Booking.com Confirms Data Breach as Hackers Target Customers with Phishing Scams

Booking.com Confirms Data Breach as Hackers Target Customers with Phishing Scams

Booking.com has confirmed that unauthorised third parties accessed customers’ personal data, with evidence already emerging that the stolen information is being weaponised in targeted phishing attacks against travellers.

The global travel platform began notifying affected customers last week, sending emails disclosing that hackers may have accessed full names, email addresses, physical addresses, phone numbers, specific booking details and dates, and any personal notes or requests shared directly with accommodation providers. The company confirmed to both TechCrunch and The Guardian that financial information was not among the compromised data, though it has declined to disclose how many customers were affected or when the incident took place.

A Booking.com spokesperson told TechCrunch: “We noticed some suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information. Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.”

Stolen Data Already in Use

One Reddit user who posted a copy of the customer notification told TechCrunch they had received a phishing message via WhatsApp two weeks before Booking.com sent its breach notification. The message included specific booking details and personal information, the kind of granular data that could only have come from inside the platform. Several other Reddit users confirmed they received identical breach notifications from the company.

The timeline suggests hackers had operational use of the stolen data before Booking.com’s own communication reached customers, giving scammers a window to impersonate the platform or accommodation providers with credible, personalised messages.

The NL Times, which reviewed a copy of the customer email, confirmed that the notification does not state when the breach occurred or how many accounts were compromised — details the company has also refused to provide to the media.

A Recurring Vulnerability

This is not the first time Booking.com has been drawn into a security incident involving its hotel partners and customer data. In 2024, hackers installed consumer-grade spyware on computers belonging to several hotels. In one documented case, a victim was logged into their Booking.com administration portal when the stalkerware captured a screenshot of their screen, an incident that illustrated how the platform’s extensive partner network can itself become an attack surface.

The latest incident is similar in the sense that accessing Booking.com customer data does not necessarily require breaching Booking.com’s core infrastructure directly. Third-party access points, partner portals, and property management integrations all represent potential entry routes that a large, distributed travel platform cannot fully control.

What Customers Should Do Now

Anyone who has received a breach notification from Booking.com, or who has made a reservation through the platform recently and has not yet heard anything, should treat unsolicited messages claiming to be from Booking.com, their hotel, or any travel-related service with heightened scepticism, particularly over WhatsApp or SMS, where sender identity is harder to verify.

The exposure of booking-specific details, including dates and accommodation notes, means phishing attempts can be highly persuasive. A message that references your exact check-in date, hotel name, or a dietary request you made is not proof that it comes from a legitimate source.

Booking.com has said it updated PIN numbers for affected reservations, but customers waiting on clarity around the breach’s scale or timing are unlikely to get it soon.