Booking.com is warning customers that their personal data, as well as upcoming travel details, have been exposed after hackers infiltrated the company’s networks earlier this month – with dozens of customers already reporting fake emails and WhatsApp messages claiming to be from the booking site. Reports of phishing messages tied to those reservations continue to surface online.
Key takeaways:
Booking.com says hackers accessed customer reservation data, exposing travel details tied to upcoming trips.
Users are now reporting phishing emails, calls, and WhatsApp messages that appear to target those bookings.
The full scope remains unclear – including how the breach happened and whether stolen data is already being used or sold.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The company began notifying Booking.com customers by email on Sunday, “in the spirit” of “dedication to the security and data protection of our guests.”
“We’re writing to inform you that unauthorized third parties may have been able to access certain booking information associated with your reservation,” the email states.
Booking.com said it had “recently noticed suspicious activity affecting a number of reservations,” and immediately took action to contain the issue.
Booking.com began notifying customers this week about exposed reservation data. Image by Cybernews via Reddit
In a statement sent to Cybernews, Booking.com reiterated that it is “dedicated to the security and data protection of our guests” and had recently detected “suspicious activity” involving unauthorized third parties accessing some guests’ booking information.
“Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests,” the company said.
What data was exposed by hackers?
Booking.com said the initial investigation shows the attackers were able to access private customer information, which could include:
booking details
name(s)
emails
addresses
phone numbers associated with the booking
anything shared with the accommodation
Keep in mind that many hotels require travelers to upload a copy of their passports or government-issued IDs to hold those reservations, although those details were not mentioned in the emails to guests.
Booking.com said it has “updated the PIN number of your booking reservation” to help secure the booking, noting that physical addresses were not accessed.
There was also no mention of any payment information, including bank or credit card account numbers, being compromised.
One hotel owner also chimed in on the thread, stating that Booking.com was notifying host owners about "suspicious activity affecting a number of your guests’ reservations" and warning that the hackers had accessed customers' reservations.
"If your guests have received suspicious emails or phone calls, these could be from malicious actors pretending to represent Booking.com or your Property. We will remind guests of our payment communication principles and recommend that they stay vigilant for potential criminal activity," Booking.com said.
Booking.com also warned property owners about suspicious activity affecting guests’ reservations. Image by Cybernews via Reddit
The host, as well as many other users, slammed the e-travel company for not being straight up with those reporting the phishing attempts.
Instead, they accuse the company of “making it appear as though the problem is limited to a small number of guests accommodations,” presumably for damage control, “and not wanting to admit to a large hack or exploit in their system.”
Breach details scarce
The exact date Booking.com discovered the intrusion is unclear, although one Reddit user alleged to have “reported a security breach 15 days ago, and they [booking.com] claimed everything was fine on their end.”
“After several unanswered emails and calls, Booking.com decided to flee and blame the hotel regarding the data leakage,” the user said in one of several posts about the cyber incident.
Travelers are already reporting fake emails and WhatsApp messages tied to their Booking.com reservations. Image by mama_mia | Shutterstock
Several more Booking.com users began echoing the claims, with some receiving phishing emails and WhatsApp messages from random senders referencing upcoming travel reservations booked through the site.
One Booking.com customer reported getting “a lot of calls from ‘the travel agency’ to confirm a reservation.”
“No other info is given and when pressed for further verification they get angry and hang up. When I asked for the name of their company ‘that's not important,’” they described the fraud attempt.
Another Reddit user also reported receiving a similar phishing message via WhatsApp, this time from a sender claiming to be the “check-in manager,” also attempting to confirm a recently booked hotel reservation.
Booking.com did not reveal exactly how the attackers were able to breach the system, whether any group has claimed responsibility for the attack, or what has been done to mitigate the breach.
It’s also unclear how much data was accessed and whether that sensitive customer data was actually exfiltrated from the networks. Exfiltrated data could be sold on hacker forums, leading to further targeted phishing attacks or identity theft.
Booking.com is one of the world’s largest travel platforms, with more than 100 million active mobile app users, over 500 million monthly website visits, and more than 1.1 billion nights booked in 2024. Its annual revenue in 2024 was $23.7 billion, according to Business of Apps.
In January, Securonix research found Russian hackers launching a “click-fix” phishing campaign designed to trick Booking.com users into installing malware on their devices – a tactic witnessed by a Cybernews employee last month.
The criminals send spoofed emails posing as hotels, alerting the recipient about a canceled reservation and a significant payment charge – often over a thousand euros – prompting victims to investigate by clicking malicious links in the message.
Booking.com is headquartered in Amsterdam, with parent company Booking Holdings based in Connecticut.