If you believe a staff member accidentally entered their Cloudbeds credentials on a fake login page, or if you suspect your account has been accessed without your permission, act immediately. Speed matters.
How this usually happens
The most common attack targeting Cloudbeds users looks like this:
- 🛑 A staff member searches "Cloudbeds login" in Google.
- A malicious sponsored ad appears at the top of the results. It looks identical to the real Cloudbeds login page.
- The staff member enters their username, password, and even their active MFA code.
- The attacker captures these credentials in real time and logs in using them within seconds.
This is why we always recommend bookmarking the official login page and never using a search engine to navigate to it.
Step 1: Change the password immediately
Log in to Cloudbeds using the official link (https://signin.cloudbeds.com) and go to Account -> My Profile -> Change Password. This prevents the attacker from using the stolen credentials to start any new sessions.
‼️ Then contact Cloudbeds Support right away. Our team can terminate all active sessions on your account immediately - this is the fastest way to remove anyone currently logged in under your credentials.
If you cannot log in because the attacker has already changed your password: go to the login page and click "Forgot password?" to trigger a reset via your registered email, then contact support.
Step 2: Audit your user list and activity logs
Go to Account -> Settings -> Users and look for anything unexpected.
What to check:
- Any user accounts added recently that you do not recognize
- Any users with elevated permissions (Owner or Manager roles) that should not have them
- Any users with access to data exports (Reservation List, Guest Data exports)
⚠️ If you find an unauthorized user: use the three-dot menu next to their name and select Remove this user from Property immediately.
Also review your Activity Logs for suspicious actions that may have occurred during the compromised session. Look for:
- Reservation list or guest data exports
- Property profile or settings modifications
- Guest messages sent via GX (Whistle)
- New API keys created
As a precaution, temporarily remove data export permissions from any unverified staff accounts while you investigate.
Step 3: Report the suspicious link to Cloudbeds
Forward the suspicious URL or phishing email to support with the subject line: Phishing
Include:
- The URL of the fake page (copy from your browser's address bar - do not click it again)
- The date and approximate time the incident occurred
- The email address of the affected staff member
Why this matters: our security team can initiate domain takedown procedures against fake sites, protecting other Cloudbeds customers who might encounter the same link.
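When staff report a link, a strict comparison against the official login host shows why a page that "looks identical" is still not the real one. The following is an added example, not Cloudbeds code; the function name and the sample URLs (reserved example domains) are constructed for illustration, and only the host signin.cloudbeds.com comes from this article.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "signin.cloudbeds.com"  # official login host as given in this article


def check_login_url(url):
    """Return (is_official, reason) for a URL copied from the address bar."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
        port = parts.port                           # raises ValueError if malformed
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "non-ASCII or punycode host"
    if host == OFFICIAL_HOST:
        return True, "official login host"
    if "cloudbeds" in host:
        return False, "contains 'cloudbeds' but is not the login host"
    return False, "different host"


# Constructed sample reports, not real incidents.
SAMPLES = [
    "https://signin.cloudbeds.com/",
    "http://signin.cloudbeds.com/",
    "https://signin.cloudbeds.com@login.example.net/",
    "https://signin.cloudbeds.com.example.net/auth",
    "https://signin-cloudbeds.example/login",
    "https://signin.xn--cloudbds-9ya.example/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, why = check_login_url(u)
        print(f"{'OK   ' if ok else 'CHECK'}  {why:48}  {u}")
```

A "CHECK" result only means the URL is not the official login host; it still needs to be forwarded to support as described above.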
Preventing this in the future
- Switch to Passkeys - the only truly phishing-proof login method. Even if a staff member lands on a fake Cloudbeds login page, a passkey will not work there. Passkeys are cryptographically bound to the official Cloudbeds domain, so there is nothing to steal. This protection works automatically, regardless of whether your staff recognize a fake page or not.
- Bookmarking the official login page is also strongly recommended as a second layer of protection - especially for staff who have not yet switched to Passkeys.
🔖 Official login: https://signin.cloudbeds.com
Print this and tape it next to every front desk terminal. Never search "Cloudbeds" in Google to find the login page.
For more on securing your property's login setup, see: Admin Guide - SMS & Email MFA and Choose the Best Login & MFA Method for You.