Booking.com has confirmed a data breach involving unauthorised access to customer booking details, following what it described as “suspicious activity” on its platform. Via an email sent to users, which was shared on Reddit, the company said “unauthorised third parties” were able to access “some of our guests’ booking information”, prompting an immediate response to contain the incident and secure affected reservations.
According to the company, it has already reset PIN codes linked to impacted bookings and notified affected users. “Upon discovering the activity, we took action to contain the issue,” it said, adding that it has also informed customers whose data may have been exposed. However, Booking.com declined to disclose how many users were affected by the breach.
Sensitive Financial Information Unaffected
While the company confirmed the incident, it emphasised that sensitive financial information was not accessed. Instead, the exposed data may include booking-related details such as names, email addresses, phone numbers, physical addresses, and any additional information shared with accommodation providers as part of a reservation.
The platform, headquartered in Amsterdam and listing over 30 million accommodation options globally, connects millions of travellers to hotels, transport, and experiences. With more than 6.8 billion guest arrivals recorded since 2010, its scale makes it a high-value target for cyberattacks.
Phishing Risks
Security experts warn that the breach could still pose risks even without financial data exposure. Attackers armed with legitimate booking details may attempt highly targeted phishing scams, impersonating Booking.com or accommodation providers. These messages could appear convincing, as they may reference real trips or reservations.
Booking.com has urged users to remain cautious of any unsolicited communications requesting sensitive information. Users are advised not to click on links in emails or messages claiming to be from the company, and instead access their accounts directly through the official website. The company also recommends contacting customer support through verified channels if there are concerns about booking activity or suspicious messages.
(Source: The Guardian / Forbes)
