Booking.com has confirmed a data breach in which unauthorized third parties accessed guest reservation information, fueling an ongoing wave of "reservation hijacking" scams that target travelers with fraudulent payment and verification requests. The Amsterdam-based platform, which connects travelers to more than 28 million accommodation listings worldwide, notified affected customers this week and reset reservation PIN numbers to contain the incident.
What Happened
Booking.com detected "suspicious activity" tied to unauthorized third-party access to guest booking records and moved to contain it by rotating reservation PIN numbers and notifying affected customers. The company disclosed the incident via email to impacted travelers and in a statement provided to multiple outlets, including The Guardian and Travel + Leisure. While Booking.com has not disclosed the total number of guests affected, the breach appears broad enough to prompt platform-wide customer warnings and is feeding a fraud campaign in which criminals impersonate hotels and request payment or verification details from travelers using stolen reservation context.
What Was Taken
According to the customer notification, compromised data may include booking details, guest names, email addresses, physical addresses, phone numbers associated with reservations, and any additional information travelers shared with the accommodation provider. Booking.com states that financial information was not accessed. The exposure of reservation metadata is particularly sensitive because it enables high-fidelity social engineering: attackers know exactly where and when a victim is traveling, which property they booked, and how to reach them.
Why It Matters
Reservation hijacking scams succeed because the attacker possesses information only a legitimate hotel or platform should have, collapsing the victim's ability to spot a fraud. Throughout 2025, Booking.com customers reported scammers requesting payment information to "verify" or "preauthorize" trips, then charging large amounts. This latest confirmed breach validates that the pipeline of stolen reservation data is still active and fueling monetized fraud. For defenders in hospitality, travel tech, and any sector reliant on third-party platforms, the incident underscores that downstream partner compromise can expose customer data without the primary brand being directly breached.
The Attack Technique
Booking.com has not publicly detailed the intrusion vector for this incident. However, the pattern is consistent with a long-running campaign against the hospitality sector in which attackers compromise hotel-side employee accounts on the Booking.com extranet, often through infostealer malware or phishing, then scrape guest reservation data. A comparable 2018 incident saw attackers phish hotel staff in the United Arab Emirates and access booking data for more than 4,000 customers, which led to a EUR 475,000 fine from the Dutch privacy regulator for late disclosure. The current wave of reservation hijacking scams has repeatedly been traced to compromised property-side credentials rather than a breach of Booking.com's core infrastructure.
What Organizations Should Do
- Hospitality operators should enforce phishing-resistant MFA on all extranet and property management system accounts, and audit third-party platform logins for anomalous geography or device fingerprints.
- Deploy endpoint protection capable of detecting infostealer malware on front-desk and reservations workstations, and monitor credential marketplaces for exposed hotel staff logins.
- Train reservations and front-desk staff to recognize phishing lures that impersonate Booking.com, Expedia, and other OTAs, with simulated phishing exercises tied to realistic extranet-themed pretexts.
- For corporate travel programs, establish an out-of-band verification channel so travelers can confirm any payment or verification request through a known-good number rather than links in email or chat.
- Implement DMARC, SPF, and DKIM enforcement on domains used for guest communications, and flag or quarantine inbound messages that spoof travel brands.
- Treat reservation metadata as sensitive PII in data classification policies, restrict bulk export of booking records, and alert on abnormal guest-data access patterns from property-side accounts.
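As an added example that is not Booking.com's or any vendor's code, the last bullet's "alert on abnormal guest-data access patterns from property-side accounts" expressed as two detection rules (unusual source country, bulk reservation views) run over constructed extranet audit lines; the log format, account names, baseline countries and thresholds are all assumptions for illustration:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines (assumed format): timestamp, property-side account, action, country.
SAMPLE_LOG = """\
2025-06-02T08:01:10Z frontdesk@hotel-a view_reservation NL
2025-06-02T08:04:22Z frontdesk@hotel-a view_reservation NL
2025-06-02T09:15:00Z manager@hotel-b view_reservation DE
2025-06-02T23:40:01Z frontdesk@hotel-a login BR
2025-06-02T23:40:05Z frontdesk@hotel-a view_reservation BR
2025-06-02T23:40:06Z frontdesk@hotel-a view_reservation BR
2025-06-02T23:40:07Z frontdesk@hotel-a view_reservation BR
2025-06-02T23:40:08Z frontdesk@hotel-a view_reservation BR
2025-06-02T23:40:09Z frontdesk@hotel-a view_reservation BR
2025-06-02T23:40:10Z frontdesk@hotel-a view_reservation BR
"""

# Assumed baseline: countries each hotel account normally signs in from.
KNOWN_COUNTRIES = {"frontdesk@hotel-a": {"NL"}, "manager@hotel-b": {"DE"}}

BULK_THRESHOLD = 5             # more reservation views than this per window looks like scraping
WINDOW = timedelta(minutes=10)


def parse_line(line):
    ts, account, action, country = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, action, country


def detect_anomalies(log_text):
    """Return (account, rule, detail) alerts, at most one per account per rule."""
    alerts = []
    views = defaultdict(deque)  # account -> timestamps of reservation views inside WINDOW
    fired = set()
    for line in log_text.strip().splitlines():
        ts, account, action, country = parse_line(line)
        # Rule 1: any activity from a country outside the account's known baseline.
        if (country not in KNOWN_COUNTRIES.get(account, set())
                and (account, "new_geography") not in fired):
            fired.add((account, "new_geography"))
            alerts.append((account, "new_geography", f"{action} from {country}"))
        # Rule 2: sliding-window count of reservation views; a burst suggests bulk export.
        if action == "view_reservation":
            q = views[account]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            if len(q) > BULK_THRESHOLD and (account, "bulk_access") not in fired:
                fired.add((account, "bulk_access"))
                alerts.append((account, "bulk_access", f"{len(q)} views in {WINDOW}"))
    return alerts
```

In a real deployment the baseline would be learned from the account's history and the bulk threshold tuned per property size, so that a busy front desk during check-in does not trip the rule.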
Sources: Travelers Warned of Vacation Risk As Major Booking Site Suffers Data Breach - Newsweek