Customers of the travel giant are facing renewed concerns over security after a recent booking breach exposed sensitive reservation information.
Booking.com confirms unauthorized access to customer data
Booking.com has confirmed that hackers may have accessed customers’ personal data, including names, email addresses, physical addresses, phone numbers, and booking details. The company notified affected users over the past week, according to several online posts shared on forums and social platforms.
The notification sent to customers stated: “We are writing to inform you that unauthorized third parties may have been able to access certain booking information associated with your reservation.” Moreover, the message listed the categories of data that may have been exposed, such as contact details, stay information and “anything that you may have shared with the accommodation.”
Several Reddit users reported receiving the same alert and posted screenshots of the message. However, Booking.com has not yet publicly disclosed how many customers were impacted or which regions and partners were involved in the incident.
Phishing attacks suggest active misuse of stolen information
The Reddit user who first shared the notification told TechCrunch that they received a phishing message on WhatsApp about two weeks before the email notice arrived. The phishing attempt allegedly included “booking details and personal information,” suggesting that criminals are already exploiting the exposed data to impersonate the company.
The timing of the phishing messages and the alerts from Booking.com indicates a coordinated attempt to leverage the stolen information. Customers who recently stayed at hotels or apartments using the platform appear to be targets for social engineering aimed at extracting payment details or further personal data.
In a statement to TechCrunch, Courtney Camp, a spokesperson for Booking.com, confirmed that the company had observed irregular activity tied to guest records. “We noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information. Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests,” Camp said.
Company response and limits of the compromise
Camp declined to answer TechCrunch’s specific questions about the total number of affected customers and the geographical spread of the incident. However, Booking.com emphasized that payment data was not exposed in this case, and that only certain reservation details and contact information were at risk.
The company told The Guardian that its investigation shows “financial information was not accessed” during the security incident. Moreover, the platform stressed that it had reset related credentials and PINs to block any further misuse of the compromised reservation data.
While the exact scale of this booking breach remains undisclosed, the nature of the accessed data could still enable realistic phishing and fraud attempts. Names, stay dates, property details and communication history can help attackers craft convincing messages that trick guests into sharing card information or clicking malicious links.
Previous security concerns around hotel and travel systems
This latest case comes against a broader backdrop of cybersecurity issues in the travel and hospitality sector. In 2024, TechCrunch reported that hackers had infected several hotels’ computers with consumer-grade spyware, also known as stalkerware. These tools, often marketed for domestic surveillance, can secretly capture screenshots, keystrokes and other activity from an infected device.
In one documented case, a victim was logged into their Booking.com administration portal when the pcTattletale stalkerware took a screenshot of their screen. That incident illustrated how compromised hotel systems can expose not only internal operations, but also guest reservation data linked to major online booking platforms.
Moreover, these earlier reports highlighted how attackers may chain multiple weaknesses together. Infected hotel PCs, insecure Wi-Fi networks and reused passwords across portals can all contribute to broader leaks of reservation information and contact details.
Scale of the platform and potential exposure
According to Booking.com’s own website, 6.8 billion customers have booked hotel rooms and homes through the service since 2010. While there is no indication that all historical records were exposed in this incident, the platform’s massive scale means that even a limited breach could affect a significant number of travelers and partners.
However, the company has so far disclosed only high-level information, focusing on the fact that payment data was not compromised. Without more specific figures or a precise timeline, customers and accommodations are left to infer the risk based on recent stays and any suspicious messages received on channels like email, SMS or WhatsApp.
Security experts note that any travel site security breach involving detailed itinerary and contact information can remain dangerous long after the initial event. Attackers often store stolen data and reuse it for months in targeted phishing campaigns that appear legitimate because they reference real bookings and destinations.
What affected customers should watch for
For now, Booking.com says it has contained the issue by updating PIN numbers and notifying guests whose reservations were linked to the suspicious activity. That said, users are strongly advised to be wary of unsolicited messages asking for payments, card details or verification codes, even if the sender appears to know their stay dates and property names.
Moreover, security best practices suggest verifying any payment-related request directly inside the official Booking.com app or website, rather than following links in messages. Guests should also monitor their email accounts and messaging apps for unusual activity, report suspicious contacts to the platform, and consider enabling additional security features where available.
In summary, Booking.com’s confirmation of unauthorized access underscores persistent cybersecurity challenges for global travel platforms. While financial data was reportedly not exposed, the combination of personal details and booking information can still fuel highly convincing phishing attacks, making user vigilance and transparent communication essential in the incident’s aftermath.

