Global travel booking giant Booking.com has confirmed a cyberattack in which unauthorized third parties gained access to customers’ personal data, including names, email addresses, phone numbers, and reservation details, raising immediate concerns about downstream phishing attacks targeting millions of travelers worldwide.
Booking.com confirmed on Monday that it had detected suspicious activity across a number of customer reservations. The company, which hosts over 28 million accommodation listings worldwide, notified affected customers via email, warning that “unauthorized third parties may have been able to access certain booking information associated with your reservation”.
Despite the public disclosure, Booking.com declined to reveal the total number of customers impacted, the specific regions affected, or the exact timeframe during which unauthorized access occurred.

A company spokesperson confirmed to TechCrunch that Booking.com “noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information” and that the company “took action to contain the issue” upon discovery.
As an immediate security measure, Booking.com reset the PINs associated with affected reservations and informed impacted guests.
The compromised data reportedly includes booking details, full names, email addresses, physical addresses, phone numbers, and “anything that you may have shared with the accommodation”.
Critically, Booking.com confirmed to The Guardian that financial information was not accessed during the breach. However, it remains unclear whether the credit card data stored on the platform was fully isolated from the intrusion.
Evidence suggests threat actors are already weaponizing the stolen data. At least one affected Reddit user reported receiving a targeted WhatsApp phishing message two weeks prior to receiving the breach notification, a message that contained accurate booking details and personal information.
This strongly indicates that the stolen reservation data is already being used in social engineering campaigns impersonating Booking.com or affiliated accommodation providers.
Booking.com has explicitly warned customers that it will never request credit card details over the phone, via SMS, or via WhatsApp, nor will it request bank transfers outside of official booking confirmation guidelines.
This incident follows a well-documented pattern of attacks targeting the Booking.com ecosystem. In late 2023, cybersecurity firm Secureworks identified campaigns using the Vidar infostealer to harvest hotel admin portal credentials, enabling attackers to directly message guests with fraudulent payment requests.
A November 2025 report by Sekoia.io further detailed phishing campaigns leveraging ClickFix and PureRAT malware to compromise hotel accounts and target customers.
Security researchers urge Booking.com users to remain vigilant against unsolicited payment requests via WhatsApp or email, verify all communications through official channels, and monitor accounts for suspicious activity.

