Booking.com confirms customer data accessed in cyberattack

Booking.com confirmed on Monday that hackers may have gained access to customers’ personal information, including names, email addresses, phone numbers, and reservation details. The global travel and accommodation booking company began notifying affected users about the breach over the past week, as reflected in several posts shared online.

A notification sent to customers stated that unauthorised parties may have accessed booking-related data tied to their reservations. According to a post shared on Reddit, the message read: “We’re writing to inform you that unauthorised third parties may have been able to access certain booking information associated with your reservation.” Multiple other users responding to the same thread indicated they had received similar alerts.

The notification outlined the types of information that may have been compromised, including booking details, contact information, and any additional data shared directly with the accommodation providers.

The individual who posted the message also said they received a phishing attempt through WhatsApp approximately two weeks earlier. The message reportedly included specific booking details and personal information, suggesting that attackers may already be using the stolen data to target Booking.com users with scams.

A company spokesperson, Courtney Camp, confirmed that Booking.com detected unusual activity involving unauthorised access to certain guest booking data. The company stated that once the activity was identified, it took steps to contain the issue. As part of its response, Booking.com reset PIN codes associated with the affected reservations and informed impacted customers.

The company also clarified in a statement to The Guardian that financial information was not part of the compromised data.

This incident follows previous security concerns linked to the platform. In 2024, reports indicated that hackers had infected computers at several hotels with consumer-grade spyware, sometimes referred to as stalkerware. In one instance, a victim who was logged into their Booking.com administrative portal had their screen captured by the spyware pcTattletale.

According to information published on Booking.com’s website, approximately 6.8 billion hotel and accommodation bookings have been made through the platform since 2010, underscoring the scale of potential exposure in incidents like this.