breach - TrustStrike Labs

breach

2026-05-14

BWH Hotels (Best Western's parent) had attackers in its reservation system for over six months - guests' contact details and stay records exposed across Best Western, WorldHotels, and SureStay brands

BWH Hotels - the global hospitality group behind Best Western, WorldHotels, and Sure Hotels, with 4,000+ properties in over 100 countries and 53 million loyalty members - has disclosed that attackers were inside one of its guest reservation web applications for more than six months. The intrusion ran from October 14, 2025, to April 22, 2026, when BWH finally detected unauthorized activity. The hackers accessed names, email addresses, phone numbers, postal addresses, reservation numbers, stay dates, and any special requests for an undisclosed number of guests. Payment data sat with a third-party processor and was not affected. No threat actor has claimed the breach so far.

bwh-hotels best-western hospitality breach web-application six-month-dwell-time phishing-risk

Check: Search corporate travel and expense systems for stays at BWH-branded properties between October 2025 and April 2026, and warn frequent business travelers to treat any unexpected reservation emails as suspect.
Affected: BWH Hotels guests with reservations in the affected web application between October 14, 2025, and April 22, 2026. Brands include Best Western, Best Western Hotels and Resorts, WorldHotels, SureStay, and Sure Hotels.
Fix: Treat any unexpected emails or texts referencing past BWH stays as untrusted, even if the details match. Visit the booking property's verified website directly instead of clicking links, and rotate any reused passwords.

breach

2026-05-14

Telehealth aggregator OpenLoop Health confirms 716,000 patient records stolen in a 24-hour intrusion in January - downstream consumer brands still unnamed

OpenLoop Health, an Iowa-based telehealth infrastructure company that supplies clinicians and prescription processing to dozens of consumer telehealth platforms, has confirmed via the HHS breach portal that a January 2026 incident affected 716,000 individuals. Attackers were inside its systems for only one day - January 7 to 8 - but exfiltrated names, addresses, email addresses, dates of birth, and medical information. Social Security numbers and electronic health records were not accessed. A threat actor called Stuckin2019 claimed responsibility and put samples on a hacking forum; OpenLoop reportedly paid them and the listing was taken down. Because OpenLoop is white-label, affected patients enrolled through many different consumer telehealth brands.

openloop-health telehealth healthcare breach stuckin2019 hhs-ocr white-label supply-chain

Check: Search HR and benefits records for employee enrollments in telehealth programs (weight loss, men's health, hormone therapy) that may run on OpenLoop's backend, and review supplier security questionnaires for any telehealth vendor.
Affected: Patients of any consumer telehealth platform that uses OpenLoop Health as its clinical infrastructure provider. 716,000 individuals confirmed via HHS OCR; threat actor Stuckin2019 claimed 1.6 million.
Fix: Affected individuals should enroll in the free IDX credit and identity monitoring OpenLoop is offering, and watch for medical-themed phishing for at least 12 months. Treat unexpected appointment reminders or prescription notices as suspect until verified.

breach

2026-04-19

Vercel confirms breach - attackers got in through Context.ai AI tool's Google Workspace OAuth, stole customer environment variables

Cloud development platform Vercel disclosed a security incident on April 19 after a threat actor claiming to be ShinyHunters posted stolen data for sale on a hacking forum. Vercel CEO Guillermo Rauch confirmed the initial access came through a breach at Context.ai, an enterprise AI platform one Vercel employee had signed up for using their Vercel enterprise account with 'Allow All' OAuth permissions. Attackers compromised Context.ai, stole the OAuth token, took over the employee's Google Workspace account, and pivoted into Vercel environments. Once inside, they accessed environment variables not marked as 'sensitive' - these are stored unencrypted at rest, unlike sensitive env vars which Vercel encrypts. The attacker posted 580 employee records (names, emails, account status, activity timestamps) as a teaser, plus screenshots of an internal Vercel Enterprise dashboard. They claim to also have access keys, source code, database data, and API keys, though Vercel characterizes impact as a 'limited subset' of customers. Mandiant is engaged. This is the cleanest real-world example to date of the AI supply chain risk pattern everyone has been warning about: a third-party AI tool with broad OAuth scopes becomes the initial access vector into your primary infrastructure.

vercel context-ai shinyhunters oauth google-workspace supply-chain ai-supply-chain breach

Check: If you deploy apps on Vercel, rotate all environment variables immediately - especially any not marked 'sensitive'. Also audit every third-party AI/SaaS tool that has OAuth access to your Google Workspace or similar identity provider.
Affected: Any Vercel customer with environment variables not marked 'sensitive'. Vercel has directly contacted a 'limited subset' of customers whose credentials were compromised. If you weren't contacted, Vercel says it has no evidence of your data being accessed at this time. Separately: any organization using Context.ai with Google Workspace OAuth granted 'Allow All' permissions.
Fix: Rotate every Vercel environment variable and redeploy applications to pick up the new values. Mark any secret as 'sensitive' in Vercel's dashboard going forward - this encrypts at rest. In Google Workspace Admin, search for and revoke OAuth App ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Review Google Workspace audit logs between April 1-19 for unusual OAuth grants or token access. Audit every third-party tool connected to your Google Workspace - specifically those granted broad OAuth scopes - and remove any your team isn't actively using.