Booking.com has confirmed that unauthorized third parties accessed customer data, triggering a wave of targeted scams against travelers. The company detected "certain suspicious activity" involving unauthorized access to user information, according to an email sent to affected customers.
The breach exposed names, addresses, email addresses, phone numbers, and specific reservation details. While the company has not disclosed the total number of impacted users, it stated that financial data was not part of the leak.
In response to the intrusion, Booking.com forced a reset of reservation PINs for both current and past bookings. The company is communicating directly with affected users via its official noreply@booking.com address.
Scammers weaponize reservation details
Reports from users on Reddit indicate that attackers are already putting the stolen information to use. One affected user reported receiving a WhatsApp message containing accurate details of their specific reservation, demonstrating that the stolen data is being used to build trust for fraudulent schemes.
Security experts are also warning about "smishing" variants, where attackers send SMS messages containing malicious links. These messages often claim a reservation is pending or requires immediate action to prevent cancellation.
This incident follows a pattern of escalating threats against the platform. The Guardian reported that Booking.com has faced a growing number of scams even within its own mobile application. Previous attacks involved messages sent through the platform itself that warned users their bookings were at risk, in order to trick them into handing over financial credentials.
In early 2025, cybersecurity firm ESET identified the "ClickFix" technique, a method in which users are tricked into running malicious Windows commands that compromise their own systems. This tactic was later integrated into phishing campaigns using Booking.com's branding.
The company's history with security breaches dates back several years. In 2024, Booking.com reported a 900% increase in phishing attacks attributed to the use of artificial intelligence. In 2021, Dutch authorities fined the platform 475,000 euros following a hack that exposed the data of over 4,000 customers.