ixigo 2019 Data Breach

ixigo Indian Travel & Booking Platform Breach (2019): 17 Million Customer Records Including Passport Numbers & Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

GnosticPlayersMisconfigurationTravelAuthentication TokenDevice InformationEmail AddressFull NameGenderPassport NumberPassword
High SeverityWebsite / service breach

ixigo Indian Travel & Booking Platform Breach (2019): 17 Million Customer Records Including Passport Numbers & Passwords Exposed

Indian travel and booking platform.

Verified by ObscureIQ Intelligence
65/100Breach Risk Index
30Data Value
25Market Recency
406dSince Breach

Breach Intelligence Summary

Entity: ixigo · Actor: GnosticPlayers · Sources: 8 references
Attack: Misconfiguration
Profile: Platform · Travel booking and planning · Online travel marketplace · India
Timeline: Breach (2019-01-03) · Indexed (Mar 17, 2025) · Year (2019)
Exposure: 17.2M records · 11 fields: Authentication Token, Device Information, Email Address, Full Name, Gender, Passport Number, Password, Phone Number, Salutation, Social Media Profile, Username
Status: Confirmed

Executive Summary

ixigo, a major India-based travel and hotel booking platform, suffered a data breach on approximately January 1, 2019 when an attacker affiliated with the GnosticPlayers hacker group exfiltrated approximately 7.23 gigabytes of user data from ixigo's systems. The breach was part of a broader GnosticPlayers attack series that compromised approximately 620 million records across sixteen websites globally, with some sources reporting up to 127 million records across eight websites in the specific tranche containing ixigo. The stolen data was offered for sale on the Dream Market dark-web marketplace beginning February 2019. ixigo founder Aloke Bajpai initially denied the breach when first reported on February 13, 2019, but subsequently acknowledged the incident following further verification. The breach affected approximately 17.2 million unique user records based on records indexed by Have I Been Pwned and DataBreach.com, with some sources reporting up to 18 million records. Compromised fields included email addresses, full names, salutations, gender, phone numbers, social media profile linkages including Facebook URLs, IP addresses, device information, authentication tokens, usernames, and passwords stored as MD5 hashes. For a small subset of users who used ixigo for international travel booking, the dataset also included passport names and passport identification numbers. The MD5 password storage represents a deprecated cryptographic algorithm vulnerable to rapid brute-force cracking, and ixigo subsequently confirmed the use of MD5 and migrated to stronger hashing. For affected users, the practical risk profile is significant due to the combination of credential exposure, authentication token exposure, and the inclusion of passport data for the international-travel subset. The MD5 password exposure means original password values are recoverable for many users, supporting credential-stuffing attacks against email, financial, and other Indian platforms where users may have reused the same password. The authentication token exposure may have permitted session hijacking and account takeover attacks during the period before ixigo reset all user passwords and tokens. For users whose passport information was included, the risk extends to international identity-fraud scenarios because passport numbers can support travel-document fraud, border-control identity exploitation, and synthetic-identity construction for opening financial accounts in jurisdictions that accept passport-based identity verification. Affected users should change any reused passwords immediately, enable two-factor authentication on important accounts, monitor financial accounts for unusual activity, and remain alert to travel-themed phishing referencing real ixigo booking history. Users whose passport information was exposed should consider notifying their passport-issuing authority and remaining alert to identity-document fraud over an extended timeframe given that passport numbers do not expire frequently.

ObscureIQ assessment: Exposure enables travel-themed phishing, fraud, and impersonation. Search and itinerary data can also reveal future travel intent and increase physical-security risk.

Breach Impact

The institutional impact on ixigo has been moderate given the platform's prompt and substantive security response after initial denial. ixigo incurred costs associated with the comprehensive security overhaul, password reset across the entire user base, third-party security auditing, and reputational management within the Indian travel-platform sector. Civil litigation has been limited based on publicly available information. The reputational impact concentrated within the Indian online travel agency sector where ixigo competes with MakeMyTrip, Goibibo, Cleartrip, and others. The case has been cited in Indian and international cybersecurity coverage as illustrating both the broad GnosticPlayers attack pattern and a relatively positive example of post-breach security response despite the initial denial. The 2019 breach predates India's Digital Personal Data Protection Act 2023, meaning the regulatory framework that would apply to a similar breach today is materially more stringent than the framework that applied at the time.

About ixigo

ixigo is a major India-based travel and hotel booking platform headquartered in Gurugram, Haryana, founded in 2006 by co-founders Aloke Bajpai and Rajnish Kumar. The platform operates as an online travel marketplace at ixigo.com and through mobile applications, allowing users to compare and book flights, hotels, trains, cabs, and destinations across more than 120 travel suppliers and online travel agencies. ixigo claimed approximately 100 million users as of October 2018, making it one of India's largest travel-booking platforms. As an account-based travel marketplace, ixigo maintained substantial user account data including identity, contact information, demographic profile data, social media linkages used for sign-in, device information, authentication tokens, and travel-document information including passport details for international booking workflows.

Why They Hold Your Data

Travel-planning platforms collect user accounts, contact details, itineraries, search history, booking-linked data, and location or trip-planning behavior across travel services.

Recent Developments

ixigo continues to operate as a major Indian travel platform. Following the January 2019 breach, ixigo founder Aloke Bajpai initially denied the breach claims on February 13, 2019, stating that the company was investigating and had not confirmed the incident. Following further verification by the security research community, ixigo subsequently acknowledged the breach and announced a substantial security response including resetting all user passwords, implementing two-factor authentication, encrypting all personally identifiable information in their databases, conducting regular external API and infrastructure audits by a third-party security firm, implementing perimeter controls, and isolating corporate infrastructure from production infrastructure. The breach was redistributed and indexed by DataBreach.com on March 17, 2025. ixigo has continued to expand its user base and platform capabilities since the 2019 incident without public disclosure of subsequent breaches.

Data Points Exposed

11 verified field types
Authentication Token Critical
Device Information
Email Address
Full Name High
Gender
Passport Number Critical
Password Critical
Phone Number
Salutation
Social Media Profile
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Social media account targeting and impersonation
Threat vectors:
  • Session hijacking & account takeover
  • Device fingerprinting & targeted exploitation
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Profile enrichment
  • International identity fraud & border exploitation
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Professional impersonation seeding
  • Account impersonation & social graph harvesting
  • Cross-platform tracking & credential stuffing

Threat Actor: GnosticPlayers

GnosticPlayers
Misconfiguration

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
IdentityTheft.gov
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the ixigo breach?

ixigo, a major India-based travel and hotel booking platform, suffered a data breach on approximately January 1, 2019 when an attacker affiliated with the GnosticPlayers hacker group exfiltrated approximately 7.23 gigabytes of user data from ixigo's systems. The breach was part of a broader…

What data was exposed?

Verified fields include Authentication Token, Device Information, Email Address, Full Name, Gender, Passport Number, Password, Phone Number, Salutation, Social Media Profile, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
Cross-source
Dehashed
Independent catalogue listing
Cross-source
Keeper
Independent catalogue listing
Cross-source
leakfind
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation