Ransomware gang claims breach of Hyatt Hotel Network, alleges theft of internal logins and financial data

A ransomware gang, operating under the name NightSpire, has claimed it breached Hyatt’s global hotel operations and exfiltrated sensitive internal data, including employee login credentials and financial information, from one of the company’s U.S. properties.

The group published a post on the dark web on Jan. 19 asserting that it had stolen 48.5 gigabytes of data from the Hyatt Place Chelsea New York hotel. The attackers claim the data can be obtained for free, a move often associated with failed ransom negotiations and an attempt to maximize reputational damage to the victim.

In the post, NightSpire included data samples and a message offering contact details for downloading the full dataset. Such disclosures are commonly used by ransomware groups to pressure organizations into paying ransoms by demonstrating access to sensitive information and threatening wider exposure.

Security researchers who reviewed the shared samples found what appear to be internal company documents. The materials include screenshots suggesting the possible exposure of employee credentials used to access internal content management systems. If accurate, compromised logins could significantly increase the risk of further intrusion by allowing unauthorized access to internal tools and communications.

The reviewed data also appears to include exposed contact details and email signatures. While such information may seem low risk in isolation, it can be leveraged to conduct targeted social engineering, phishing, and fraud campaigns. In more severe scenarios, valid credentials could enable attackers to establish persistent access within corporate networks and move laterally across systems over an extended period.

Hyatt has been contacted to verify the claims, but no confirmation or response regarding the alleged breach or its scope had been issued at the time of publication.

If substantiated, the incident would not mark the first time data connected to Hyatt personnel has surfaced publicly. Earlier this year, security researchers identified a separate exposure involving a U.S.-focused hiring and onboarding platform that inadvertently made millions of candidate resumes publicly accessible, including data tied to Hyatt Grand properties.

Hyatt Hotels Corporation is a Chicago-based hospitality company that reported approximately $6.9 billion in revenue in 2025. The company operates more than 1,450 hotels and all-inclusive resorts across 80 countries spanning North America, South America, Europe, Asia, Africa, and Australia. Its portfolio includes more than 30 brands across luxury, lifestyle, and mainstream segments, such as Park Hyatt, Grand Hyatt, Hyatt Regency, Andaz, Secrets, and Dreams.

NightSpire is a relatively new entrant in the ransomware ecosystem. The group was first observed in March 2025 and has since listed more than 100 victims on its leak site. Threat intelligence assessments describe NightSpire as a financially motivated operation targeting organizations across multiple industries and regions, with the United States accounting for the largest share of alleged victims.

The gang is known to employ a double-extortion strategy, encrypting victim data while also threatening public release if ransom demands are not met. In March 2025, the group publicly sought ransomware affiliates on underground forums, though it remains unclear whether NightSpire operates a full ransomware-as-a-service model or conducts attacks internally.