Booking.com has begun contacting customers after confirming that a third party accessed parts of its reservation data. The company is describing the incident as a targeted breach affecting an unspecified number of bookings.
According to its own communication to customers, the exposed data may include names, email addresses, phone numbers, postal addresses, and details linked to specific reservations. Booking.com says payment information was not accessed.
The notification email sent to affected users explains that the company detected and contained suspicious activity, limiting the attackers’ access to certain reservation records. As a precaution, the company has reset PIN codes associated with bookings and warned users to remain alert for suspicious messages or calls posing as hotels or customer support.
With booking data in hand, attackers can now use AI to create highly convincing phishing emails. A message referencing a real hotel stay, dates, or location is far more likely to trick someone into sharing payment details or clicking malicious links.
Booking.com has not disclosed how the breach occurred or how many users are affected. However, the fact that the company’s mobile app alone had over 100 million users in 2024 makes the situation more serious. Industry experts like Keven Knight, CEO of Talion, point to this exact risk, stating:
“Given that Booking.com is the largest and most widely used travel agency site in the world, this could turn out to be a sizable attack. Currently, Booking.com is not confirming how many people were impacted or how the attack was carried out, with it only advising in emails what data has been accessed.”
Keven warned that the lack of details from Booking.com puts users at greater risk of phishing, smishing (SMS phishing), Vishing (Voice phishing), and identity fraud. “It is therefore advised to use caution, ensuring all emails and communications requesting financial and personal data are thoroughly vetted before being actioned.“
Booking.com and Cybersecurity
This is not the first time Booking.com has dealt with security challenges. The platform has previously been used as a channel for phishing campaigns, often involving compromised hotel accounts. Those past incidents already showed how effective travel-related scams can be when they appear credible.
If you have a Booking.com account, treat unexpected messages or calls about bookings with caution, especially if they involve urgency or payment requests.
