Booking.com data breach exposes customer personal information
Key Takeaways
- Travel giant Booking.com has confirmed a data breach affecting customer personal information.
- Compromised data includes names, email addresses, phone numbers, physical addresses, and reservation details.
- While financial information was not directly accessed, the exposed data is being used for targeted phishing and social engineering attacks.
- Booking.com has reset affected PINs and is notifying impacted customers, but the full scope of the breach remains undisclosed.
Booking.com Confirms Data Breach, Customer Information Exposed
Global travel booking leader Booking.com has acknowledged a cybersecurity incident, revealing that unauthorized actors gained access to sensitive customer personal data. This breach has exposed details such as names, email addresses, phone numbers, and specific reservation information, immediately raising concerns about an increased risk of targeted phishing campaigns for millions of travelers globally.
The company, which boasts over 28 million accommodation listings worldwide, confirmed on Monday that it detected suspicious activity linked to numerous customer reservations. Booking.com subsequently began notifying affected users via email, cautioning that “unauthorized third parties may have been able to access certain booking information associated with your reservation.”
Undisclosed Scope and Attack Vector
Despite making a public disclosure, Booking.com has refrained from providing critical details regarding the incident. The company has not disclosed the total number of customers impacted, the specific geographic regions affected, or the precise duration of the unauthorized access period.
A Booking.com spokesperson confirmed to TechCrunch that the company “noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information” and stated that “action to contain the issue” was taken upon discovery. As an immediate security measure, Booking.com reset the PINs associated with compromised reservations and informed the affected guests.
The extent of the compromised data reportedly includes booking specifics, full names, email addresses, physical addresses, phone numbers, and “anything that you may have shared with the accommodation.” Importantly, Booking.com assured The Guardian that financial information was not accessed during the breach. However, it remains unclear whether credit card data stored on the platform was completely isolated from the intrusion.
Stolen Data Already Weaponized for Phishing
Evidence strongly suggests that threat actors are already leveraging the stolen data for malicious purposes. At least one user on Reddit reported receiving a highly targeted WhatsApp phishing message approximately two weeks before receiving an official breach notification from Booking.com. This message notably contained accurate booking details and other personal information, indicating active operationalization of the compromised reservation data for social engineering campaigns designed to impersonate Booking.com or its affiliated accommodation providers.
In response, Booking.com has issued an explicit warning to its customers: the company will never request credit card details via phone, SMS, or WhatsApp, nor will it ask for bank transfers outside of its official booking confirmation protocols.
Pattern of Attacks Against Booking.com Ecosystem
This incident is not isolated and follows a documented history of attacks targeting the Booking.com ecosystem. In late 2023, cybersecurity firm Secureworks identified campaigns utilizing the Vidar infostealer to harvest credentials for hotel administration portals. This allowed attackers to directly message guests with fraudulent payment requests. Furthermore, a November 2025 report by Sekoia.io detailed sophisticated phishing campaigns that deployed ClickFix and PureRAT malware to compromise hotel accounts and subsequently target their customers.
What You Should Do
- Be extremely cautious of unsolicited payment requests received via WhatsApp, SMS, or email, even if they appear to contain accurate booking details.
- Always verify the authenticity of any communication claiming to be from Booking.com or an accommodation provider by contacting them directly through official channels (e.g., the official Booking.com app or website, or a verified hotel phone number).
- Never click on suspicious links in emails or messages.
- Regularly monitor your bank and credit card statements for any unauthorized activity.
- Enable multi-factor authentication (MFA) on your Booking.com account and any associated email accounts.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


