The breach impacted Huazhu Hotels Group Ltd, which operates 13 hotel brands including Hanting Inns and Hotels, Hi Inn and Starway Hotel. The company manages 5,162 hotels in 1,119 Chinese cities.
The seller peddling the stolen data on a Chinese-language online forum said the data set contains private information about 130 million guests who stayed in all of the brand's hotels.
It apparently includes all information a customer might have entered to register for the hotel-chain website, including password, phone number, email address, and Chinese ID card number; to check into a hotel, including mailing addresses and birthdays; and booking information including check-in time, departure time and room number.
The seller wants 8 bitcoin (around $57,000) for the entire data set.
Yesterday (Aug. 29), the hotel chain published a statement on the Weibo Chinese-language social network acknowledging the breach. The company said it has hired tech companies to purge the data from online markets. It also urges the data-sellers to stop spreading the information, and states that it may pursue legal action against the perpetrators.
Security researchers believe the breach happened earlier this month. They've attributed it to Huazhu having uploaded copies of its database to a GitHub account.
If you were impacted, it's important to change all of your passwords that are the same as the one you used on the Huazhu website, and that you enable two-factor authentication wherever possible. For more information, check out our guide on what to do after a data breach.