Luxury Escapes Data Breach Exposes User and Payment Data

The Luxury Escapes data breach was reported on November 7, 2025, after a threat actor claimed to have compromised the Australia-based online travel company LuxuryEscapes.com. The attacker alleges that the incident resulted from an SQL injection (SQLi) vulnerability and is now selling the complete database dump containing 86 tables of sensitive data.

According to the post shared on a dark web marketplace, the stolen data includes more than 62,000 “elite user” profiles with personally identifiable information, payment-related details, and travel history. The attacker provided technical schema samples and a price list for the data, with encrypted passports offered for an additional fee.

Overview of the Luxury Escapes Breach

Luxury Escapes is one of Australia’s leading luxury travel retailers, offering high-end vacation packages and exclusive deals. The company manages customer booking systems, loyalty programs, and financial processing data. The breach, if verified, could expose critical user information stored across multiple shards of the company’s databases.

The hacker claims that four database shards were dumped, affecting tables such as:

  • users, user_profiles, and user_addresses
  • encrypted_credit_cards
  • booking_passports and encrypted_passports
  • ml_fraud_predictions (credit card fraud scoring)
  • gdpr_consents and ccpa_optouts
  • loyalty_points and promo_usage

Data Allegedly Included in the Breach

  • 62,000+ elite user accounts
  • Partial credit card numbers (last 4 digits and expiry date)
  • Credit card fraud scores and machine learning predictions
  • Full user trip history and booking metadata
  • Device and IP address information
  • Loyalty and promotional reward records
  • GDPR and CCPA consent logs
  • Encrypted passport data, offered decrypted for $2,500

The hacker lists the full database dump (86 tables) for sale at $1,800 and states that decrypted passport data can be purchased separately. The listing indicates that the seller is using escrow and only accepts “serious buyers.”

Technical Details of the Attack

The threat actor describes the attack as an “Enterprise SQLi breach.” SQL injection is a web vulnerability that allows an attacker to manipulate backend queries, extract sensitive data, and bypass authentication. The post includes structured snippets from the stolen schema, showing binary fields for passport encryption, fraud prediction tables, and feature vectors from machine learning models.

This suggests the compromise affected not only customer data but also the company’s internal fraud detection and analytics systems, which may contain proprietary algorithms and risk analysis tools.

Potential Impact and Risks

The Luxury Escapes data breach could have significant consequences for affected users and the company itself. If the data is legitimate, the exposure of partial card information and encrypted passports represents a major privacy and security risk.

  • Identity Theft: Passport data, even encrypted, can be valuable to threat actors seeking to clone or sell digital identities.
  • Payment Fraud: Card fragments and fraud score metadata can be used to construct phishing attacks or targeted scams.
  • Targeted Phishing: Detailed trip history and user IPs enable convincing social engineering campaigns.
  • Corporate Risk: The leak of machine learning fraud models could weaken Luxury Escapes’ fraud prevention systems.

Response and Verification

As of now, Luxury Escapes has not released any official statement confirming or denying the breach. The data has not yet been leaked publicly, suggesting that the actor may still be attempting to sell it privately. Multiple threat intelligence feeds have flagged the listing as “pending verification.”

Cybersecurity analysts are investigating the authenticity of the sample schema and whether the credentials or encryption keys in the dataset are valid.

What Customers Should Do

If you have booked or purchased through Luxury Escapes, take precautionary steps to protect your information:

  • Monitor your bank and credit card accounts for unauthorized activity.
  • Change your Luxury Escapes password and avoid reusing it elsewhere.
  • Be cautious of emails or texts referencing travel bookings, refunds, or loyalty rewards.
  • Use credit monitoring or fraud detection tools to detect suspicious activity.
  • Run a full system scan using Malwarebytes to identify potential threats on your devices.

Recommendations for Businesses

Organizations that handle customer data should take this incident as a reminder to:

  • Conduct penetration testing to identify SQL injection vulnerabilities.
  • Implement web application firewalls and parameterized queries.
  • Encrypt sensitive data both in transit and at rest.
  • Limit database access through strict user permissions.
  • Monitor for unusual query behavior or exfiltration patterns.
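
The parameterized-query recommendation above, shown as an added example (not code from Luxury Escapes or from the original article). It places a string-concatenated lookup beside its bound-parameter form and adds an allow-list for a sort column, since identifiers cannot be bound. The table layout, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; only the table name "users" comes from the article.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, tier TEXT)")
    db.executemany(
        "INSERT INTO users (email, tier) VALUES (?, ?)",
        [("a@example.com", "elite"),
         ("b@example.com", "elite"),
         ("c@example.com", "standard")],
    )
    return db

def find_user_concat(db, email):
    # Weak pattern: the input is spliced into the SQL text, so a quote
    # character in it can change the structure of the query.
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def find_user_bound(db, email):
    # Corrected pattern: the value is passed separately from the SQL text
    # and is only ever compared as data.
    return db.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()

SORTABLE = {"id", "email", "tier"}  # hypothetical allow-list of sort columns

def list_users_sorted(db, tier, sort_by):
    # Column names cannot be bound as parameters, so they are checked
    # against a fixed allow-list before being placed in the statement.
    if sort_by not in SORTABLE:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT id, email FROM users WHERE tier = ? ORDER BY {sort_by}"
    return db.execute(sql, (tier,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing a quote
    print("concatenated:", len(find_user_concat(db, crafted)), "rows")
    print("parameterized:", len(find_user_bound(db, crafted)), "rows")
```

The same crafted input is a useful regression test: any lookup that returns rows for it is still building SQL from strings.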

The Luxury Escapes data breach highlights how a single web vulnerability can compromise sensitive customer and financial data on a large scale. While the data has not been leaked publicly, it underscores the ongoing threat posed by SQL injection attacks against high-profile e-commerce and travel platforms.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
