What Happened
Booking.com detected suspicious activity in mid-April 2026 and confirmed unauthorised access to customer booking information. While payment details remained secure, attackers obtained personal and reservation data including:
- Names and email addresses
- Phone numbers and booking references
- Accommodation-related information
The breach has triggered a wave of targeted phishing schemes using legitimate-appearing communications across email, phone, and messaging platforms.
What to Look Out For
Scammers are now armed with real booking data, making their messages convincing. Watch out for:
- Fraudulent messages impersonating Booking.com, hotels, or travel services that reference your specific reservation details
- Requests to confirm bookings, update payment information, or settle alleged balances — especially with urgent language
- Solicitations to install applications, download files, or disclose sensitive personal or financial information
- Phone calls from numbers appearing legitimate that become evasive when questioned
Remember: Booking.com will never ask you to pay through unofficial channels, provide credentials over the phone, or install third-party apps via a link in a message.
How to Protect Yourself
- Verify all communications by logging into your Booking.com account directly — never click links in suspicious messages
- Monitor your email, phone, and financial accounts for unusual activity
- Enable two-factor authentication on your Booking.com account and email
- Contact Booking.com directly through their official website if you believe you have been affected
- Confirm reservation details directly with hotels using verified contact information before travel