According to reports, the attackers gained access to names, email addresses, phone numbers, as well as information related to past and current bookings. The company states that no financial data was accessed from its own systems, but acknowledges that the type of data exposed is sufficient to fuel a new, more dangerous wave of fraud.
In messages sent to customers, cited by the BBC, Booking.com said: “We recently identified suspicious activity affecting a number of bookings and immediately took action to contain the incident.”
The company has already updated booking PINs and is sending warning emails to potentially affected customers, highlighting an increased risk of scams. However, it has not disclosed how many users were affected or in which regions.
This type of fraud is already known as “reservation hijacks.” In practice, scammers pose as hotels or partner accommodations and contact customers, requesting money or payment details under the pretext of an issue with their booking.
Experts warn that this new breach makes such scams even more effective, as criminals no longer rely on generic messages—they can now reference real booking details, correct travel dates, actual accommodation information, and accurate contact data.
Booking.com urges customers to remain particularly cautious about phishing attempts and emphasizes that it will never ask guests to share credit card details via email, phone, WhatsApp, or SMS, nor request bank transfers outside the payment terms stated in the booking confirmation.
The platform has long been a frequent target for cyber fraud due to its size and global reach. The BBC notes that since 2023 there have been repeated cases where hackers accessed hotel accounts within the system and used them to send fake messages to customers.
The key difference now is that, after this breach, attackers may not even need to hack hotel accounts—they can directly approach travelers using real data, significantly increasing the chances of success.