Hurb
  • Total Records20,724,395
  • Unique Emails20,829,570
  • Unique Email Providers367,217
  • Unique IP Addresses8,222,568
  • Unique First Names4,770,006
  • Unique Addresses552,336

Hurb Data Breach: March 2019 Exposure Impacts Over 20 Million Travelers

In March 2019, Hurb—formerly known as Hotel Urbano and one of Brazil's largest travel platforms—suffered a data breach compromising over 20 million customer records. The platform, popular for booking hotels, trips, and travel packages, saw an unauthorized party gain access to a massive store of customer information. A wide array of sensitive personal details was exposed, including names, email addresses, dates of birth, phone numbers, full street and mailing addresses, IP addresses, and passwords stored as unsalted MD5 hashes. The breach marked one of the largest data incidents among Latin American travel and hospitality companies and put a spotlight on the importance of robust data protection measures.

What Happened in the Hurb Data Breach?

The breach was discovered in March 2019, when unauthorized actors gained access to Hurb’s customer database. Investigations revealed that attackers retrieved data containing more than 20 million distinct records, with sensitive fields related to customer identity and contact details. This data breach was not publicized immediately, but once reported, it became clear that vast volumes of personal information were at risk.

Scope and Impact: How Many Were Affected?

The Hurb breach impacted exactly 20,724,396 users, making it a major cybersecurity incident. The affected individuals included both past and current customers who made use of the platform’s booking and travel services. Given Hurb’s standing in the Brazilian market, the exposed data represents a significant portion of the country’s travel consumers.

What Data Was Compromised?

Attackers obtained a range of private information for each user. The list of compromised fields includes:

  • First and last names
  • Email addresses
  • Phone numbers and area codes
  • Full street addresses (including street name, number, complement, city, ZIP code)
  • Dates of birth
  • IP addresses
  • Passwords stored as unsalted MD5 hashes
  • Some cases included a social field

The inclusion of both identity details and hashed passwords allowed for potential misuse if the data was further manipulated.

Timeline of Events

The breach was reported to have occurred on or around March 1, 2019. Initial unauthorized access, data extraction, and subsequent internal investigation unfolded within that month. Details started to emerge publicly later as investigators and security researchers confirmed the scope and type of data involved. Since then, the incident has been referenced as a key case in data protection for Latin American tech companies and travel industry platforms.

Frequently Asked Questions About the Hurb Data Breach

What happened in the Hurb data breach?

In March 2019, Hurb's customer database was accessed by unauthorized parties, who extracted sensitive information of over 20 million users including names, emails, addresses, phone numbers, dates of birth, IP addresses, and password hashes.

How many users were affected by the Hurb data breach?

The breach affected 20,724,396 users, exposing their personal information and travel-related data.

What personal information was leaked in the Hurb breach?

The leaked data comprised first and last names, email addresses, full addresses, phone numbers, dates of birth, IP addresses, and passwords represented as unsalted MD5 hashes. In some cases, a social field was also included.

Did the Hurb breach include financial information?

No credit card or direct payment details were reported as part of the breach, but a wide range of personal and login information was exposed.

How can I check if I'm in the Hurb breach?

You can check if your information was part of the Hurb data breach by utilizing the DeHashed search engine.