Booking.com has confirmed a major cyber incident detected on April 13, 2026, in which unauthorized third parties accessed sensitive reservation data belonging to millions of customers. The travel giant has linked the activity to the criminal cluster tracked as Storm-1865, which siphoned data from more than 170 hospitality facilities worldwide. While financial information was reportedly untouched, the stolen contextual data is already fueling a global wave of "reservation hijacking" scams.

What Happened

Booking.com detected suspicious activity on April 13, 2026, traced to a campaign targeting hotel partners rather than the central platform itself. Investigators attribute the activity to Storm-1865, a financially motivated criminal group that has spent months compromising hospitality providers connected to Booking.com's partner ecosystem.

The company has since acknowledged the incident in customer notifications, forcibly reset reservation PINs, and issued an urgent phishing warning to its roughly 100 million active app users. The full scale remains undisclosed, with no confirmed victim count released so far.

What Was Taken

The exposed dataset is consistent across affected reservations and includes:

Booking.com states that payment card data and other financial information were not accessed. However, the combination of identity, contact, and travel context is exactly the recipe needed for high-conversion social engineering.

Why It Matters

This is not a credential dump or a financial heist; it is a contextual data breach. Travel itineraries, hotel names, check-in dates, and personal contact channels give attackers everything they need to impersonate legitimate parties with surgical precision.

Victims are receiving messages via email, WhatsApp, and in-app chat that reference real bookings, real hotels, and real dates, making fraudulent payment requests indistinguishable from genuine ones. In a time-sensitive industry like travel, the pressure of an imminent stay sharply raises the success rate of these scams.

For defenders, the incident is a reminder that supply chain compromise of partner ecosystems can be just as damaging as a breach of the central platform.

The Attack Technique

According to investigators, Storm-1865 ran a large-scale campaign against Booking.com's hotel partners rather than directly attacking the platform's core systems. The group reportedly used automated Python scripts to scrape and exfiltrate reservation data from compromised partner accounts and extranet portals across more than 170 hospitality facilities.

Once obtained, the records are funneled into reservation hijacking workflows: scammers contact guests posing as hotels or Booking.com support, request payment "verification," and route funds through attacker-controlled channels. The technique mirrors prior Storm-1865 operations against the hospitality sector, where partner extranet credentials are typically harvested via phishing before automated tooling takes over.

What Organizations Should Do

  1. Audit partner extranet access. Hospitality operators using Booking.com's partner portal should rotate credentials, enforce MFA, and review session logs for unfamiliar IPs or scripted access patterns.
  2. Hunt for Storm-1865 indicators. Look for automated Python user agents, anomalous bulk reservation queries, and exfiltration spikes from partner accounts over the past 90 days.
  3. Reset reservation PINs and notify guests. Any property suspected of compromise should reissue booking PINs and proactively warn guests about payment scams referencing real itineraries.
  4. Harden out-of-band communications. Train staff and customers that legitimate payment requests will never come via WhatsApp or unsolicited messaging tied to existing reservations.
  5. Deploy phishing-resistant MFA on partner portals. Move away from SMS or app-push MFA toward FIDO2 keys for any account with access to guest PII.
  6. Monitor brand abuse channels. Track lookalike domains, spoofed sender addresses, and fake support numbers using Booking.com branding to enable rapid takedown.
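
One way to run the hunt from item 2 over partner-portal access logs, as an added example that is not part of the original article or any Booking.com tooling. The log format, account names, user-agent patterns and thresholds are assumptions constructed for illustration and need tuning against real portal logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical extranet access-log format:
# timestamp account source_ip "METHOD path" status response_bytes "user-agent"
SAMPLE_LOG = """\
2026-04-10T02:14:01Z hotel-0417 203.0.113.7 "GET /reservations/1001" 200 18234 "python-requests/2.31.0"
2026-04-10T02:14:02Z hotel-0417 203.0.113.7 "GET /reservations/1002" 200 18234 "python-requests/2.31.0"
2026-04-10T02:14:03Z hotel-0417 203.0.113.7 "GET /reservations/1003" 200 18234 "python-requests/2.31.0"
2026-04-10T02:14:04Z hotel-0417 203.0.113.7 "GET /reservations/1004" 200 18234 "python-requests/2.31.0"
2026-04-10T09:00:05Z hotel-0093 198.51.100.20 "GET /reservations/2001" 200 2100 "Mozilla/5.0 (X11; Linux x86_64)"
2026-04-10T09:00:40Z hotel-0093 198.51.100.20 "GET /reservations/2002" 200 2100 "Mozilla/5.0 (X11; Linux x86_64)"
2026-04-10T09:01:10Z hotel-0093 198.51.100.20 "GET /reservations/2003" 200 2100 "Mozilla/5.0 (X11; Linux x86_64)"
2026-04-10T09:01:30Z hotel-0093 198.51.100.20 "GET /reservations/2004" 200 2100 "Mozilla/5.0 (X11; Linux x86_64)"
2026-04-10T11:30:00Z hotel-0022 192.0.2.44 "GET /reservations/77" 200 4100 "Mozilla/5.0 (Windows NT 10.0)"
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+) (?P<acct>\S+) (?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"')
SCRIPTED_UA = re.compile(r'python-requests|python-urllib|aiohttp|httpx', re.I)

def hunt(log_text, window=timedelta(minutes=5), max_queries=3, max_bytes=50_000):
    """Return {account: sorted reasons} for accounts with scripted access patterns."""
    events, findings = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        if SCRIPTED_UA.search(m["ua"]):
            findings[m["acct"]].add("scripted_user_agent")
        if m["path"].startswith("/reservations"):
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events[m["acct"]].append((ts, int(m["bytes"])))
    # Sliding window per account: a spoofed browser UA still trips rate and volume checks.
    for acct, evs in events.items():
        evs.sort()
        start = total = 0
        for end, (ts, size) in enumerate(evs):
            total += size
            while ts - evs[start][0] > window:
                total -= evs[start][1]
                start += 1
            if end - start + 1 > max_queries:
                findings[acct].add("bulk_reservation_queries")
            if total > max_bytes:
                findings[acct].add("response_volume_spike")
    return {acct: sorted(reasons) for acct, reasons in findings.items()}
```

Calling `hunt(SAMPLE_LOG)` flags `hotel-0417` on all three signals and `hotel-0093` on query rate alone, which shows why user-agent matching should not be the only check.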

Sources: Booking.com Data Breach Exposes Customer Information, Fuels Scam Concerns | IBTimes UK