
Booking.com Data Breach: Hackers Accessed Customer Information, Systems Now Secured

  • 3 days ago

Key Findings


  • Booking.com confirmed a targeted data breach affecting reservation records

  • Exposed data includes names, email addresses, phone numbers, postal addresses, and booking details

  • Payment information was not accessed

  • Company has not disclosed the number of affected users or attack methodology

  • Reservation PIN codes have been reset as a precaution

  • Over 100 million users accessed the mobile app in 2024, amplifying breach severity

  • Attackers can now leverage booking data to conduct highly convincing phishing campaigns

  • This is not Booking.com's first security incident


Background


Booking.com is the world's largest and most widely used online travel agency, specializing in accommodation bookings including hotels, vacation rentals, and apartments. The company serves a massive user base and holds sensitive travel and personal information for millions of customers globally. The platform has previously been exploited as a channel for phishing campaigns, often involving compromised hotel accounts, demonstrating the effectiveness of travel-related scams when they appear credible.


Scope of the Breach


Booking.com detected suspicious activity affecting a number of reservations and immediately contained the issue. The accessed information could include booking details, names, email addresses, postal addresses, phone numbers associated with bookings, and information shared directly with accommodations. However, the company has remained vague about the actual number of users impacted. Given that Booking.com's mobile app alone had over 100 million users in 2024, the potential scale of the incident could be substantial.


Attack Methodology and Technical Details


The company has not disclosed how the breach occurred or whether attackers actually compromised Booking.com's systems. This lack of transparency has raised concerns among cybersecurity experts. The company's notification to users only confirms that unauthorized third parties accessed certain booking information and that the issue has now been contained.


Phishing and Secondary Attack Risk


Industry experts warn that booking data in the hands of attackers presents significant follow-up threats. With real hotel names, dates, locations, and customer names, attackers can use artificial intelligence to craft highly convincing phishing emails that are far more likely to trick users into sharing payment details or clicking malicious links. Keven Knight, CEO of Talion, emphasizes that the lack of disclosure from Booking.com compounds this risk, leaving users vulnerable to phishing, smishing, vishing, and identity fraud. Recent reports indicate that some users have already received suspicious communications referencing their actual booking details.


Recommended User Actions


Booking.com has urged customers to remain vigilant against suspicious messages and calls. The company emphasizes that it never requests card details or unusual transfers via email, phone, WhatsApp, or SMS. Users should treat unexpected communications about bookings with extreme caution, especially those involving urgency or payment requests. All emails and communications requesting financial or personal data should be thoroughly vetted before any action is taken.


Sources


  • https://hackread.com/booking-com-data-breach-hackers-customer-details/

  • https://securityaffairs.com/190757/data-breach/hackers-access-booking-com-user-data-company-secures-systems.html

© 2025 by Explain IT Again.