Defensive CTI Investigation

From Public Code to Presidential Suites

How a single GitHub search uncovered hardcoded credentials that could access live guest data at hotel properties that have hosted G20 summits, heads of state, and world leaders.

191 data fields per guest
189 stolen credentials on the dark web
4+ hotel brands at risk
10 months exposed

Why This Matters Beyond Cybersecurity

The hotel Property Management System (PMS) at the center of this investigation is used by some of the world's largest hotel chains — brands that have hosted G20 summits, bilateral state meetings, and accommodated heads of state, diplomats, and intelligence officials.

Contexts: G20 summit venues, head-of-state accommodations, diplomatic delegations, international conferences, global hotel chains.

A breach of this system doesn't just expose tourist data — it could reveal travel patterns, room assignments, companion details, and security arrangements of some of the most protected people on the planet.

Scene 1

The Mistake

A contractor accidentally uploads passwords to the public internet
[Diagram: the contractor runs git push to the public repository github.com/contractor/hotel-integration; its server.js holds const fetchToken = "MzRjYzc2ZTkt..." and const api_key = "sk-XXXX-SECRET", production credentials visible to everyone on the internet.] Hardcoded credentials were pushed to a public GitHub repository, where they were indexed and searchable by anyone.
What happened: A software contractor building a hotel CRM integration uploaded their code to GitHub, a public code-sharing platform. Buried inside the source code were real production API credentials stored as Base64 strings. Base64 is an encoding, not encryption: anyone who finds the string recovers the credential with a single decode call. The repository was public, indexed by search engines, and visible to anyone on the internet for over 10 months.
Scene 2

The Discovery

Routine brand monitoring surfaces the exposed credentials
[Diagram: the investigator's GitHub code search results. ash25F/Wifi-PMS, line 10: fetchToken = "MzRjYz..." (Base64, decodes to an API credential). ash25F/freshapp, line 57: a second token; lines 2-3: CRM domain and API key. Critical finding: production DataStream credentials exposed in public repositories. Severity: CRITICAL. Exposed since: May 2025 (~10 months).] GitHub code search revealed two public repositories belonging to a contractor with live production credentials.
How it was found: During routine brand monitoring, the investigator searched public code repositories for references to the hotel company's API domains. Two repositories turned up hardcoded production credentials: Base64-encoded strings that decoded to UUID-pair authentication tokens with full API access. Searching by the company's own API domains, rather than for generic secret patterns, is what surfaced them.
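The decode-and-match step described above, as an added example rather than the investigator's own tooling: a scanner that pulls quoted Base64 literals out of source text, decodes them, and flags any that decode to a UUID pair (the token shape found in the investigation), plus plaintext literals assigned to secret-named variables. The sample server.js contents, its variable names, the UUIDs and the domain are all constructed for this example and are not taken from the contractor's repositories.

```python
"""Find Base64 literals in source code that decode to credentials.

Added example, not the investigator's tooling. SAMPLE_SERVER_JS, its
variable names, UUIDs and domain are constructed for this example.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# A quoted run of 24+ Base64-alphabet characters with optional padding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{24,}={0,2})["\']')
# Any quoted literal of 12+ characters, used for the plaintext check.
STRING_LITERAL = re.compile(r'["\']([^"\']{12,})["\']')
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Two UUIDs joined by a common separator, e.g. client-id:client-secret.
UUID_PAIR = re.compile(rf"^{UUID}[:|;,/ ]{UUID}$", re.IGNORECASE)
# Variable names that usually hold secrets.
SECRET_NAME = re.compile(r"token|secret|api[_-]?key|password|passwd|credential", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    line_no: int
    literal: str
    decoded: str   # decoded text, or the literal itself for plaintext hits
    reason: str


def try_decode(literal):
    """Return the decoded text if the literal is valid Base64 for printable ASCII, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (binascii.Error, ValueError):   # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def scan_text(path, text):
    """Scan one file's contents; returns at most one Finding per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = None
        for m in B64_LITERAL.finditer(line):
            decoded = try_decode(m.group(1))
            if decoded is None:
                continue
            if UUID_PAIR.match(decoded):
                hit = Finding(path, line_no, m.group(1), decoded,
                              "Base64 decodes to a UUID pair (API credential shape)")
            elif SECRET_NAME.search(line):
                hit = Finding(path, line_no, m.group(1), decoded,
                              "Base64 literal assigned to a secret-named variable")
            if hit:
                break
        if hit is None and SECRET_NAME.search(line):
            m = STRING_LITERAL.search(line)
            if m:
                hit = Finding(path, line_no, m.group(1), m.group(1),
                              "plaintext literal assigned to a secret-named variable")
        if hit:
            findings.append(hit)
    return findings


# Constructed stand-in for the contractor's server.js; the UUIDs are made up.
_FAKE_TOKEN = base64.b64encode(
    b"3d6f2a9c-1b4e-4c8d-9a7f-0e5b6c2d1a8f:7b1c9e4a-2d5f-4a6b-8c3d-1f0e9a7b6c5d").decode()
_FAKE_BANNER = base64.b64encode(b"hello world, this is not a secret").decode()
SAMPLE_SERVER_JS = f"""const express = require("express");
const crmDomain = "crm.hotel-example.invalid";
const api_key = "sk-XXXX-SECRET";
const fetchToken = "{_FAKE_TOKEN}";
const banner = "{_FAKE_BANNER}";
"""


def scan_sample():
    return scan_text("server.js", SAMPLE_SERVER_JS)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}:{f.line_no}: {f.reason}\n    {f.decoded}")
```

Run against the sample it reports line 3 (the plaintext api_key) and line 4 (the Base64 UUID pair) and stays quiet on the harmless Base64 banner, because that literal neither decodes to a credential shape nor sits on a secret-named line. The same function dropped into a pre-commit hook catches this class of leak before the push that started this story.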
Scene 3

What the Key Unlocks

A single credential exposes live guest reservations in real-time
[Diagram: exposed credential → DataStream API → live guest data: full names and contacts, phone numbers and emails, payment card details, room numbers, rates and dates, staff names and booking agents. Each reservation event contains 191 data fields including PII, financial data, and operational details.]
Data categories exposed: guest names, phone numbers, email addresses, payment cards, room details, rates and billing, company info, staff names.
The risk: Anyone holding this credential could silently read every new hotel booking in real time, including guest names, phone numbers, emails, partial credit card numbers, room assignments, and staff identities. Because the token is a legitimate integration credential, a third party using it is indistinguishable from the contractor's own integration unless the API owner checks where requests come from. For properties hosting dignitaries, this means travel itineraries, room locations, and security arrangements could be compromised.
Scene 3b — Evidence

The Intercepted Data: Actual Guest Record

A real reservation record retrieved from the live DataStream, with PII redacted for this publication.
[Screenshot: intercepted DataStream record, an actual API response with guest PII fields marked REDACTED for publication.]
What this screenshot shows:
👤 Guest Identity
Full name, phone number, email address, unique guest ID — plus a second guest (companion) with their own contact details.
🏨 Reservation Details
Room 702 — COZY DOUBLE, check-in/out dates, booking source (walk-in), reservation number, and booking agent.
💳 Financial Data
Nightly rate (₹6,799.20), taxes (SGST/CGST), payment method (CASH + VISA), partial card number (XXXX 7066), staff who processed payment.
👨‍💼 Operational Intelligence
Staff usernames, housekeeping schedule, cancellation policy, guarantee type, folio balance, business event timestamps.
⚠️ This is ONE record out of a continuous stream
The DataStream API delivers every new reservation event in real-time. An attacker with this credential could passively monitor all guest check-ins indefinitely.
This is not simulated data. This is an actual guest reservation record returned by the production DataStream API using the credential found in the public GitHub repository. Guest names, phone numbers, emails, and staff identities have been redacted. The room number, rates, dates, and data structure are shown as-is to demonstrate the severity of the exposure.
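The evidence handling this scene describes (capture the live record, redact identities, keep room, rates and dates as-is) as an added example rather than the investigation's own tooling: a packager that hashes the untouched record for chain of custody, counts its fields, and produces a redacted copy that also scrubs PII from free-text fields. The field names are assumptions, not the real DataStream schema, and SAMPLE_EVENT is a constructed record shaped like the one the screenshot describes.

```python
"""Package one DataStream-style reservation event as evidence.

Added example, not the investigation's tooling. Field names are assumed,
not the real DataStream schema; SAMPLE_EVENT is constructed.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Keys whose values identify a guest or staff member: replaced outright.
PII_KEYS = {"firstName", "lastName", "email", "phone", "guestId", "bookingAgent", "processedBy"}
# Card numbers are kept as the last four digits, the form used in the report above.
CARD_KEYS = {"cardNumber"}
# Free-text fields (notes, comments) can carry PII too, so every string is scrubbed.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d[\d ]{8,}\d")   # international numbers with a leading +


def mask_card(value):
    digits = re.sub(r"\D", "", value)
    return "XXXX " + digits[-4:]


def redact(node):
    """Return a redacted deep copy; the input is never modified."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key in PII_KEYS:
                out[key] = "REDACTED"
            elif key in CARD_KEYS and isinstance(value, str):
                out[key] = mask_card(value)
            else:
                out[key] = redact(value)
        return out
    if isinstance(node, list):
        return [redact(v) for v in node]
    if isinstance(node, str):
        return PHONE_RE.sub("[phone redacted]", EMAIL_RE.sub("[email redacted]", node))
    return node


def leaf_count(node):
    """Number of scalar fields in a record (the figure quoted as 191 per event above)."""
    if isinstance(node, dict):
        return sum(leaf_count(v) for v in node.values())
    if isinstance(node, list):
        return sum(leaf_count(v) for v in node)
    return 1


def canonical_json(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def package_evidence(event, source, captured_at=None):
    """Hash the raw event before redacting, so the hash covers what was actually retrieved."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    return {
        "source": source,
        "captured_at": captured_at,
        "raw_sha256": hashlib.sha256(canonical_json(event)).hexdigest(),
        "field_count": leaf_count(event),
        "record": redact(event),
    }


# Constructed sample shaped like the record described above; not real data.
SAMPLE_EVENT = {
    "eventType": "RESERVATION_CREATED",
    "reservationNumber": "R-20260312-0042",
    "room": {"number": "702", "type": "COZY DOUBLE"},
    "arrival": "2026-03-12",
    "departure": "2026-03-14",
    "source": "WALK_IN",
    "guests": [
        {"guestId": "G-77341", "firstName": "Asha", "lastName": "Rao",
         "email": "asha.rao@example.invalid", "phone": "+91 98765 43210"},
        {"guestId": "G-77342", "firstName": "Vikram", "lastName": "Rao",
         "email": "vikram.rao@example.invalid", "phone": "+91 98765 43211"},
    ],
    "rate": {"nightly": 6799.20, "currency": "INR", "sgst": 611.93, "cgst": 611.93},
    "payments": [
        {"method": "CASH", "amount": 5000.00, "processedBy": "fdesk_meera"},
        {"method": "VISA", "cardNumber": "4111222233337066", "amount": 2411.06,
         "processedBy": "fdesk_meera"},
    ],
    "bookingAgent": "agent_rahul",
    "notes": "Guest requested late checkout; reach at asha.rao@example.invalid or +91 98765 43210",
}

if __name__ == "__main__":
    print(json.dumps(package_evidence(SAMPLE_EVENT, "datastream"), indent=2))
```

The hash is computed over the canonical form of the unredacted record, so a reviewer holding the original can verify the redacted copy came from exactly that retrieval; the notes field shows why key-based redaction alone is not enough, since the guest's email and phone reappear there as free text.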
Scene 4

The Bigger Picture

One contractor's mistake puts an entire hospitality ecosystem at risk
[Diagram: the hotel technology company's PMS sits at the center; connected to it are a major international brand (G20 summit venues), a budget chain (6,000+ properties), a mid-tier national chain, and a global enterprise hotel group. The contractor is the weak link, with credentials pushed to GitHub. Blast radius: all hotel brands sharing the platform are potentially affected by a single contractor's credential leak.]
1. Contractor uploads credentials to public GitHub → anyone on the internet can find them.
2. Stolen employee passwords found on dark web markets → criminals already hold them.
3. Hotel brand client credentials leaked in malware logs → downstream systems at risk.
4. Direct origin server IPs discovered → the WAF and firewall in front of the platform can be bypassed by connecting to the servers directly.
Scene 5

The Dark Web Connection

Malware on hotel computers had already been stealing credentials
[Diagram: 66 infected hotel PCs → credentials sold on dark web markets → criminal buyers with ready-made access → hotel systems compromised. Stealer malware had already harvested credentials from hotel staff computers and they were sold on dark web markets.]
189 leaked credentials, 78 hotel staff, 66 infected PCs, 2 company staff, 4+ brands hit.
Already compromised: Even before the GitHub exposure was discovered, malware had infected hotel staff workstations and stolen their passwords. These credentials were found circulating on dark web markets. One infected machine ("TYLER") contained credentials for multiple hotel brands simultaneously — showing a multi-property management station that was fully compromised.
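The triage behind the figures in this scene, as an added example rather than the investigation's own tooling: a parser for the URL/USER/PASS block layout that many stealer families dump (assumed here), which keeps only logins for hotel-brand domains and reports unique credentials, staff accounts, infected machines, brands, machines holding credentials for more than one brand (the multi-property station pattern), and passwords reused across hosts. SAMPLE_LOG, BRAND_DOMAINS and every entry in them are constructed; the machine name TYLER is borrowed from the text only as a label.

```python
"""Triage stealer-log entries by infected machine and hotel brand.

Added example, not the investigation's tooling. The URL/USER/PASS block
layout is assumed; SAMPLE_LOG and BRAND_DOMAINS are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pprint import pprint
from urllib.parse import urlsplit

MACHINE_RE = re.compile(r"^=+\s*MACHINE:\s*(\S+)\s*=+$")
KV_RE = re.compile(r"^(URL|USER|PASS):\s*(.*)$")

# Constructed mapping from login domains to the brand they belong to.
BRAND_DOMAINS = {
    "brand-a.example": "Brand A",
    "brand-b.example": "Brand B",
    "brand-c.example": "Brand C",
}


@dataclass(frozen=True)
class Credential:
    machine: str
    host: str
    user: str
    password: str


def parse_log(text):
    """One Credential per complete URL/USER/PASS block under a machine header."""
    creds, machine, block = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = MACHINE_RE.match(line)
        if header:
            machine, block = header.group(1), {}
            continue
        kv = KV_RE.match(line)
        if not kv or machine is None:
            continue
        block[kv.group(1)] = kv.group(2).strip()
        if all(k in block for k in ("URL", "USER", "PASS")):
            host = (urlsplit(block["URL"]).hostname or "").lower()
            creds.append(Credential(machine, host, block["USER"], block["PASS"]))
            block = {}
    return creds


def brand_for(host):
    """Map a login host to a brand, matching the domain itself or any subdomain."""
    for domain, brand in BRAND_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return brand
    return None


def triage(creds):
    in_scope = {c for c in creds if brand_for(c.host)}   # drops personal/unrelated logins
    brands_by_machine = defaultdict(set)
    hosts_by_secret = defaultdict(set)
    for c in in_scope:
        brands_by_machine[c.machine].add(brand_for(c.host))
        hosts_by_secret[(c.machine, c.user, c.password)].add(c.host)
    return {
        "credentials": len(in_scope),
        "staff_accounts": len({c.user for c in in_scope}),
        "infected_machines": len(brands_by_machine),
        "brands": sorted({b for s in brands_by_machine.values() for b in s}),
        # The multi-property station pattern: one machine, several brands.
        "multi_brand_machines": {m: sorted(b) for m, b in brands_by_machine.items() if len(b) > 1},
        # The same user/password pair seen against more than one host.
        "reused_passwords": {k: sorted(v) for k, v in hosts_by_secret.items() if len(v) > 1},
    }


# Constructed log; no real hosts, users or passwords.
SAMPLE_LOG = """\
===== MACHINE: TYLER =====
URL: https://pms.brand-a.example/login
USER: fdesk.tyler@brand-a.example
PASS: Summer2025!
URL: https://portal.brand-b.example/staff
USER: tyler.r
PASS: Welcome1
URL: https://mail.brand-a.example/owa
USER: fdesk.tyler@brand-a.example
PASS: Summer2025!
===== MACHINE: RECEPTION-03 =====
URL: https://pms.brand-c.example/
USER: reception03
PASS: hotel123
URL: https://accounts.example.com/signin
USER: personal.mail@example.com
PASS: notrelevant
"""

if __name__ == "__main__":
    pprint(triage(parse_log(SAMPLE_LOG)))
```

On the sample, TYLER is the multi-brand machine (Brand A and Brand B), the personal login on RECEPTION-03 is excluded from every count, and the front-desk account's password reuse across the PMS and mail hosts is surfaced, which is the detail that turns one stolen login into two.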
Scene 6

The Geopolitical Dimension

Why hotel PMS security is a matter of national security
[Diagram: when hotel data becomes intelligence data. Regular guest booking: guest John Smith, Room 204, 2 nights; impact of breach: identity theft risk, credit card fraud, privacy violation; severity HIGH. Head-of-state booking: delegation of [COUNTRY] President plus staff, Floor 12 (secured), 4 nights, G20 Summit; exposed in a breach: exact room numbers and floor assignments, travel dates and itinerary patterns, companion names (security detail, aides), booking agent and staff with access, VIP flags and special arrangements; severity NATIONAL SECURITY THREAT. The same 191-field data record structure applies to every guest, tourist or world leader.]
The geopolitical risk: Several hotel brands using this PMS have hosted G20 summits, state visits, and international conferences. The reservation data structure doesn't distinguish between a tourist and a head of state — the same 191 fields capture room assignments, companion details, VIP flags, and security arrangements. For a state-sponsored threat actor, this data is actionable intelligence.
Consider the scenario: A hostile intelligence service obtains these credentials. They can now monitor, in real-time, which government officials are checking into which hotels, which rooms they're assigned to, who is accompanying them, and how long they're staying. This isn't hypothetical — the credentials were publicly accessible for 10 months.
Scene 7

The Resolution

Findings responsibly documented and reported for remediation
[Diagram: evidence package (screenshots, report, remediation steps) delivered to the client company, which reviews the findings and initiates fixes. Remediation actions: rotate exposed credentials, remove public repositories, add IP restrictions to APIs, audit contractor access, enable secret scanning.]
1. Rotate all credentials immediately: change the exposed DataStream API tokens and any related secrets. Rotation is the only step that actually closes the exposure; once a string has sat in a public repository for months it must be assumed cloned, forked and indexed, and taking the repository down does not recall it.
2. Remove or privatize the GitHub repositories: take down the contractor's public repos that contain production secrets, and purge the secret from the commit history (with git filter-repo or similar) rather than only from the latest commit, since old commits stay reachable.
3. Add IP allowlisting to the APIs: restrict DataStream API access to authorized IP addresses only, so a leaked token is useless from anywhere else.
4. Audit all contractor access: review what credentials contractors hold and enforce secrets management policies, with secrets supplied through environment or a vault and never committed to source.
5. Enable GitHub secret scanning: set up automated alerts for future credential leaks. GitHub's default scanning recognizes known token formats from partner providers; a Base64-encoded UUID pair is not one of them, so a custom pattern for this credential shape is needed, and a contractor's personal repositories fall outside the company's organization scope in any case.
Outcome: All findings were documented with forensic-quality evidence — screenshots, timestamps, and chain-of-custody records — and reported to the client through authorized channels. The goal: help them fix these problems before a malicious actor exploits them.
Full Story

The Complete Investigation Flow

1. Discover: brand monitoring finds the contractor's public code.
2. Decode: Base64 string = production API credential.
3. Exposure: credential accesses live guest data (191 fields).
4. Dark web: 189 more stolen credentials on dark markets.
5. Chain: 4+ hotel brands affected through the shared PMS.
6. Report: evidence delivered for remediation.
Severity: CRITICAL. Exposed since: May 2025. Fields per record: 191. Brands at risk: 4+. Stolen credentials: 189.