Global travel booking giant Booking.com has confirmed a major data breach exposing customer data, including names, email addresses, phone numbers, and reservation details, in a cyberattack that raises serious phishing and identity theft risks. The Booking.com data breach, involving unauthorized access to booking information, is already being exploited by hackers for targeted phishing attacks, putting millions of travelers at risk. Users are now being warned to stay alert for Booking.com scams, fraudulent messages, and suspicious payment requests linked to compromised reservation data.
Booking.com confirmed on Monday that it detected suspicious activity affecting a number of customer reservations. The platform, which lists more than 28 million accommodations globally, notified affected users via email, stating that unauthorized parties “may have been able to access certain booking information associated with your reservation.”
Despite acknowledging the breach, Booking.com has not disclosed how many customers were impacted, which regions were affected, or how long the unauthorized access lasted. A company spokesperson stated that the company identified “suspicious activity involving unauthorized third parties” and acted quickly to contain the incident.

As part of its response, Booking.com reset PIN codes tied to affected reservations and alerted impacted customers. The exposed data reportedly includes full names, email addresses, phone numbers, physical addresses, booking details, and any additional information shared with accommodations. Importantly, Booking.com said financial data was not accessed, although it remains unclear whether stored credit card information was completely isolated from the breach.
There are already signs that attackers are using the stolen data. One reported case involved a user receiving a highly targeted WhatsApp phishing message weeks before the official breach notification. The message reportedly included accurate personal and booking details, suggesting that hackers are actively using the compromised data for social engineering attacks.
This development indicates a broader phishing campaign in which cybercriminals impersonate Booking.com or hotel partners to trick users into sending payments or revealing sensitive information.
Booking.com has emphasized that it will never request credit card details via phone calls, SMS, or WhatsApp, and will not ask customers to make payments outside its official platform.
The incident follows a pattern of attacks targeting the Booking.com ecosystem. In 2023, cybersecurity firm Secureworks uncovered campaigns using the Vidar infostealer to steal hotel admin credentials, allowing attackers to contact guests directly with fraudulent payment requests. A 2025 report by Sekoia.io also highlighted phishing operations using the ClickFix social engineering technique and PureRAT malware to compromise hotel accounts and target travelers.
Security experts advise Booking.com users to remain cautious of unsolicited messages, verify any payment requests through official channels, and closely monitor their accounts for suspicious activity.