The popular Love Hotel search engine Happy Hotel suffered a data breach
HappyHotel.jp, a website that is used to book sex hotels in Japan, has suffered a security breach, which resulted in the disclosure of its customers' personal data. In the announcement published today, Almex, the company that operates the search engine, claimed that the incident occurred on December 22, when unauthorized access by a third party was detected.
Sex hotels, otherwise known as love hotels, are designed for couples that want some intimate time together and can be encountered all around the world, although they are more popular in Asian countries, and especially Japan. Happy Hotel is one of many engines used by Japanese people for rather private matters, so unexpected exposure of sensitive information might result in targeted phishing attacks, money extortion attempts, and other types of fraud from malicious actors.
At the time of writing, the Happy Hotel service is completely taken down, although those who completed their reservations before it went down will still be able to book into the hotel. Almex apologized for the incident:
We sincerely apologize for the inconvenience and anxiety that this may have caused our customers and other concerned parties. The service has been suspended because we are currently investigating the cause and taking measures.
Personal information breached
According to the public announcement, the incident was a direct result of “unauthorized access by a third party” in late December last year. Malicious actors managed to access a variety of sensitive customer information, including:
- Email address
- Login username and password
- Date of birth
- Prefecture city/city/town/village
While not fully confirmed, Almex claims that some other sensitive information, such as credit card details, home addresses, customers' first and last names, as well as various other reservation information, was not breached.
Happy Hotel is not the only hotel booking service that is operated by Almex. The company also runs another site called Loveinn Japan, which was also taken down for alleged maintenance, although notification about the data breach was provided. As of now, it is unclear whether Loveinn Japan was also affected by the data breach.
HappyHotel.jp was taken down soon after the breach was spotted before Christmas and has not come back online since. Almex said that it would announce when the service is going to be up and running again, and also provided a contact email, email@example.com, for inquiries.
Changing passwords might save customers from another account compromise
Almex said that the Happy Hotel login password could have been leaked, so those who reuse the same passwords across multiple services should immediately change them. However, changing the passwords might not suffice, and there is nothing that victims can do about it.
ZDNet, along with an unnamed Japanese security researcher, performed an online investigation and did not manage to find the leaked information being sold on underground forums. However, the incident is very fresh, and it is possible that the data might be included in bigger batches or sold separately to interested parties.
Considering that the leaked data exposes people who are likely to have an extramarital affair, the ramifications of the incident might be enormous. There might be several high-profile company owners or politicians among them, and the data could easily be used to manipulate, extort money, or even shut down companies. Combining this with strict Japanese social norms, as well as one of the highest suicide rates in the world, the Happy Hotel breach can result in a disaster, just as the Ashley Madison breach did for years.