Booking.com has notified customers that their reservation details may have been exposed to unauthorized parties during a recent security incident. The company began emailing affected users over the past few days to report potential access to sensitive booking information.
The exposed data includes names, contact details, reservation dates, and messages exchanged between guests and hotels through the platform. While the company stated that financial data was not accessed, it has not disclosed the total number of customers affected.
In an email to affected users, Booking.com said it had detected suspicious activity, contained the issue, and reset booking PINs as a precaution. "We recently noticed suspicious activity affecting a number of your guests' reservations," the email reads. "This may have led to unauthorized third parties being able to access the booking information for these bookings."
Phishing risks loom
Security experts warn that the nature of the stolen data makes users prime targets for follow-on phishing attacks. Because the breach includes actual hotel messages, attackers can craft highly convincing fraudulent emails that appear to be legitimate communications from the platform.
This is not the first time the platform has struggled with data security. In 202 precisely, Dutch regulators fined Booking.com €475,000 after a breach exposed the personal data of more than 4,000 customers. That incident involved attackers gaining access via compromised hotel staff logins.
Booking.com has not yet clarified how the data in the current incident was accessed or whether the breach involved a compromise of partner systems. The company did not respond to requests for comment regarding the duration of the exposure.