Booking.com warns customers after booking data exposed in security breach

Booking.com customers are being told to treat unexpected messages about a reservation as suspicious after the company said unauthorized third parties may have accessed booking information tied to some stays. The risk is not just privacy loss. With real names, reservation dates and contact details in hand, scammers can stage reservation hijacking, sending convincing emails or WhatsApp messages that look tied to an actual hotel stay and press travelers to re-enter card details on fake pages.

Booking.com said it detected suspicious activity, contained the issue and informed affected guests. The company reset reservation PINs as a precaution and said financial data was not accessed. Still, the exposed information may include names, email addresses, physical addresses, phone numbers linked to the booking, reservation dates, booking details and messages shared with accommodations through the platform. Booking.com did not say how many customers were affected, when the breach occurred, how long the exposure lasted or how it happened.

The immediate warning for travelers is clear: any message asking for payment verification, a password reset or urgent action around a booking should be treated as suspect, especially if it includes real trip details. Cybersecurity officials have long warned that this kind of data makes phishing more persuasive, because attackers can cite a genuine reservation, hotel name or stay dates to lower suspicion before sending a fraudulent link.

The scale of fraud around the platform shows why the breach matters. Booking.com said it blocked more than three million fraudulent accounts from creating reservations in 2024, a sign that criminals already see the service as a lucrative target. The company has also faced a major penalty before. In 2021, the Dutch Data Protection Authority fined Booking.com €475,000 after a breach was reported too late, following a case in which criminals obtained personal data from more than 4,000 customers and credit card information from nearly 300 people.

Security officials in Switzerland have described a common Booking.com scam in which fraudsters take over hotel accounts and send fake messages through the platform itself, using the hotel’s account to ask guests to confirm card details. Reports now say some affected customers have already received scam emails and WhatsApp messages after the latest exposure, underscoring how quickly stolen reservation data can be turned into a live phishing campaign.