Booking.com confirmed Monday that unauthorized third parties accessed personal data belonging to its customers. The breach exposed names, email addresses, physical addresses, phone numbers, and specific booking details.
The travel giant began notifying customers of the security incident last week. Users reported receiving messages stating that unauthorized parties may have accessed information associated with their reservations, including any details shared directly with accommodations.
One customer reported receiving a follow-up phishing attempt via WhatsApp two weeks ago. This message contained specific booking details and personal information, suggesting hackers are using the stolen data to target victims with secondary scams.
Company response
Booking.com spokesperson Courtney Camp told TechCrunch that the company detected suspicious activity involving unauthorized access to guest booking information.
"Upon discovering the activity, we took action to contain the issue," Camp said. She added that the company has updated the PIN numbers for the affected reservations and notified the guests.
Camp declined to provide the total number of customers affected or the specific timeline of the notification process. However, the company told The Guardian that financial information was not accessed during the incident.
This breach follows previous security incidents involving the platform. In 2024, researchers identified spyware infections on hotel computers that allowed attackers to take screenshots of Booking.com administration portals.
