When Your PMS Gets Hacked and Nobody Picks Up the Phone
TL;DR: A rental company (Sleep & Stay) was hacked through Avaibook/Guesty, and 1,000 guests received spam payment messages. Avaibook had no help line, responded 32 hours late, and forced the operator to restart chats with 24–48 hour waits. The operator regrets choosing the platform despite it being cheap.
A rental company managing a sizable portfolio recently reported that their property management platform was compromised. Over 1,000 upcoming guests received fraudulent messages through the system, asking them to pay again for reservations they’d already booked. The platform in question — Avaibook, which operates under Guesty — had no phone helpline. The first response came 32 hours after the breach was reported. Each support chat was closed after a single exchange, forcing the operator to restart from scratch and wait another 24–48 hours for follow-up.
The company’s one-star Trustpilot review ends with a line that should make every property manager pause: “It’s cheap yes, but I regret choosing them.”
This isn’t just a story about one bad experience. It’s a case study in why support infrastructure and security posture should rank alongside feature lists when you’re evaluating a PMS.
The Real Cost of a Security Breach in Short-Term Rentals
When a hacker gains access to your PMS and sends messages to guests, the damage radiates outward fast:
- Guest trust evaporates. Guests who receive a fraudulent payment request from what looks like your company may never book with you again — or worse, they pay the scammer.
- Platform standing takes a hit. Airbnb, Booking.com, and VRBO all monitor messaging quality. A flood of spam through official channels can trigger reviews, flags, or suspensions.
- Legal exposure is real. Depending on your jurisdiction, you may have GDPR, CCPA, or other data-protection obligations that kick in the moment guest PII is compromised. A 32-hour response time doesn’t help your compliance posture.
- Revenue bleeds while you wait. Every hour without resolution is an hour where incoming bookings may be diverted, guests may cancel, and your reputation deteriorates.
In a crisis like this, the difference between a 30-minute response and a 32-hour response isn’t just inconvenience — it’s potentially thousands of euros in lost bookings, chargebacks, and reputational damage.
The Support Problem Is Structural, Not Accidental
Avaibook was acquired by Guesty in 2021 to expand Guesty’s European footprint. Operators who chose Avaibook for its low price point and Spanish-market focus sometimes find themselves in a support limbo: the original Avaibook team handles day-to-day queries, but the integration with Guesty’s broader infrastructure can create gaps in accountability.
This pattern isn’t unique to Guesty/Avaibook. Across the PMS landscape, support quality tends to correlate with pricing tier and portfolio size. If you’re paying bottom-dollar rates, you’re likely getting chat-only support with long queues. If you’re managing 500+ units on an enterprise plan, you may get a dedicated account manager and a direct phone line.
The problem: security incidents don’t respect your pricing tier. A breach at a 50-unit operation is just as urgent as one at a 500-unit company. And if your PMS vendor doesn’t have a documented incident-response process — with a phone line, escalation path, and guaranteed response SLA — you’re betting that nothing will ever go wrong.
What to Look For in PMS Security and Support
Before signing with any platform, ask these questions explicitly and get the answers in writing:
- Is there a phone support line for critical incidents? Chat-only support is fine for “how do I set up a discount code” — it’s unacceptable for “our guests are being scammed right now.”
- What’s the guaranteed response time for security incidents? Not the average response time. The SLA. In writing.
- Do you have two-factor authentication (2FA)? If the platform doesn’t enforce or at least support 2FA for all team members, that’s a red flag in 2026.
- How are API keys and channel credentials stored? Vague answers like “we follow best practices” aren’t good enough. Ask about encryption at rest, key rotation policies, and access logging.
- What happens to active sessions if a breach is detected? Can the vendor force-invalidate all sessions and API tokens immediately?
- Is there an assigned account manager for your portfolio size? The operator in the Trustpilot review specifically cited the lack of an account manager as a reason they can’t recommend the platform.
How the Major Platforms Compare on Support and Security
Let’s be honest about the landscape. No PMS is immune to security incidents — what matters is how they’re structured to respond.
Guesty positions itself as enterprise-grade, citing 99.99% uptime and 24/7 support. For operators on Guesty’s core product (not Avaibook), support tends to be more responsive, particularly at higher tiers. But the Avaibook sub-brand operates with a different support model, and the gap is real. If you’re evaluating Guesty, clarify which support tier and team you’ll actually be working with.
Hostaway offers quote-based pricing and doesn’t publicly disclose support SLAs, which means you need to negotiate these terms during the sales process. Operators report mixed experiences — some get responsive account managers, others get routed through slower channels. The platform does consolidate messaging across Airbnb, VRBO, Booking.com, email, SMS, and WhatsApp into a unified inbox, which at least gives you one place to monitor for anomalies.
Hospitable is popular with smaller operators for its automated messaging and task management. Support quality is generally well-regarded for the mid-market, though whether they have a dedicated security-incident response process isn’t prominently documented.
Lodgify emphasizes personalized onboarding and proactive support, which is a good sign for day-to-day operations. For security-specific incidents, operators should verify the escalation path before committing.
Vanio AI takes a different architectural approach: because it’s built as a single system with AI at the core — rather than a legacy PMS with acquired sub-brands — there’s one support infrastructure for all users, not a patchwork of teams from different acquisitions. The platform includes an Operations Watchdog that runs automated daily monitoring across messaging, access codes, smart locks, cleaning, payments, and guest verification, flagging anomalies before they become crises. That said, no platform is hack-proof, and operators should still verify Vanio AI’s specific incident-response SLAs during evaluation.
Lessons From the Breach
The operator’s regret isn’t really about the hack itself. Breaches can happen to anyone. The regret is about choosing a platform where, when the worst happened, there was no one to call and no way to get a fast resolution.
A few takeaways for operators evaluating or re-evaluating their PMS stack in 2026:
- Cheap is expensive when it breaks. A platform that saves you $50/month but costs you 1,000 guest relationships and weeks of reputation repair isn’t cheap at all.
- Support infrastructure is a feature. Treat it with the same weight as channel integrations or pricing tools. Ask for the support SLA document before you sign.
- Acquisitions create support fragmentation. When a platform acquires a smaller tool, the support teams don’t always merge cleanly. Ask which team actually handles your tickets.
- Have a breach playbook regardless of your PMS. Know who to call, what to tell guests, how to notify your channels, and how to document the incident for regulatory purposes. Don’t wait for it to happen.
If you’re currently re-evaluating your PMS — whether because of a security scare, support frustration, or just growing pains — the comparison hub at /compare/ breaks down how the major platforms stack up across features, pricing, and architecture. Start there, and ask the hard questions before you sign.