Data Leak · Travel / Hospitality · Mexico

MexiTravels (reservations.mexitravels.com)

Analysis of the MexiTravels data leak exposing approximately 1.98 million travel reservation records. SQL database dump published on dark web forums.

Published by the Scrutex.ai Research Team | March 2026

Disclaimer

This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.

At a Glance

Organisation: MexiTravels (reservations.mexitravels.com). Mexican travel reservations platform providing accommodation and travel booking services.

Sector: Travel / Hospitality

Region: Mexico

Date of Incident: Prior to March 3, 2026 (exact date unknown)

Date Disclosed: March 3, 2026

Estimated Impact: Approximately 1.98 million records

Data Types Exposed: Personal information associated with travel reservations (exact fields not confirmed by operator)

Attack Type: Data Leak

Attack Vector: SQL database dump (suspected web application vulnerability)

Threat Actor: Not publicly attributed

Current Status: No public statement issued by MexiTravels. Data published in SQL format on cybercrime forums.

Severity Assessment: Moderate. Approximately 1.98 million travel reservation records leaked in SQL format. Limited verified details due to lack of operator response.

What Happened

On or around March 3, 2026, a threat actor reportedly published a dataset linked to the Mexican travel reservations platform reservations.mexitravels.com. According to breach monitoring services including HackNotice and Bitsight, over 1.98 million records were leaked in SQL format.

The data is said to contain personal information associated with travel reservations. The exact fields have not been confirmed by the platform operator, and at the time of writing, MexiTravels does not appear to have issued a public statement regarding the incident.

Details about the attack vector, the identity of the threat actor, and the timeline of the intrusion remain limited. The leak was flagged through automated breach monitoring services that track data appearing on dark web forums and cybercrime communities.

Timeline

March 3, 2026: Dataset published on cybercrime forum in SQL format

March 2026: Breach monitoring services flag the leak

Impact and Risk Assessment

For Affected Individuals

Approximately 1.98 million individuals with travel reservations may have had personal and travel data exposed.

Travel reservation data can reveal travel patterns, dates, and destinations, enabling targeted social engineering.

For Organisations

Hotels and travel partners of MexiTravels may face reputational impact and increased phishing targeting their shared customer base.

Regulatory Context

Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) applies. The lack of public acknowledgement may draw regulatory attention.

What Should You Do?

If You Are a Potentially Affected Individual

If you have made reservations through MexiTravels, be alert to phishing emails or messages that reference your travel plans.

Monitor financial accounts used for travel bookings for unauthorised transactions.

If You Are a Security or Risk Professional

If your organisation relies on third-party booking platforms, understand what personal data those platforms hold on your behalf and whether they have a documented incident response plan.

The SQL dump format suggests potential web application vulnerabilities. Ensure your own platforms use parameterised queries and regular vulnerability assessments.

Learnings and Recommendations

While verified details on this incident are limited, the nature of the leak raises familiar concerns about web application security, particularly for platforms that store customer reservation data including names, contact details, and potentially payment-related information.

Travel and hospitality platforms are attractive targets because they tend to hold a combination of personal, financial, and travel-related data. For smaller or regional platforms that may not have dedicated security teams, the basics matter most: ensuring databases are not directly exposed to the internet, keeping software and frameworks patched, enforcing parameterised queries to prevent SQL injection, and conducting regular vulnerability assessments.
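One way to enforce the parameterised-query recommendation during code review is to flag database calls whose SQL text is assembled from strings. The following is an added example, not code from this advisory or from any affected platform, and it makes no claim about how this leak occurred; the sample module and its function names are hypothetical and constructed for illustration.

```python
import ast

# Constructed sample: a hypothetical reservation lookup module (not code from any real platform).
SAMPLE_SOURCE = '''
def by_email_unsafe(cur, email):
    cur.execute("SELECT * FROM reservations WHERE email = '" + email + "'")

def by_code_unsafe(cur, code):
    cur.execute(f"SELECT * FROM reservations WHERE code = '{code}'")

def by_name_unsafe(cur, name):
    cur.execute("SELECT * FROM reservations WHERE name = '{}'".format(name))

def by_email_safe(cur, email):
    cur.execute("SELECT * FROM reservations WHERE email = ?", (email,))
'''

EXECUTE_METHODS = {"execute", "executemany"}

def is_string_built(node):
    """True if the SQL argument is assembled from pieces rather than a plain literal."""
    if isinstance(node, ast.JoinedStr):  # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):      # "..." + x  or  "..." % x
        return isinstance(node.op, (ast.Add, ast.Mod))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...".format(x)
    return False

def find_string_built_queries(source):
    """Return sorted (line, function_name) pairs for execute() calls fed string-built SQL."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in ast.walk(func):
            if (isinstance(call, ast.Call)
                    and isinstance(call.func, ast.Attribute)
                    and call.func.attr in EXECUTE_METHODS
                    and call.args
                    and is_string_built(call.args[0])):
                findings.append((call.lineno, func.name))
    return sorted(findings)

if __name__ == "__main__":
    for line, name in find_string_built_queries(SAMPLE_SOURCE):
        print(f"line {line}: {name}() passes string-built SQL to execute()")
```

The check is deliberately conservative: it flags any concatenation or formatting in the SQL argument, so each finding still needs a reviewer to confirm whether untrusted input reaches the query.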

If your organisation relies on third-party booking platforms, it is worth understanding what personal data those platforms hold on your behalf and whether they have a documented incident response plan.

Sources
