Yes, the popular online lodging reservations service provider confirmed a data breach earlier this month. Starting on April 12th, 2026, many people received emails from Booking.com warning them of a possible data breach. According to the travel company’s email, unauthorized third parties may have accessed certain information from past or upcoming reservations. The information included booking details and names, email addresses, and phone numbers associated with the reservation. According to Booking.com, even though anything users might have shared with the accommodation provider could have been exposed. The hackers were not able to access any financial or payment information.
Key takeaways
- Booking.com has confirmed a data breach and is notifying customers about changes to reservation PINs.
- The leaked information includes full names, email addresses, and phone numbers associated with the travel reservation.
- Scammers are actively exploiting the stolen data to carry out phishing attacks via email, text, messages, and phone calls.
What happened and who is behind the cyber-attack on Booking.com?
It is currently unclear how the breach occurred, whether the company’s systems were compromised, or whether the hackers exploited a vulnerability in a third-party vendor. It also remains unclear who is behind the actual breach. However, the admin team at Booking.com assured its customers that the issue has been contained. Right after the problem was discovered, Booking.com cut off the hackers and began updating the PINs of the guests’ reservations. The travel marketplace also began notifying its customers about the cyber incident and advised them to be vigilant when clicking any links claiming to be from Booking.com. And to be extra cautious about suspicious emails, texts, and calls.
How are hackers trying to exploit the stolen information?
Travelers report receiving suspicious emails on messaging apps such as WhatsApp. The messages look very convincing because the attackers know important booking details, such as the targets’ full names and booking information. There have been reported attempts by fraudsters to ask Booking.com customers to reconfirm a payment or verify their guest identity. The attackers want people to reshare personal information in hopes of stealing payment information and sensitive personal details that would empower them to commit fraud.
What are the details surrounding the incident, and how many people are affected?
It is unclear how many people have had their personal information leaked, but many Booking.com customers have been affected. Company representatives have been emailing them new reservation PINs. Even a small percentage of affected users could mean the numbers are in the millions. The Amsterdam-based company has a global presence and serves hundreds of millions of people yearly.
Travelers with upcoming trips who need to reconfirm a booking are advised to do so directly on the Booking.com website to manage the reservation. If people receive an email that looks legit, it is still advisable to go to the actual website without clicking any links in the email. And then to enter personal information, including a PIN and reservation numbers. The links in phishing emails can be very convincing, and it is always better to go directly to the “manage booking” section on the travel site. The same goes for phone calls: users who receive a call from someone claiming to be from Booking.com are advised to hang up and call the actual Booking.com phone number listed on the company website if they have any doubts.
