
Booking.com Data Breach Confirmed: Customer Personal Data Exposed in Cyber Incident

By xploitzone
April 20, 2026 4:25 PM

Booking.com confirmed on April 13, 2026 that unauthorized hackers accessed customers' reservation information: names, emails, phone numbers and hotel messages. Find out what happened, how it happened and how you can stay safe.

Booking.com Data Breach: Customer Data Exposed

Booking.com, the world’s largest travel booking website, officially confirmed on April 13, 2026, that hackers had accessed personal information of its customers. This news came to light when thousands of users received an email from the company over the weekend stating that unauthorized third parties had accessed information related to their reservations.

This notification went viral on Reddit when a user shared a screenshot and several others replied that they had received the same email. By this time it was clear that the incident was not limited to just one or two people; it was widespread.

Booking.com lists more than 28 million properties worldwide and processes hundreds of millions of bookings each year. When a company of this scale confirms a data breach, the impact is not just a technical problem; it directly affects the privacy, safety and financial security of real people.

Customer Data Exposure Explained

In its notification, Booking.com informed customers that the exposed data could include names, email addresses, phone numbers and other reservation-related details. Furthermore, anything customers shared with the accommodation through the platform, including messages between the hotel and the guest, was also potentially accessible.

The Register viewed one such email in which the company confirmed suspicious activity, stated the issue was contained, and mentioned resetting booking PINs as a precaution. One point the company repeatedly emphasized was that no financial or payment information was accessed. SecurityWeek confirmed directly with Booking.com that customer accounts were not breached; only some data associated with reservations was accessed by unauthorized parties.

However, the company did not disclose how many users were affected, how long the data was accessible, or exactly through which vector the breach occurred. These questions have not been publicly answered to date.

The Real Threat: Phishing Attacks Begin

Even more concerning than the breach itself was what surfaced soon after it. According to a report by Cyber News Centre, some travellers in Australia started receiving WhatsApp messages quoting their accurate reservation details even before the official Booking.com notification arrived.

A traveller travelling to Bali became the victim of a $100 scam by a fraudster posing as Booking.com support. BleepingComputer also reported that several Reddit users said that scammers were contacting them with legitimate reservation details, although it is not yet clear whether these incidents are directly linked to the breach or not.

This is what sets this breach apart from just another data leak. When an attacker has your name, your hotel, your check-in date and your phone number, they can craft a convincing phishing message from that information alone.

You'll believe it's a genuine message from Booking.com or the hotel because every detail is accurate. This is why cybersecurity experts call this type of breach especially dangerous: using leaked data in a second-stage attack can be even more devastating than the original breach.

The Hidden Layer: Supply Chain Security Issues

What makes this incident even more serious is Booking.com's history. The Register pointed out that in 2021, the Dutch Data Protection Authority fined the company €475,000 after a similar breach in which data of more than 4,000 customers, including credit card details, was exposed.

What was the root cause of that incident? Compromised hotel staff login credentials. Booking.com's own systems were not directly breached; the attackers reached the data through the accounts of its partner hotels.

This pattern, known in the security industry as a supply chain attack, is being repeated frequently. Cybersecurity firms like Bridewell and Sequoia have extensively documented how attackers target hotel partners with infostealer malware.

They first send a fake guest complaint email to a hotel employee, then compromise the employee's Booking.com extranet account by tricking them into clicking a malicious link. Once the hotel account is compromised, the attackers can use it to send legitimate-looking messages through Booking.com directly to guests and to view reservation data.

According to eSecurity Planet's deep-dive research, attackers also use the internationalized domain name (IDN) homograph technique: characters from Cyrillic or other alphabets are chosen because they look like Latin letters, so the victim does not realise the domain is fake. URLs carry parameters such as complaint?optoken= that look like a genuine workflow. This is a multi-stage fraud operation: target the hotel first, then the guests.
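The homograph and lookalike-domain tricks described above are something a mail gateway, a hotel's help desk or a cautious traveller can check for mechanically. The following Python is an added example written for this article; it is not code from Booking.com, eSecurity Planet or any of the firms named here. It decodes Punycode (xn--) hostnames, flags hostnames that mix scripts (for instance a Cyrillic 'о' among Latin letters) or contain compatibility characters, and separately reports whether a link actually points at the trusted domain or only at something that resembles it. The trusted-host list and the sample message are constructed assumptions for the example.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Hosts a guest should treat as the real platform (assumption for this example;
# a production list would also carry the regional booking.com variants).
TRUSTED_HOSTS = ("booking.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def script_of(ch):
    """Unicode script family of a letter, taken from its character name
    ('LATIN SMALL LETTER A' -> 'LATIN'); None for digits and punctuation."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def analyse_host(host):
    """Decode a hostname and list homograph indicators.
    Returns (decoded_host, findings); an empty findings list means nothing odd."""
    findings = []
    host = host.lower().rstrip(".")
    # An xn-- label is Punycode: the registered name contains non-ASCII characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            findings.append("undecodable-idna")
            return host, findings
    # Letters from two scripts in one hostname (e.g. Cyrillic among Latin letters)
    # is the classic IDN homograph pattern.
    scripts = {s for s in (script_of(c) for c in host) if s}
    if len(scripts) > 1:
        findings.append("mixed-script:" + "+".join(sorted(scripts)))
    elif scripts and "LATIN" not in scripts:
        findings.append("non-latin:" + next(iter(scripts)))
    # Compatibility characters (fullwidth letters, ligatures) change under NFKC.
    if unicodedata.normalize("NFKC", host) != host:
        findings.append("compatibility-chars")
    return host, findings


def is_trusted_host(host):
    """True only for the trusted domain itself or a subdomain of it;
    'booking.com.example' does not qualify."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def assess_url(url):
    """Classify one URL: 'suspicious' (homograph indicators present),
    'trusted-domain', or 'untrusted-domain'. Returns (verdict, decoded_host, findings)."""
    parsed = urlparse(url)
    decoded, findings = analyse_host(parsed.hostname or "")
    if findings:
        return "suspicious", decoded, findings
    if is_trusted_host(decoded):
        return "trusted-domain", decoded, findings
    return "untrusted-domain", decoded, findings


def scan_message(text):
    """Assess every URL in a guest-facing message; returns a list of (url, verdict)."""
    return [(u, assess_url(u)[0]) for u in URL_RE.findall(text)]


# Constructed sample message in the style the article describes: accurate-looking
# reservation details plus a link whose hostname uses Cyrillic 'о' (U+043E)
# in place of Latin 'o'.
SAMPLE_MESSAGE = (
    "Dear guest, your reservation 1234-5678 at Example Hotel, check-in 2 May, "
    "has a complaint on file. Confirm at https://b\u043e\u043eking.com/complaint?optoken=ABC "
    "or manage it at https://www.booking.com/myreservations"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(verdict, url)
```

Run stand-alone, the script prints `suspicious` for the Cyrillic lookalike and `trusted-domain` for the real site. The trusted-domain check deliberately requires a dot boundary, so `booking.com.example` and `notbooking.com` are reported as untrusted rather than matched by a substring; the "go directly to the official platform" rule later in this article is exactly that boundary check performed by a human.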

AI Has Made Phishing More Dangerous

The threat landscape in 2026 is in a fundamentally different place than it was in 2021. According to analysis by Travel & Tour World, scammers are now using generative AI tools to write flawless professional emails in dozens of languages, without a single grammatical mistake.

The typos and awkward phrasing that previously helped identify phishing emails no longer exist. Furthermore, AI is also being used to automatically scrape and sort leaked data, giving attackers the ability to launch thousands of targeted attacks simultaneously as soon as a breach is confirmed.

This technological shift makes this breach even more concerning. If someone has your name, hotel and booking date, AI can produce a highly personalized, professionally written message with accurate information and then steer you into clicking a link or handing over payment details. This can be very difficult for the average traveler to identify.

Booking.com Statement and What We Still Don't Know

The company said the breach was contained and that all affected users were being notified individually. Reservation PINs were reset, and 24/7 customer support in multiple languages is available. The company also repeatedly reminded customers that it never asks for credit card details or unusual transfers via email, phone, WhatsApp or SMS.

But what remains officially unanswered is how many customers were affected, what the exact breach vector was, how long the data was accessible, and whether the incident is connected to the organized hotel phishing campaigns that have been ongoing over the past year.

Clarity is also missing on whether the company's response met the 72-hour breach notification requirement under GDPR and the disclosures mandated by Australia's Privacy Act. CISO Platform's breach intelligence report rated this incident as Critical severity.

What You Should Do Now

If you have a Booking.com account or have recently made a reservation, do these things immediately. Before acting on any unexpected message or email about your account, go directly to the Booking.com app or website. Do not trust any call, WhatsApp message or email asking for payment or personal details without first verifying that it is legitimate.

Check your current and upcoming reservations and see whether any guest names, emails or phone numbers have changed. If you have a saved payment method on Booking.com, review it and delete it if appropriate. The general advice from cybersecurity experts is that travel-related phishing attempts are very convincing because the attacker has real information, so the standard warning signs do not work. Just follow one rule: before taking any financial action, go directly to the official platform, never through a link.

Final Thoughts

This is Booking.com's second major breach (the first was in 2021), and the root cause of both appears to be a supply chain vulnerability. Unless a global platform forces its millions of partner hotels to adhere to security standards, this weakest link will always be available to attackers.

The leak of a large company's data through a compromised account at a small partner hotel is a structural problem in the hospitality sector, and one that won't be solved by an emergency patch or a PIN reset alone.

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
