Booking.com warns reservation data may have checked out with intruders

Travel giant says names, contact details, dates, and hotel messages potentially exposed

The Register

Booking.com is warning customers that their reservation details may have been exposed to unknown attackers, in the latest reminder that the travel giant still can't quite keep a lid on the data flowing through its platform.

The company began emailing affected users over the past few days, saying that "unauthorized third parties" may have accessed booking information tied to their accounts. The data in question appears to include names, contact details, reservation dates, and any messages exchanged with hotels through the platform.

While the company is keen to insist that financial data wasn't accessed, it's far less forthcoming about how many customers are affected. Booking.com did not respond to The Register's request for comment.

In an email to affected users, seen by The Register, Booking.com said it had detected suspicious activity, contained the issue, and reset booking PINs as a precaution. Customers have been told to watch out for phishing attempts, a notable risk given the nature of the exposed data.

"We recently noticed suspicious activity affecting a number of your guests' reservations," the email reads. "This may have led to unauthorized third parties being able to access the booking information for these bookings. We are emailing guests informing them that, in order to secure their booking, the PIN number for their booking confirmation has been changed."

It's not a credit card-skimming free-for-all, but it is exactly the kind of data that makes a convincing phishing email far too easy. The platform's built-in messaging system has been abused for this before, often after hotel accounts were compromised, turning legitimate conversations into a delivery channel for payment scams.

The company has not said how the data was accessed, whether this was tied to a compromise of partner systems, or how long the exposure lasted before it was spotted.

It also isn't the first time Booking.com has found itself in this position. In 2021, Dutch regulators fined the company €475,000 after a breach exposed the personal data of more than 4,000 customers, including credit card details in some cases, following a compromise of hotel staff logins. That incident hinged on attackers gaining access through the supply chain rather than breaking into Booking.com directly, a pattern that has cropped up repeatedly across the travel sector.

If this latest compromise follows a similar script, the breach itself may end up being only half the story. The more immediate risk is follow-on phishing, as attackers use real booking data to craft messages that look legitimate enough to slip past both users and basic security checks. ®