Booking.com confirms unauthorized access to customer booking information

This article was generated by AI and cites original sources.

Booking.com has confirmed that hackers may have accessed customers’ personal and booking information in a security incident. The company notified guests that “unauthorized third parties may have been able to access certain booking information associated with your reservation,” according to customer notifications reported by TechCrunch. The incident, disclosed after suspicious activity was detected, involved reservation systems and customer data exposure.

What Booking.com says was accessed

In customer notifications described by TechCrunch, Booking.com told guests that unauthorized parties may have accessed names, emails, physical addresses, phone numbers, and booking details. The message also indicated that the compromised data could include “anything that you may have shared with the accommodation,” linking the breach to both Booking.com’s records and data shared between travelers and property partners.

Booking.com spokesperson Courtney Camp told TechCrunch that the company “noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information.” Upon discovering the activity, the company took steps “to contain the issue,” including updating the PIN number for these reservations and informing guests.

Booking.com told The Guardian that financial information was not accessed. However, Camp declined to answer specific questions from TechCrunch, including how many customers were affected and when the company notified them.

Connection to phishing activity

According to TechCrunch’s reporting, a Reddit user shared that they received a phishing message via WhatsApp approximately two weeks before Booking.com’s public notification. The message included “booking details and personal information.”

This timing and content suggest that stolen Booking.com data may have been used to make phishing lures more convincing. While the source does not provide technical evidence linking the phishing campaign directly to the intrusion, the sequence—data exposure followed by targeted messages—follows a common pattern in data breaches where attackers use stolen information to increase the effectiveness of social engineering attacks.

The presence of booking-specific details in a WhatsApp message indicates that the exposed data could be used by attackers beyond the initial unauthorized access. Additional customer reports of similar messages could indicate how attackers operationalize exposed information.

PIN updates as a technical response

Booking.com’s response included updating the PIN for these reservations. This detail indicates a specific control within reservation workflows: a per-reservation secret used to gate access to booking-related information or actions.

PIN rotation is typically used when there is reason to believe that a secret may have been compromised or could be exploited by an attacker who gained access to booking metadata. The source does not specify the exact role of the PIN—whether it gates check-in instructions, messaging, or accommodation portal access—but it indicates that Booking.com treated the PIN as part of its response.

Camp’s statement that the company “took action to contain the issue” after noticing suspicious activity suggests a rapid response. However, TechCrunch notes that the spokesperson did not answer questions about scope and timing. This gap means the full extent of the incident—whether PIN updates were applied universally or only to affected reservations, and how long suspicious activity persisted—remains unclear.

Context: Prior security incidents at Booking.com

In 2024, TechCrunch reported that hackers had infected several hotels’ computers with consumer-grade spyware. In one case, a victim was logged into their Booking.com administration portal when the stalkerware captured a screenshot. While this prior incident does not explain the method behind the current breach, it demonstrates that Booking.com’s ecosystem has been exposed to threats involving compromised endpoints and credential capture.

The 2024 incident and the current breach suggest that security challenges in travel technology span multiple layers: endpoint compromise and screenshot capture, as well as unauthorized access to booking information and subsequent phishing campaigns. This indicates that security teams in hospitality and travel technology need to address both infrastructure security and data-driven social engineering as interconnected concerns.

What remains unclear

TechCrunch reports that Booking.com declined to provide certain details, including the number of customers affected and the notification timeline. The full technical and operational scope of the incident remains unclear. Key unknowns include the affected time window, the exact access path, and whether data types beyond those listed in the notification message were involved.

The confirmation that financial information was not accessed may limit immediate fraud risk, but it does not eliminate other risks tied to personal data exposure. Booking details can be used to impersonate properties, travelers, or support channels. The reported WhatsApp phishing that included booking details demonstrates that even non-financial data can be operationally valuable to attackers.

Source: TechCrunch