Booking.com Confirms Data Breach Exposing Reservation Details for Unknown Number of Travelers as Phishing Risks Mount
Booking.com confirmed hackers accessed customer names, contact details, and reservation data, forcing PIN resets across the platform while declining to disclose how many users were affected.
Overview
Booking.com, the world’s largest online travel platform, confirmed over the weekend that hackers gained unauthorized access to customer reservation data, exposing names, contact information, and booking details for an undisclosed number of travelers. The company has forced PIN resets on affected reservations and begun notifying impacted users, but has declined to reveal how the breach occurred or how many customers are affected.
What We Know
The company began sending notification emails to affected customers over the weekend of April 12-13, warning that “unauthorized third parties may have been able to access certain booking information,” according to TechCrunch.
The exposed data includes full names, email addresses, phone numbers, and specific information that customers shared with accommodation providers through the platform, as reported by BleepingComputer. The company emphasized that financial information, including credit card data, was not compromised.
Booking.com’s communications lead Sage Hunter told BleepingComputer that “upon discovering the activity, we took action to contain the issue.” The company forced PIN resets for both existing and past reservations and provided updated credentials to affected users in the notification emails.
The platform has not disclosed the number of affected customers. A Booking.com spokesperson told TechCrunch that every affected user would be notified individually, but the company declined to answer questions about the breach’s total scope.
Phishing Risks
Security experts warn that the stolen data is particularly dangerous for social engineering attacks. Keven Knight, CEO of cybersecurity firm Talion, cautioned that attackers possessing “personal details and previous bookings” could craft “highly tailored” phishing communications, according to Help Net Security.
Some Reddit users reported being targeted by scammers using private reservation information via WhatsApp in the weeks preceding the official disclosure, as noted by BleepingComputer. Messages containing stolen booking data were reportedly sent as early as mid-March, according to TechCrunch, raising questions about how long the unauthorized access persisted before detection.
What We Don’t Know
Several critical questions remain unanswered. Booking.com has not disclosed the technical mechanism behind the breach, whether the intrusion exploited its own systems or compromised partner accounts, or how long the exposure lasted. The Register noted that the company declined to comment when asked for these details.
The total number of affected users is also unclear. Booking.com claims more than 100 million mobile app users, making the potential exposure significant even if only a fraction of accounts were compromised.
Historical Context
This is not the first time Booking.com has faced a data exposure incident. A 2021 breach exposed data for more than 4,000 customers after hotel staff login credentials were compromised, resulting in a 475,000 euro fine from Dutch regulators, as reported by The Register. The travel platform has also been a persistent target for phishing campaigns that exploit the trust travelers place in booking confirmation messages.
The incident arrives as the European Union’s General Data Protection Regulation enforcement continues to intensify, and as major travel platforms increasingly become targets for threat actors seeking data that can be weaponized for highly convincing social engineering campaigns.