ixigo, a major India-based travel and hotel booking platform, suffered a data breach on approximately January 1, 2019 when an attacker affiliated with the GnosticPlayers hacker group exfiltrated approximately 7.23 gigabytes of user data from ixigo's systems. The breach was part of a broader GnosticPlayers attack series that compromised approximately 620 million records across sixteen websites globally, with some sources reporting up to 127 million records across eight websites in the specific tranche containing ixigo. The stolen data was offered for sale on the Dream Market dark-web marketplace beginning February 2019. ixigo founder Aloke Bajpai initially denied the breach when first reported on February 13, 2019, but subsequently acknowledged the incident following further verification.

The breach affected approximately 17.2 million unique user records based on records indexed by Have I Been Pwned and DataBreach.com, with some sources reporting up to 18 million records. Compromised fields included email addresses, full names, salutations, gender, phone numbers, social media profile linkages including Facebook URLs, IP addresses, device information, authentication tokens, usernames, and passwords stored as MD5 hashes. For a small subset of users who used ixigo for international travel booking, the dataset also included passport names and passport identification numbers. The MD5 password storage represents a deprecated cryptographic algorithm vulnerable to rapid brute-force cracking, and ixigo subsequently confirmed the use of MD5 and migrated to stronger hashing.

For affected users, the practical risk profile is significant due to the combination of credential exposure, authentication token exposure, and the inclusion of passport data for the international-travel subset. The MD5 password exposure means original password values are recoverable for many users, supporting credential-stuffing attacks against email, financial, and other Indian platforms where users may have reused the same password. The authentication token exposure may have permitted session hijacking and account takeover attacks during the period before ixigo reset all user passwords and tokens. For users whose passport information was included, the risk extends to international identity-fraud scenarios because passport numbers can support travel-document fraud, border-control identity exploitation, and synthetic-identity construction for opening financial accounts in jurisdictions that accept passport-based identity verification. Affected users should change any reused passwords immediately, enable two-factor authentication on important accounts, monitor financial accounts for unusual activity, and remain alert to travel-themed phishing referencing real ixigo booking history. Users whose passport information was exposed should consider notifying their passport-issuing authority and remaining alert to identity-document fraud over an extended timeframe given that passport numbers do not expire frequently.

Travel-planning platforms collect user accounts, contact details, itineraries, search history, booking-linked data, and location or trip-planning behavior across travel services.

ixigo continues to operate as a major Indian travel platform. Following the January 2019 breach, ixigo founder Aloke Bajpai initially denied the breach claims on February 13, 2019, stating that the company was investigating and had not confirmed the incident. Following further verification by the security research community, ixigo subsequently acknowledged the breach and announced a substantial security response including resetting all user passwords, implementing two-factor authentication, encrypting all personally identifiable information in their databases, conducting regular external API and infrastructure audits by a third-party security firm, implementing perimeter controls, and isolating corporate infrastructure from production infrastructure. The breach was redistributed and indexed by DataBreach.com on March 17, 2025. ixigo has continued to expand its user base and platform capabilities since the 2019 incident without public disclosure of subsequent breaches.