Booking.com has confirmed that hackers accessed certain customer data, including names, email addresses, phone numbers, and booking details such as reservation information and messages shared with accommodations. The company notified affected users via email on Sunday, warning that unauthorized third parties may have obtained this information and urging vigilance against potential exploitation.
According to a company spokesperson cited by TechCrunch, Booking.com detected suspicious activity involving unauthorized access to some guests' booking information and immediately took steps to contain it, including updating PIN numbers for the affected reservations. The breach did not involve financial information, as confirmed to The Guardian, though physical addresses were also excluded from the compromised data per an updated statement. Multiple users reported receiving identical notifications, with one Reddit poster sharing the email's language directly: "We’re writing to inform you that unauthorized third parties may have been able to access certain booking information associated with your reservation."
This incident builds on a pattern of cyber threats targeting Booking.com's ecosystem. As reported by PCMag and Slashdot, the timing aligns with users receiving phishing attempts, including a WhatsApp message two weeks prior that contained legitimate booking details and personal information to lure victims into confirming banking data. Broader investigations by cybersecurity firms like Sekoia.io reveal ongoing phishing campaigns since 2022, where hackers first infect hotel computers with infostealing malware such as ClickFix or PureRAT, harvest credentials for platforms like Booking.com, and then impersonate hotels to scam customers.
Kaspersky details a similar multi-stage attack: cybercriminals hijack hotel admin accounts on Booking.com—often unprotected by two-factor authentication—review active reservations, and send fraudulent messages via the platform's internal system. These messages claim payment verification errors and direct users to fake Booking.com pages mimicking real bookings, complete with accurate guest names, hotel details, dates, and prices, to steal credit card information.
The implications extend beyond the breach itself, as stolen data fuels targeted fraud. Victims have reported drained credit cards before trips even begin, with scams costing thousands, according to consumer reports from outlets like WJAR. Experts such as scam researcher Steve Weisman emphasize that while Booking.com itself wasn't directly hacked in prior waves, compromised hotel accounts have affected hundreds of properties, tricking users into payments outside official channels.
Booking.com has not disclosed the number of impacted customers or further breach details, despite queries from journalists. Affected users should monitor accounts for phishing, verify reservations directly on the official site or app, and contact credit card issuers for disputes if scammed. As travel rebounds globally, this event underscores vulnerabilities in third-party booking platforms, potentially eroding trust and prompting stricter security measures across the industry.