Suspected Phishing or Compromised Account: Emergency Plan

If you suspect a Cloudbeds account has been compromised, or if a staff member entered their Cloudbeds username, password, or MFA code on a fake login page, take immediate action. Phishing attacks can give unauthorized users access to your property’s Cloudbeds PMS account within seconds.

This guide explains what to do after a suspected phishing attempt or compromised Cloudbeds login, including how to change the affected user’s password, contact Cloudbeds Support to terminate active sessions, audit user access and activity logs, report the suspicious link, and prevent future phishing attacks with passkeys and safe login practices.

How this usually happens

The most common attack targeting Cloudbeds users looks like this:

1. 🛑A staff member searches "Cloudbeds login" in Google.
2. A malicious sponsored ad appears at the top of the results. It looks identical to the real Cloudbeds login page.
3. The staff member enters their username, password, and even their active MFA code.
4. The attacker captures these credentials in real time and logs into the real Cloudbeds platform within seconds - before the MFA code expires.

Step 1: Change the password immediately

Log in to Cloudbeds using the official link (https://signin.cloudbeds.com) and go to Account-> My Profile-> Change Password. This prevents the attacker from using the stolen credentials to start any new sessions.

‼️Then contact Cloudbeds Support right away. Our team can terminate all active sessions on your account immediately - this is the fastest way to remove anyone currently logged in under your credentials.

If you cannot log in because the attacker has already changed your password: go to the login page and click "Forgot password?" to trigger a reset via your registered email, then contact support.

Step 2: Audit your user list and activity logs

Go to Account-> Settings-> Users and look for anything unexpected.

What to check:

• Any user accounts added recently that you do not recognize
• Any users with elevated permissions (Owner or Manager roles) that should not have them
• Any users with access to data exports (Reservation List, Guest Data exports)

⚠️If you find an unauthorized user: use the three-dot menu next to their name and select to Remove this user from Property immediately. 

Also review your Activity Logs for suspicious actions that may have occurred during the compromised session. Look for:

• Reservation list or guest data exports
• Property profile or settings modifications
• Guest messages sent via GX (Whistle)
• New API keys created

As a precaution, temporarily remove data export permissions from any unverified staff accounts while you investigate.

Step 3: Notify guests who may have been contacted during the compromise

If your Activity Logs show that guest messages were sent via GX during the period you believe the account was compromised, those guests should be notified.

What to do:

1. Identify the guests who received messages during the compromise window by reviewing your GX message history.
2. Contact those guests directly using your official property email or phone - not through GX until you are certain the account is fully secured.
3. Let them know that your property's account was briefly accessed without authorization, that no payment data was exposed, and that any messages they received during that window did not come from your team.
4. If any guests were asked to click a link or provide personal information via those messages, advise them not to act on those requests and to contact your property directly.

Being proactive with guests reduces the risk of further fraud and protects your property's reputation.

Step 4: Report the suspicious link to Cloudbeds

Forward the suspicious URL or phishing email to support with the subject line: Phishing

Include:

• The URL of the fake page (copy from your browser's address bar - do not click it again)
• The date and approximate time the incident occurred
• The email address of the affected staff member

Why this matters: our security team can initiate domain takedown procedures against fake sites, protecting other Cloudbeds customers who might encounter the same link.

Preventing this in the future

Switch to Passkeys - the only truly phishing-proof login method.
Standard MFA codes - including authenticator app codes and SMS - can be captured and replayed by an attacker in real time, as described above. Passkeys and Hardware Security Keys (such as YubiKeys) work differently: they are cryptographically bound to the official Cloudbeds domain and will simply not work on a fake login page. Even if a staff member enters their email on a fraudulent site, there is nothing the attacker can capture or replay.

• Passkeys use your device's built-in biometrics (fingerprint or face scan) and require no additional hardware. How to set up a Passkey
• Hardware Security Keys (YubiKeys) are small USB devices that plug into any computer. They are ideal for shared front desk terminals where a personal phone is not practical. [How to set up a Security Key →]

Bookmarking the official login page is also strongly recommended as a second layer of protection - especially for staff who have not yet switched to Passkeys.

🔖 Official login: https://signin.cloudbeds.com Print this and tape it next to every front desk terminal. Never search "Cloudbeds" in Google to find the login page.