Full Report
In June 2025, 107k unique customer email addresses were allegedly obtained from TheSqua.re, the "easiest way to find your next serviced apartment". The data also included names, phone numbers and cities, and was subsequently posted to a popular hacking forum. TheSqua.re did not respond to repeated attempts to disclose the incident; however, multiple impacted HIBP subscribers confirmed the legitimacy and accuracy of the data.
Analysis Summary
# Incident Report: TheSqua.re Customer Data Breach (June 2025)
## Executive Summary
In June 2025, an undisclosed data breach at TheSqua.re resulted in the compromise of 107,000 customer records, including emails, names, phone numbers, and cities. The data was later posted on a hacking forum. The company itself did not report the breach; the data's legitimacy was confirmed externally by affected Have I Been Pwned (HIBP) subscribers.
## Incident Details
- Discovery Date: August 27, 2025 (when the data was added to HIBP)
- Incident Date: June 2025
- Affected Organization: TheSqua.re
- Sector: Travel/Accommodation Booking
- Geography: Not specified, implied global customer base based on HIBP listing
## Timeline of Events
### Initial Access
- Date/Time: June 2025 (Approximate)
- Vector: Not specified in the source material.
- Details: Data was allegedly obtained from TheSqua.re systems.
### Lateral Movement
- Details: Not specified.
### Data Exfiltration/Impact
- Details: 107k unique customer email addresses, names, phone numbers, and cities were exfiltrated and subsequently posted on a hacking forum by Threat Actor 888.
### Detection & Response
- Details: The incident was not proactively disclosed by TheSqua.re. Discovery occurred when HIBP subscribers confirmed the data's legitimacy after the data appeared publicly. No organizational response actions were documented regarding containment or eradication.
## Attack Methodology
The source material does not detail the specific technical steps (Initial Access, Privilege Escalation, etc.) taken by the threat actor, only the outcome (data exfiltration).
- Initial Access: Unknown
- Persistence: Unknown
- Privilege Escalation: Unknown
- Defense Evasion: Unknown
- Credential Access: Unknown
- Discovery: Unknown
- Lateral Movement: Unknown
- Collection: Customer PII (Names, emails, phone numbers, locations)
- Exfiltration: Data posted to a popular hacking forum.
- Impact: Data exposure.
## Impact Assessment
- Financial: Unknown
- Data Breach: 107,000 customer records containing Personally Identifiable Information (PII): Email addresses, names, phone numbers, and geographic locations (cities).
- Operational: No documented operational impact mentioned.
- Reputational: Negative publicity resulting from non-disclosure and data leak confirmation via HIBP.
## Indicators of Compromise
- Network indicators: None provided (URLs/IPs are promotional).
- File indicators: None provided.
- Behavioral indicators: Appearance of customer PII on a hacking forum attributed to Threat Actor 888.
## Response Actions
The source material does not detail official response actions taken by TheSqua.re. Public recommendations focused on user mitigation:
- User Mandate: Change TheSqua.re password if not changed since 2025.
- User Mandate: Enable Two-Factor Authentication (if available).
## Lessons Learned
- Lack of transparency and delayed reporting of security incidents can severely damage trust, with breaches often being confirmed externally (e.g., via HIBP).
- The importance of continuous security monitoring to detect unauthorized data staging or exfiltration.
## Recommendations
- Implement robust vulnerability management to reduce exposure to initial access; the vector Threat Actor 888 used in this incident is unknown.
- Establish clear security incident disclosure protocols to promptly notify affected customers and regulators if a breach occurs.
- Mandate multi-factor authentication across all internal systems to limit the impact of leaked credentials.