Hospitality chain Oyo’s customer data is vulnerable to a breach due to a flaw in its security systems, a cybersecurity researcher revealed on professional networking site LinkedIn. The data include booking IDs, phone numbers, the number of people staying in a room, the date of booking and location.

“I used Oyo for the first time in my life, and once I checked in, it was compulsory to enter booking ID and phone number to access the WiFi,” Jay Sharma, who reported the vulnerability to the budget rooms provider in August, wrote on LinkedIn. “Why should anybody in the room be forced to share personal information via OTP (one-time password) verification to use WiFi?”

“I researched more and found that the http & ssh ports were open, with no rate limit for the IP which was hosting this. Captcha was a 5-digit number generated by math.random(),” he wrote. “I created a way to brute force the login credentials while executing the captcha. Once login was brute-forced, all the historical data dating back to a few months was accessible.”
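The two weaknesses named in the report, a guessable captcha and no limit on login attempts, are addressed in the added example below, which is not Oyo's code or the researcher's. The `LoginGuard` class, its limits, and the `checkCredentials` callback are hypothetical names chosen for illustration.

```javascript
const crypto = require("node:crypto");

// Hypothetical limits for illustration; tune per deployment.
const MAX_FAILURES = 5;               // failures allowed per key per window
const WINDOW_MS = 15 * 60 * 1000;     // sliding window for counting failures
const CAPTCHA_TTL_MS = 2 * 60 * 1000; // a challenge expires after two minutes

class LoginGuard {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so the logic can be tested
    this.failures = new Map(); // "ip:<addr>" / "booking:<id>" -> failure timestamps
    this.captchas = new Map(); // sessionId -> { code, expires }
  }

  // Weak form described in the report: a 5-digit value from Math.random(),
  // which is not a cryptographic generator. Here the code comes from the
  // CSPRNG, is bound to one session, expires, and is consumed on first use.
  issueCaptcha(sessionId) {
    const code = String(crypto.randomInt(0, 1000000)).padStart(6, "0");
    this.captchas.set(sessionId, { code, expires: this.now() + CAPTCHA_TTL_MS });
    return code;
  }

  recentFailures(key) {
    const cutoff = this.now() - WINDOW_MS;
    const kept = (this.failures.get(key) || []).filter((t) => t > cutoff);
    this.failures.set(key, kept);
    return kept.length;
  }

  // checkCredentials(bookingId, phone) is the caller's own lookup (assumed).
  attempt({ ip, bookingId, phone, sessionId, captcha }, checkCredentials) {
    const keys = [`ip:${ip}`, `booking:${bookingId}`];
    // Refuse before doing any work once either key has hit the limit.
    if (keys.some((k) => this.recentFailures(k) >= MAX_FAILURES)) return "locked";

    const issued = this.captchas.get(sessionId);
    this.captchas.delete(sessionId); // single use, whatever the outcome
    const captchaOk = issued !== undefined &&
      issued.expires > this.now() && issued.code === String(captcha);

    if (captchaOk && checkCredentials(bookingId, phone)) return "ok";
    // Count the failure against both the client address and the targeted booking.
    for (const k of keys) this.failures.get(k).push(this.now());
    return "denied";
  }
}
```

Counting failures per targeted booking as well as per client address means that spreading guesses across many source addresses still trips the lockout for that booking.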