

Compromised hotel booking platforms are attractive targets because stolen data can fuel highly effective phishing attacks. With precise names, travel dates, and reservation numbers, attackers can craft convincing fake hotel emails that users are likely to act on, potentially leading to greater financial loss.

Security Recommendations

Enterprise Level : Hospitality companies should increase investment in data security and conduct regular penetration testing and security scans.

Password Strategy : Enforce strong password policies and enable multi‑factor authentication.

Monitoring & Alerts : Deploy anomaly detection mechanisms to quickly identify unauthorized access.

User Level : Users should be wary of unexpected emails or messages and verify any reservation‑related requests.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

information securityAI securityClaudedata theftHexStrikehotel booking breach
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.