Booking.com says hackers exposed guest booking data, fueling phishing scams

Booking.com customers should watch for fake payment requests and itinerary changes in the next 24 hours, especially messages that cite real reservation details. The company said unauthorized third parties accessed some guest booking information, a breach that can turn names, email addresses, physical addresses, phone numbers, booking details and extra notes shared with accommodations into tools for impersonation and social engineering.

Booking.com said financial information was not accessed, which reduces the risk of card theft but leaves travelers exposed to highly targeted fraud. Courtney Camp, a Booking.com spokesperson, said the company detected suspicious activity, contained the issue, reset PIN numbers for affected reservations and informed guests. The company would not say how many customers were affected or when notifications were sent, leaving two of the most important questions about the incident unanswered.

The exposure matters because travel data is unusually useful to scammers. Reservation records can include trip dates, destination cities, accommodation names and booking IDs, details that make a phishing message look real enough to trigger urgent action. One customer who warned others on Reddit said they later received a phishing message on WhatsApp that contained booking details and personal data, a sign that the stolen information was already being reused. Booking.com’s own security guidance warns that when booking or partner systems are compromised, guests may get messages or phone calls asking for payments that did not come from the property.

The scale of the platform raises the stakes. Booking.com says it has welcomed more than 6.8 billion guest arrivals across its properties since 2010, and it lists more than 28 million accommodations across 43 languages from its base in Amsterdam, Netherlands. Even a narrow compromise can ripple far beyond one hotel or one country when the underlying data can be repackaged into convincing scams. Booking.com also says it offers 24/7 customer support and has more than 370 million verified reviews, part of the trust that makes a reservation account valuable to criminals.

Some users began receiving emails on Sunday evening, and Booking.com later confirmed the incident publicly. The company has not disclosed the full scope of the affected bookings or the timeline of the compromise, but the pattern is clear: once travel data leaves the reservation system, it can quickly become ammunition for phishing, itinerary fraud and identity misuse.