EscapadaRural data breach

What Happened

In 2022, EscapadaRural, a Spanish short-term rural rental platform owned by HomeToGo, exposed a database containing personal information of approximately 2.9 million customers through an unsecured, publicly accessible Amazon Web Services cloud storage bucket. The exposed data included names, email addresses, genders, dates of birth, and phone numbers, with the latest entries dated November 7, 2022. Cybernews researchers discovered the exposure on January 8, 2023, but a hacker using the alias ‘louhunter’ had already accessed the dataset and posted it (exported as a CSV file) on BreachForums by July 2023. The leak remained undetected and unsecured for over six months, heightening the risk of phishing, scams, doxxing, and fraud. A separate report noted that a hacker using the alias ‘zxcv16’ posted 136 MB of similar customer data (names, emails, phones) on the Nulled dark web forum on May 24, 2023, though the initial access method remains unclear. The company sealed the bucket after disclosure but did not respond to inquiries, and it potentially faces GDPR fines for failing to encrypt or monitor the data.

Compromised Assets

  • email
  • first name
  • last name
  • phone
