What Happened
On or around March 3, 2026, a threat actor reportedly published a dataset linked to the Mexican travel reservations platform reservations.mexitravels.com. According to breach monitoring services including HackNotice and Bitsight, over 1.98 million records were leaked in SQL format.
The data is said to contain personal information associated with travel reservations. The exact fields have not been confirmed by the platform operator, and at the time of writing, MexiTravels does not appear to have issued a public statement regarding the incident.
Details about the attack vector, the identity of the threat actor, and the timeline of the intrusion remain limited. The leak was flagged through automated breach monitoring services that track data appearing on dark web forums and cybercrime communities.
Timeline
- March 3, 2026 — Dataset published on cybercrime forum in SQL format
- March 2026 — Breach monitoring services flag the leak
Impact and Risk Assessment
For Individuals
Approximately 1.98 million individuals with travel reservations may have had personal and travel data exposed.
Travel reservation data can reveal travel patterns, dates, and destinations, enabling targeted social engineering.
For Organisations
Hotels and travel partners of MexiTravels may face reputational impact and increased phishing targeting their shared customer base.
Regulatory Context
Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) applies. The lack of public acknowledgement may draw regulatory attention.
What Should You Do?
For Individuals
- If you have made reservations through MexiTravels, be alert to phishing emails or messages that reference your travel plans.
- Monitor financial accounts used for travel bookings for unauthorised transactions.
For Security Professionals
- If your organisation relies on third-party booking platforms, understand what personal data those platforms hold on your behalf and whether they have a documented incident response plan.
- The SQL dump format suggests potential web application vulnerabilities. Ensure your own platforms use parameterised queries and undergo regular vulnerability assessments.
Learnings and Recommendations
While verified details on this incident are limited, the nature of the leak raises familiar concerns about web application security, particularly for platforms that store customer reservation data including names, contact details, and potentially payment-related information.
Travel and hospitality platforms are attractive targets because they tend to hold a combination of personal, financial, and travel-related data. For smaller or regional platforms that may not have dedicated security teams, the basics matter most: ensuring databases are not directly exposed to the internet, keeping software and frameworks patched, enforcing parameterised queries to prevent SQL injection, and conducting regular vulnerability assessments.
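The parameterised-query recommendation above, shown as an added example that is not taken from the MexiTravels platform or from any reporting on this incident: a reservation lookup built by string concatenation next to the same lookup using placeholders. The table, column names, and sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
ROWS = [
    ("MX1001", "Garcia", "garcia@example.com"),
    ("MX1002", "O'Brien", "obrien@example.com"),
    ("MX1003", "Lopez", "lopez@example.com"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reservations "
                 "(ref TEXT PRIMARY KEY, surname TEXT, email TEXT)")
    conn.executemany("INSERT INTO reservations VALUES (?, ?, ?)", ROWS)
    return conn

def lookup_unsafe(conn, ref, surname):
    # Vulnerable: user input is concatenated into the SQL text, so a quote
    # in the input changes the structure of the statement.
    sql = ("SELECT ref, surname, email FROM reservations "
           f"WHERE ref = '{ref}' AND surname = '{surname}'")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, ref, surname):
    # Hardened: placeholders keep input as data; the statement text is fixed.
    sql = ("SELECT ref, surname, email FROM reservations "
           "WHERE ref = ? AND surname = ?")
    return conn.execute(sql, (ref, surname)).fetchall()

def demo():
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input that contains SQL syntax
    leaked = lookup_unsafe(conn, "MX1001", crafted)   # every row comes back
    blocked = lookup_safe(conn, "MX1001", crafted)    # no surname matches
    try:
        lookup_unsafe(conn, "MX1002", "O'Brien")      # legitimate customer
        legit_unsafe = "ok"
    except sqlite3.OperationalError:
        legit_unsafe = "error"                        # the quote breaks the SQL
    legit_safe = lookup_safe(conn, "MX1002", "O'Brien")
    return len(leaked), len(blocked), legit_unsafe, len(legit_safe)

if __name__ == "__main__":
    print(demo())
```

The concatenated version both exposes the whole table to crafted input and fails for a legitimate surname containan apostrophe; the placeholder version handles both correctly.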
If your organisation relies on third-party booking platforms, it is worth understanding what personal data those platforms hold on your behalf and whether they have a documented incident response plan.