An unidentified threat actor is claiming to have breached Luxury Escapes (LuxuryEscapes.com), an Australia-based online luxury travel company. The actor alleges the breach was accomplished via an SQL injection (SQLi) vulnerability and is now selling the full database dump, which reportedly contains 86 tables.
According to the actor, the data being sold covers over 62,000 “elite users.” The allegedly stolen data includes:
- Partial credit card details (last 4 digits, expiry)
- Credit card fraud scores
- Full user trip history
- IP addresses and device information
- Loyalty points
- GDPR and CCPA consent logs
- Encrypted passport information (the actor is offering to sell decrypted passports for an additional fee)












