Booking.com has confirmed a major cyber incident in which unauthorised third parties accessed sensitive reservation data belonging to millions of customers. The breach, detected on 13 April 2026, has been linked to the criminal group Storm-1865 and has already triggered a global wave of "reservation hijacking" scams targeting travellers.
What Happened
Booking.com disclosed that attackers accessed reservation details stored across its hospitality partner ecosystem. Rather than breaching the central platform directly, Storm-1865 is reported to have compromised more than 170 hospitality facilities worldwide, siphoning booking data that feeds into the Booking.com reservation flow. The company has forcibly reset reservation PINs and issued an urgent phishing warning to its 100 million active app users. The exact number of affected customers remains undisclosed.
What Was Taken
Exposed records reportedly include customer names, email addresses, phone numbers, physical addresses, and full booking details such as travel dates, accommodation, and itinerary information. Booking.com states that financial information, including credit card details, was not accessed. While not financial in nature, this "contextual" data is high-value for social engineering because it ties a real traveller to a real, upcoming transaction.
Why It Matters
This incident highlights the growing weaponisation of contextual data over credentials or payment information. With a legitimate itinerary in hand, attackers can impersonate hotels or Booking.com support with high fidelity, bypassing the scepticism that normally protects users from generic phishing. The travel sector's time-sensitive nature (last-minute changes, urgent payment windows, and cross-border bookings) amplifies pressure on victims and shrinks the window for detection. For defenders, the breach is a reminder that third-party partner ecosystems can be a softer, more lucrative target than a hardened central platform.
The Attack Technique
Investigators attribute the campaign to Storm-1865, a financially motivated threat cluster known for hospitality-sector targeting. The group reportedly deployed automated Python scripts to harvest reservation data from partner hotel systems at scale. Compromised booking context is then used to push victims into fraudulent payment flows via email, WhatsApp, and in-app messaging, with lures referencing real reservation numbers, dates, and properties. The pattern is consistent with earlier Storm-1865 activity targeting hotel portals with credential-phishing and malware delivery against front-desk staff.
What Organizations Should Do
- Assume any hospitality partner account can be abused to reach guests; audit partner extranet access, enforce phishing-resistant MFA, and monitor for anomalous logins from new geographies or ASNs.
- Hunt for automated data-scraping behaviour on partner portals: high-volume reservation reads, API abuse, and headless browser fingerprints associated with Storm-1865 tooling.
- Reset reservation PINs, session tokens, and partner credentials; invalidate persistent sessions on any system touching guest reservation data.
- Warn customers explicitly that Booking.com and partner hotels will never request payment through WhatsApp, SMS, or off-platform links, and route all payment changes through the official app.
- Deploy email and messaging controls tuned for reservation-themed lures, including impersonation detection on hotel brand names and booking-reference patterns.
- Coordinate with payment processors and card networks to flag anomalous "top-up" or "verification" charges tied to recent Booking.com reservations.
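One way to hunt for the high-volume reservation reads and new-ASN logins listed above, as an added example that is not Booking.com's or any vendor's tooling. The event fields, account names, ASNs (documentation range) and thresholds are constructed assumptions to be tuned against a real portal's baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _sample_events():
    """Constructed sample events: (time, partner account, source ASN, reservation id)."""
    base = datetime(2026, 4, 10, 9, 0, 0)
    events = []
    # Front-desk account opening a handful of reservations over an hour.
    for i in range(6):
        events.append((base + timedelta(minutes=10 * i), "hotel-a-frontdesk", 64500, f"R{1000 + i}"))
    # Account reading 40 distinct reservations in under 80 seconds from an unfamiliar ASN.
    for i in range(40):
        events.append((base + timedelta(seconds=2 * i), "hotel-b-manager", 64510, f"R{2000 + i}"))
    return sorted(events)

SAMPLE_EVENTS = _sample_events()
# Assumed baseline of ASNs each account normally logs in from.
KNOWN_ASNS = {"hotel-a-frontdesk": {64500}, "hotel-b-manager": {64501}}

def find_bulk_readers(events, window=timedelta(minutes=5), max_distinct=20, known_asns=None):
    """Return {account: {"peak_distinct": n, "new_asns": set}} for accounts that read
    more than max_distinct different reservations inside any sliding window."""
    known_asns = known_asns or {}
    recent = defaultdict(deque)   # account -> (time, reservation id) pairs still in the window
    peak = defaultdict(int)       # account -> largest distinct-read count seen in a window
    seen_asns = defaultdict(set)  # account -> every ASN observed for it
    for ts, account, asn, res_id in sorted(events):
        q = recent[account]
        q.append((ts, res_id))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop reads that fell out of the window
        # Count distinct reservations so one guest record reopened many times is not flagged.
        peak[account] = max(peak[account], len({r for _, r in q}))
        seen_asns[account].add(asn)
    return {
        acct: {"peak_distinct": n, "new_asns": seen_asns[acct] - known_asns.get(acct, set())}
        for acct, n in peak.items() if n > max_distinct
    }

if __name__ == "__main__":
    for acct, info in find_bulk_readers(SAMPLE_EVENTS, known_asns=KNOWN_ASNS).items():
        print(acct, info)
```

An account that is flagged for bulk reads and also shows a non-empty `new_asns` set is the stronger signal; either condition alone is common in normal hotel operations.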
Sources: Booking.com Data Breach Exposes Customer Information, Fuels Scam Concerns | IBTimes UK