Agoda denies breach, as 82M records allegedly hit hacker forum
The data allegedly belonging to Agoda has hit underground hacker forums, with 82 million records for sale. Agoda dismisses the claims, stating that the data does not belong to the company.
A threat actor is claiming responsibility for a breach at Agoda, an Asia-focused booking platform, on a well-known hacker forum. According to the listing, 82 million records were allegedly exfiltrated.
The claims come just one week after parent company Booking Holdings confirmed a separate data breach at its flagship brand, Booking.com, which rippled across the globe, leading to an increase in phishing attacks.
Agoda dismissed the claims when contacted by journalists. "There is no truth to this. We have validated the information, and none of it is Agoda data," Agoda's spokesperson said in an emailed statement.
What Agoda data has been allegedly breached?
The Cybernews research team has examined the available samples and identified that they contain personal data from guests, predominantly linked to Malaysian users. Among the exposed data are:
- Full names
- Malaysian identity card (IC) numbers
- Email addresses
- Phone numbers
- Addresses of the hotels
"The data looks legit. The data sample format and content match the threat actor's claims," the Cybernews research team confirmed following their analysis.
However, our researchers were unable to verify the 82 million figure, as the posted sample contains only 23 records.
The sample data contains no dates of stay, which is a standard field in virtually any booking record. Cybernews researchers flagged this as unusual, noting that most booking records usually contain such data.
A billion-dollar parent company breached last week
Agoda is a wholly owned subsidiary of Booking Holdings, the $160 billion travel conglomerate that also operates Booking.com, Priceline, Kayak, and OpenTable. The claims of alleged breach come just a week after Booking.com suffered a cyber incident.
On April 13th, Booking.com confirmed that unauthorized parties had gained access to customer data, including names, email addresses, phone numbers, and reservation details.
The reported breach that has already spawned a wave of "reservation hijacking" scams across Europe, the UK, and North America.
Agoda dismisses the claims
Cybernews has reached out to Agoda for a comment, and the company dismissed the claims on a hacker forum.
Agoda stated it has conducted a "thorough review" and found "no evidence" that any confidential user data was accessed. "The data purported to be “from Agoda” does not match our records, and several of the fields referenced are not data we collect," the company stated.
"We maintain robust security measures to continuously monitor and protect our systems, and safeguarding our customers’ information remains a top priority."
ID card numbers could be exploited
Malaysia has previously suffered a string of massive data breaches, increasing citizens' risk of attacks.
In 2017, a leak at a mobile provider affected the entire population, exposing the personal details of 46 million mobile subscribers. In 2024, 17 million MyKad records, the Malaysian national identity card, were reportedly sold on underground forums.
Each new leak allows attackers to cross-reference the data, enriching existing profiles and making successive attacks on individuals more precise.
Exposing Malaysian IC numbers is particularly dangerous in the hands of threat actors, as it functions as a permanent key to an individual's identity. Unlike passwords or even credit cards, a national identity number cannot be changed.
Updated on April 22th [10:50 a.m. GMT+2] with a statement from Agoda
Unlock more exclusive Cybernews content on YouTube.
