Booking.com has confirmed that cybercriminals potentially accessed personal information belonging to its users, raising alarms in the travel sector.
The company notified affected customers last week about the breach, which involved names, email addresses, phone numbers, and reservation specifics. Reports from users on social media platforms quickly highlighted the scale of these alerts.
A Reddit user shared the exact wording of the notification they received. “We’re writing to inform you that unauthorised third parties may have been able to access certain booking information associated with your reservation.” Many others chimed in to say they got the same message, which also mentioned “anything that you may have shared with the accommodation as at risk.”
The plot thickened when that same user told TechCrunch about a phishing attempt via WhatsApp two weeks earlier. The message contained booking details and personal information, suggesting attackers are now using the stolen data to target victims further. Such scams have become a hallmark of breaches in the online travel space.
Courtney Camp, a Booking.com spokesperson, provided limited details to TechCrunch. She said, “the firm noticed some suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information. Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.” Camp declined to specify how many people were hit or notified.
The company assured The Guardian that financial information was not accessed, offering some relief amid the fallout.
This episode echoes prior vulnerabilities exposed by TechCrunch in 2024, when stalkerware infected hotel computers and even captured screenshots of Booking.com admin screens. With 6.8 billion bookings processed since 2010 according to its own figures, the platform’s exposure is immense. Cybersecurity reports from firms like Mandiant warn that travel sites remain hotspots for data theft by sophisticated groups.
Booking.com now advises customers to stay alert for phishing and has pledged a full probe. Security experts urge enabling multi-factor authentication everywhere to mitigate risks.