
Booking.com is warning customers that their personal data, as well as upcoming travel details, have been exposed after hackers infiltrated the company’s networks earlier this month – with dozens of customers already reporting fake emails and WhatsApp messages claiming to be from the booking site. Reports of phishing messages tied to those reservations continue to surface online.
- Booking.com says hackers accessed customer reservation data, exposing travel details tied to upcoming trips.
- Users are now reporting phishing emails, calls, and WhatsApp messages that appear to target those bookings.
- The full scope remains unclear – including how the breach happened and whether stolen data is already being used or sold.
The company began notifying Booking.com customers by email on Sunday, “in the spirit” of “dedication to the security and data protection of our guests.”
“We’re writing to inform you that unauthorized third parties may have been able to access certain booking information associated with your reservation,” the email states.
Booking.com said it had “recently noticed suspicious activity affecting a number of reservations,” and immediately took action to contain the issue.
In a statement sent to Cybernews, Booking.com reiterated that it is “dedicated to the security and data protection of our guests” and had recently detected “suspicious activity” involving unauthorized third parties accessing some guests’ booking information.
“Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests,” the company said.
What data was exposed by hackers?
Booking.com said the initial investigation shows the attackers were able to access private customer information, which could include:
- booking details
- name(s)
- emails
- addresses
- phone numbers associated with the booking
- anything shared with the accommodation
Keep in mind that many hotels require travelers to upload a copy of their passports or government-issued IDs to hold those reservations, although those details were not mentioned in the emails to guests.
Booking.com said it has “updated the PIN number of your booking reservation” to help secure the booking, noting that physical addresses were not accessed.
There was also no mention of any payment information, including bank or credit card account numbers, being compromised.
One hotel owner also chimed in on the thread, stating that Booking.com was notifying hosts as well about "suspicious activity affecting a number of your guests’ reservations" and warning that hackers had accessed customers' reservations.
"If your guests have received suspicious emails or phone calls, these could be from malicious actors pretending to represent Booking.com or your Property. We will remind guests of our payment communication principles and recommend that they stay vigilant for potential criminal activity," Booking.com said.
The host, as well as many other users, slammed the e-travel company for not being straight up with those reporting the phishing attempts.
Instead, they accuse the company of “making it appear as though the problem is limited to a small number of guests accommodations,” presumably for damage control, “and not wanting to admit to a large hack or exploit in their system.”
Breach details scarce
The exact date Booking.com discovered the intrusion is unclear, although one Reddit user claimed to have “reported a security breach 15 days ago, and they [booking.com] claimed everything was fine on their end.”
“After several unanswered emails and calls, Booking.com decided to flee and blame the hotel regarding the data leakage,” the user said in one of several posts about the cyber incident.
Several more Booking.com users began echoing the claims, with some receiving phishing emails and WhatsApp messages from random senders referencing upcoming travel reservations booked through the site.
One Booking.com customer reported getting “a lot of calls from ‘the travel agency’ to confirm a reservation.”
“No other info is given and when pressed for further verification they get angry and hang up. When I asked for the name of their company ‘that's not important,’” they described the fraud attempt.
Another Reddit user also reported receiving a similar phishing message via WhatsApp, this time from a sender claiming to be the “check-in manager,” also attempting to confirm a recently booked hotel reservation.
Booking.com did not reveal exactly how the attackers were able to breach the system, whether any group has claimed responsibility for the attack, or what has been done to mitigate the breach.
It’s also unclear how much data was accessed and whether that sensitive customer data was actually exfiltrated from the networks, which could be sold on hacker forums, leading to further targeted phishing attacks or identity theft.
Booking.com is one of the world’s largest travel platforms, with more than 100 million active mobile app users, over 500 million monthly website visits, and more than 1.1 billion nights booked in 2024. Its annual revenue in 2024 was $23.7 billion, according to Business of Apps.
In January, Securonix research found Russian hackers launching a “click-fix” phishing campaign designed to trick Booking.com users into installing malware on their devices – a tactic witnessed by a Cybernews employee last month.
The criminals send spoofed emails posing as hotels, alerting the recipient to a canceled reservation and a significant payment charge – often over a thousand euros – prompting victims to investigate by clicking malicious links in the message.
Booking.com is headquartered in Amsterdam, with parent company Booking Holdings based in Connecticut.