Booking.com warns reservation data may have checked out with intruders
- Reference: 1776090314
- News link: https://www.theregister.co.uk/2026/04/13/bookingcom_breach/
The company began emailing affected users over the past few days, saying that "unauthorized third parties" may have accessed booking information tied to their accounts. The data in question appears to include names, contact details, reservation dates, and any messages exchanged with hotels through the platform.
While the company is keen to insist that financial data wasn't accessed, it's far less forthcoming about how many customers are affected. Booking.com did not respond to The Register's request for comment.
In an email to affected users, seen by The Register, Booking.com said it had detected suspicious activity, contained the issue, and reset booking PINs as a precaution. Customers have been told to watch out for phishing attempts, a notable risk given the nature of the exposed data.
"We recently noticed suspicious activity affecting a number of your guests' reservations," the email reads. "This may have led to unauthorized third parties being able to access the booking information for these bookings. We are emailing guests informing them that, in order to secure their booking, the PIN number for their booking confirmation has been changed."
It's not a credit card-skimming free-for-all, but it is exactly the kind of data that makes a convincing phishing email far too easy. The platform's built-in messaging system has been [4]abused for this before, often after hotel accounts were compromised, turning legitimate conversations into a delivery channel for payment scams.
[5]Fake Windows BSODs check in at Europe's hotels to con staff into running malware
[6]That 'angry guest' email from Booking.com? It's a scam, not a 1-star review
[7]Cybercrooks book a stay in hotel email inboxes to trick staff into spilling credentials
[8]Cyberattack brings down InterContinental Hotels' booking systems
The company has not said how the data was accessed, whether this was tied to a compromise of partner systems, or how long the exposure lasted before it was spotted.
It also isn't the first time Booking.com has found itself in this position. In 2021, [9]Dutch regulators fined the company €475,000 after a breach exposed the personal data of more than 4,000 customers, including credit card details in some cases, following a compromise of hotel staff logins. That incident hinged on attackers gaining access through the supply chain rather than breaking into Booking.com directly, a pattern that has cropped up repeatedly across the travel sector.
If this latest compromise follows a similar script, the breach itself may end up being only half the story. The more immediate risk is follow-on phishing, as attackers use real booking data to craft messages that look legitimate enough to slip past both users and basic security checks. ®
[4] https://www.theregister.com/2025/03/13/bookingdotcom_phishing_campaign/
[5] https://www.theregister.com/2026/01/06/russia_hackers_hotel_bsods/
[6] https://www.theregister.com/2025/03/13/bookingdotcom_phishing_campaign/
[7] https://www.theregister.com/2023/12/20/hotel_cybercrime_research/
[8] https://www.theregister.com/2022/09/06/ihg_hotels_data_breach/
[9] https://www.theregister.com/2021/04/01/booking_dot_com_fine/
It's not just booking.com
I've twice received phishing emails, ostensibly from hotels I have a booking with, name and dates are correct, booking references weren't and the link and send from addresses didn't tally. The emails insisted I needed to confirm my booking within 24 hours or it would be cancelled, I'm guessing the link would require credit card details "to hold your reservation".
In both cases the hotel confirmed it was a scam, the most recent also emailed customers with a booking to warn them. Hopefully they've done something to tighten up systems but it may be the agency they use rather than internally.
ONE login
And yet no one mentions the government's new ONE login.
Signed up to renew a passport and within a day I'm getting phishing emails purporting to be from this new one login.
I look forward to the lack of hypocrisy as the government reports itself to the ICO and comes clean
This is not news to me... only the fact that Booking.com finally admitted it.
Some time ago, we received an email, ostensibly from the hotel we had booked with. It had the correct names, dates, and even the booking reference number, and was signed with the name of someone from the hotel's staff. Because of that, it nearly (though not quite) got us. This happened only a couple of days after we made the booking.
This is outright impossible without a persistent, active hack on either Booking.com or the hotel's systems.
I have a suspicion that the booking systems are fairly open with names and dates, with reception, housekeeping, etc. all able to access them. That said there should be stricter controls on when people can see the data (e.g. housekeeping would only need it for the following week) and on any form of bulk download.
Please steal from my house. I'll be gone for 2 weeks in June.
I'd be more concerned about a published list available to everybody of when my home will likely be vacant. Depending on the extent of "names, contact details, ...", I can envision a couple of guys with a moving truck cleaning me out. That's worse than a spam or phishing attack that you can see and defend against.
I got one of these emails but for a booking ten months ago so it's difficult to see what they can do with that. Presumably the hack is against individual hotel accounts and they'll be mainly looking for active bookings to target.
I have a specific email address to use with booking.com. Because of marketing spam it's set to bounce except for a few minutes when I'm expecting a confirmation email. They're not going to have much chance of getting a phishing email through here.