TL;DR: Booking.com confirmed on April 13, 2026 that hackers accessed customer reservation data including names, email addresses, phone numbers, booking details, and private messages between guests and hotels. The company says financial data wasn't taken, but that's cold comfort: scammers are already using stolen booking details to hit travelers with WhatsApp and email phishing scams containing their exact hotel names, dates, and confirmation numbers. Booking.com won't say how many people are affected. The company was already fined €475,000 for a similar breach in 2018 that it reported 22 days late. Security researchers say the attack likely came through compromised hotel partner accounts, a supply chain vulnerability Booking.com has known about for years.
What Booking.com Confirmed
On Sunday evening, April 13, Booking.com started emailing customers about "suspicious activity" linked to their bookings. Communications Manager Sage Hunter confirmed: "We recently became aware of suspicious activity involving unauthorized third-party access to some of our customers' booking information" [1].
Here's what hackers accessed:
- Full names tied to reservations
- Email addresses and phone numbers
- Booking details: hotel names, dates, confirmation numbers
- Private messages between guests and accommodation providers
That last one matters more than it sounds. Those guest-hotel messages often contain passport numbers, medical conditions, dietary restrictions, and arrival details that travelers share when coordinating their stay [2].
Booking.com says no payment card data or account passwords were compromised. They reset PIN numbers on all affected reservations. They claimed the situation was "under control" [3].
They didn't issue a press release. They didn't say how many customers were affected. They didn't say when the breach actually happened.
The Scams Started Before the Notification
Here's the detail that should worry you: some travelers reported receiving phishing messages containing their exact booking details two weeks before Booking.com's official notification went out [4].
One traveler heading to Bali lost $100 to a scammer impersonating Booking.com support via WhatsApp. The message contained their real hotel name, real dates, and real confirmation number [5]. It looked legitimate because the data was legitimate. It had been stolen.
The scam playbook is straightforward: attackers use stolen reservation data to send messages that appear to come from Booking.com or the hotel directly. Common tactics include [4] [6]:
- Fake payment verification: "Your credit card needs to be re-verified before check-in"
- Double-billing requests: "There was a processing error, please pay again through this link"
- "Technical problem" alerts: "Your booking will be cancelled unless you provide bank details within 24 hours"
NordVPN cybersecurity expert Adrianus Warmenhoven explained why this breach is especially dangerous: "When attackers can craft highly convincing, personalized scams that are much harder to detect... They know exactly when you're due to travel, which makes their messages feel urgent and legitimate" [6].
A Supply Chain Problem Booking.com Has Known About for Years
Booking.com won't say exactly how the breach happened. But security researchers have documented the exact attack pattern for months, and it always starts with hotel staff.
Security firms Bridewell and Sekoia have mapped the three-stage attack chain [7] [8]:
Stage 1: Compromise the hotel. Attackers send phishing emails that impersonate Booking.com to hotel staff. The emails lead to fake CAPTCHA pages that trick employees into running malicious PowerShell commands. Those commands install PureRAT, a remote access trojan sold on Russian-language forums as malware-as-a-service [8].
Stage 2: Harvest the data. With PureRAT installed, attackers steal the hotel's Booking.com admin portal credentials. They now have access to every reservation, every guest message, every contact detail flowing through that hotel's Booking.com account.
Stage 3: Target the travelers. Using real booking data from legitimate hotel accounts, attackers send phishing messages through official channels. The messages pass every gut check because they contain real information.
Joshua Penny, Senior Threat Intelligence Analyst at Bridewell, put it bluntly: "The primary motivation driving this incident is financial fraud, targeting two victims: hotel businesses and hotel customers, in sequential order" [7].
Sekoia documented this exact playbook in November 2025 as the "I Paid Twice" campaign [8]. Booking.com credentials are actively traded on Russian-language underground forums, with prices ranging from $5 to $5,000 depending on the hotel's size and booking volume [8].
This is not a new vulnerability. Every hotel listed on Booking.com is a potential entry point. The platform has known about supply chain compromise as an attack vector since at least 2023, when Vidar infostealer campaigns first targeted hotel admin portals [4].
Booking.com's Track Record
This isn't the first time. It's not even close.
- 2018: Phone phishing stole credentials from UAE hotel staff, exposing over 4,000 customers. Booking.com reported the breach 22 days late. GDPR requires notification within 72 hours [9].
- 2021: Dutch Data Protection Authority fined Booking.com €475,000 for that late report [10].
- 2023-2024: UK's Action Fraud received 532 reports of Booking.com scams involving compromised hotel accounts, totaling roughly £370,000 in losses [11].
- March 2025: Microsoft documented a phishing campaign delivering credential-stealing malware to hotel staff through fake Booking.com communications [4].
- November 2025: Sekoia documented the "I Paid Twice" campaign using ClickFix and PureRAT against hotel partners [8].
- Earlier in 2026: Hackers exploited Booking.com's chat function to hit hotel guests directly with fraudulent messages [12].
The pattern is clear: attackers compromise hotels, steal booking data, and phish travelers. Booking.com patches individual incidents but hasn't fixed the structural problem: every one of its hotel partners is a potential attack vector.
GDPR Questions Booking.com Needs to Answer
Booking.com is headquartered in Amsterdam, which means the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the lead regulator. The same authority that fined them €475,000 for reporting too late last time [10].
GDPR requires breach notification to supervisory authorities within 72 hours. The questions worth asking:
- When did the breach actually occur? Travelers reported receiving scam messages with real booking data two weeks before Booking.com's notification went out [4].
- How many customers were affected? Booking.com has over 100 million active app users. They refuse to give a number [1].
- Did Booking.com notify the Dutch DPA within 72 hours of discovery? Given their 2018 track record, this is not a hypothetical concern.
- What specific measures were taken to secure hotel partner accounts, the documented attack vector?
As of April 15, no formal investigation has been announced. But when a company with a prior GDPR fine for late reporting declines to disclose breach scope or timeline for its latest incident, regulators tend to notice.
If You Use Booking.com, Do This Now
Treat Every Message as Suspicious
Any email, WhatsApp, SMS, or in-app message asking for payment details or credit card re-verification is almost certainly a scam, even if it contains your exact hotel name and dates. Booking.com says they will "never ask you to share credit card details by email, over the phone, through text or WhatsApp" [3].
Verify Through the App Only
Don't click links in emails or messages about your bookings. Open the Booking.com app directly, log in, and check your reservation status there. If there's a real issue, it'll show up in the app.
Change Your Password
Booking.com says passwords weren't compromised, but if you reuse your Booking.com password elsewhere (and you shouldn't), change it now. Enable two-factor authentication on your account.
Watch for Targeted Phishing
Scammers now know your name, email, phone number, and where you're traveling. Expect phishing attempts that reference your specific trips for weeks or months. Be especially cautious of messages that create urgency around upcoming travel dates.
References
- TechCrunch - Booking.com confirms hackers accessed customers' data (April 13, 2026)
- GBlock - Booking.com hackers got your name, address, and hotel messages (April 2026)
- DutchNews.nl - Booking.com warns customers after reservation data breach (April 2026)
- SOS Ransomware - Booking.com confirms an intrusion: reservation data exposed and risk of targeted phishing (April 2026)
- CyberNewsCentre - Booking.com breach exposes supply chain vulnerabilities (April 14, 2026)
- Travel Weekly - Warning issued after Booking.com data breach (April 2026)
- CX Today - Booking.com data breach shows why CX leaders must rethink trust (April 2026)
- Sekoia - "I Paid Twice" phishing campaign targeting Booking.com hotels and customers (November 2025)
- RTE - Booking.com contacts customers on possible data breach (April 13, 2026)
- European Data Protection Board - Dutch SA fines Booking.com for delay in reporting data breach (2021)
- Insurance Business Magazine - Booking.com breach raises red flags for insurers (April 2026)
- IT Daily - Basic-Fit and Booking.com hit by data breaches (April 2026)
Published: April 15, 2026