Booking.com has confirmed that unauthorized third parties accessed the reservation details of millions of customers in a breach detected on April 13, 2026. The intrusion, attributed to a criminal group tracked as Storm-1865, targeted hotel partner accounts rather than the central platform, compromising names, emails, phone numbers, physical addresses, and booking details across more than 170 hospitality properties worldwide. Stolen data is already being weaponized in a global wave of reservation hijacking scams.
What Happened
On April 13, 2026, Booking.com detected suspicious activity affecting customer reservation data. Investigators traced the breach to a coordinated campaign against the platform's hotel partner network. Rather than attacking Booking.com's core infrastructure directly, the threat actor Storm-1865 deployed automated Python scripts to harvest reservation data from compromised partner accounts across at least 170 properties globally. Booking.com responded by forcibly resetting reservation PINs and issuing an urgent phishing warning to its 100 million active app users. The company has not disclosed the total number of affected customers.
What Was Taken
The compromised data includes the full context of customer travel reservations: names, email addresses, phone numbers, physical addresses, and detailed booking information including property names, dates, and reservation references. Booking.com states that financial data such as credit card numbers was not accessed. However, the combination of personal contact details with specific travel itineraries creates a uniquely exploitable dataset. Attackers do not need payment credentials when they possess enough contextual detail to impersonate hotels convincingly and redirect payments outside the platform.
The Attack Technique: Supply Chain Compromise via Hotel Partners
Storm-1865 executed a supply chain attack, bypassing Booking.com's central defenses entirely by compromising the weakest link in the ecosystem: individual hotel partner accounts. The group used automated Python-based tooling to scrape reservation data at scale from partner-facing portals once access was obtained. This approach is consistent with prior Storm-1865 tradecraft, which has historically focused on hospitality sector credential theft and social engineering. By targeting fragmented, independently managed hotel systems rather than a single hardened platform, the attackers maximized data yield while minimizing detection risk.
Why It Matters
This breach highlights a growing class of threats that traditional perimeter defenses do not address: contextual data exploitation. Passwords can be reset. Credit cards can be reissued. But a detailed travel itinerary with confirmed dates, property names, and personal contact information gives an attacker everything needed to construct a near-perfect phishing lure. Victims who receive a message referencing their exact hotel, check-in date, and booking reference have little reason to doubt its legitimacy.
The speed of weaponization is equally significant. Reports indicate that stolen booking details are already fueling scam messages via email, WhatsApp, and in-app messaging channels, with attackers impersonating hotel staff and requesting urgent payment verification. The time-sensitive nature of travel bookings creates an ideal pressure environment for social engineering. Defenders across the travel and hospitality sector should treat this as a pattern that will be replicated, not an isolated event.
Who Is Storm-1865
Storm-1865 is a financially motivated threat group that has repeatedly targeted the hospitality and travel industry. The group specializes in credential theft against hotel and travel platform partners, using stolen access to harvest guest data for downstream fraud operations. Their operational model relies on automation and scale rather than sophisticated exploits, making them a persistent threat to any platform with a distributed partner network. This latest campaign represents a significant escalation in both scope and impact.
What Organizations Should Do
- Audit partner and third-party access. Any organization that grants external partners access to customer data should review access controls, enforce multi-factor authentication, and implement anomaly detection on partner-facing portals.
- Monitor for contextual phishing campaigns. Security teams should alert customers and employees to phishing attempts that reference specific booking or transaction details, not just generic credential harvesting lures.
- Implement rate limiting and behavioral analytics on data access. The use of automated scripts to bulk-harvest records should trigger detection. If a partner account is querying reservation data at machine speed, that is an indicator of compromise.
- Warn customers directly and specifically. Generic breach notifications are insufficient when attackers are already using stolen data. Affected users need to know exactly what social engineering tactics to expect and through which channels.
- Restrict reservation data visibility. Apply least-privilege principles to partner data access. Hotel partners rarely need bulk access to guest contact information. Segment what partners can see based on operational necessity.
- Treat travel data as high-sensitivity PII. Organizations handling itinerary and booking data should classify it with the same rigor as financial information, given its proven value in targeted fraud operations.
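The detection recommended above, a partner account reading reservation records at machine speed, can be implemented as a sliding-window check over portal access logs. The following is an added example, not Booking.com's or any vendor's code; it assumes a hypothetical partner-portal log format with one line per request (timestamp, partner account, action, reservation reference) and uses constructed sample lines in which hotel_A behaves like a front-desk agent and hotel_B like a harvesting script.

```python
"""Flag partner accounts that read reservation records at machine speed.

Added example (not Booking.com's or any vendor's code). Assumes a hypothetical
partner-portal access log with one space-separated line per request:
<ISO-8601 timestamp> <partner_account> <action> <reservation_ref>
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # length of the sliding window per account
MAX_DISTINCT = 10     # distinct reservations a human agent plausibly opens per minute

# Constructed sample log: hotel_A opens one booking every 5 minutes,
# hotel_B opens a new booking every 2 seconds for 46 seconds.
SAMPLE_LOG = "\n".join(
    [f"2026-04-13T09:{m:02d}:00Z hotel_A view_reservation RES-{1000 + m}" for m in range(0, 30, 5)]
    + [f"2026-04-13T09:10:{s:02d}Z hotel_B view_reservation RES-{2000 + s}" for s in range(0, 48, 2)]
)


def parse_line(line):
    """Split one log line into (timestamp, account, action, reservation_ref)."""
    ts, account, action, ref = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), account, action, ref


def detect_bulk_readers(log_text, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT):
    """Return {account: peak distinct reservations read within any window} for accounts
    exceeding max_distinct; other accounts are omitted."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # account -> (timestamp, ref) pairs inside the window
    peak = defaultdict(int)
    for ts, account, action, ref in events:
        if action != "view_reservation":
            continue
        q = recent[account]
        q.append((ts, ref))
        while (ts - q[0][0]).total_seconds() > window:   # drop expired entries
            q.popleft()
        distinct = len({r for _, r in q})                 # unique bookings in the window
        peak[account] = max(peak[account], distinct)
    return {a: n for a, n in peak.items() if n > max_distinct}


if __name__ == "__main__":
    for account, n in detect_bulk_readers(SAMPLE_LOG).items():
        print(f"ALERT {account}: {n} distinct reservations read within {WINDOW_SECONDS}s")
```

In production the threshold should be tuned per property size, and the alert should feed the partner-account lockout and PIN-reset workflow rather than only a log line.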
Sources: Booking.com Data Breach Exposes Customer Information, Fuels Scam Concerns | IBTimes UK