Travel giant Booking.com has confirmed a data breach that is fueling a surge of "reservation hijack" scams against its customers, according to reporting by the BBC on 15 April 2026. Criminals accessed customer names, email addresses, phone numbers, and booking details, and are now impersonating hotels to trick travelers into wiring money. The Dutch company, which has processed nearly seven billion check-ins since 2010, is refusing to disclose how many customers or which regions were affected.
What Happened
Booking.com detected "suspicious activity" affecting a number of reservations and moved to contain the issue, according to notification emails seen by the BBC. The company has updated PINs on affected reservations and is emailing impacted customers to warn of heightened phishing risk. Some customers have already told the BBC they have started receiving suspicious messages referencing their real trips. Booking.com has declined to publish a victim count or geographic breakdown, leaving the scope of exposure unclear.
What Was Taken
The attackers obtained a high-utility set of customer records: full names, email addresses, phone numbers, and details of past and present bookings, including properties and travel dates. Booking.com states that payment card and other financial data stored in its own systems was not accessed. While the stolen records are not themselves financial, security researchers warn the combination of personal contact details plus accurate, verifiable trip context is precisely the data fraudsters need to run convincing impersonation scams at scale.
Why It Matters
Reservation hijack scams have existed for years, but historically they relied on compromising individual hotel accounts to harvest guest lists one property at a time. A platform-level data breach short-circuits that workflow and hands attackers pre-validated targeting information across the entire customer base. "This new data makes them much more dangerous because it gives criminals precision," Norton security evangelist Luis Corrons told the BBC, noting that scammers can now cite the real property, real travel dates, and correct contact details. For a platform that has previously been criticized by customers who said they were "failed" after losing money to similar scams, the reputational stakes are significant.
The Attack Technique
Booking.com has not disclosed the initial access vector, dwell time, or whether the data was exfiltrated from its own infrastructure or via a connected partner. Previous waves of reservation hijack fraud abused credential compromise at individual hotel partners, allowing criminals to log into legitimate Booking.com extranet accounts and send phishing messages through trusted in-platform channels. It is not yet confirmed whether this incident stems from a central systems intrusion, a third-party supplier compromise, or aggregated partner account takeovers. The follow-on fraud flow is consistent across reports: victims receive emails, SMS, or WhatsApp messages impersonating their hotel, citing a payment or verification problem with their real booking, and are pressured into bank transfers or entering card details on lookalike sites.
Indicators and Red Flags
Customers and fraud teams should treat the following as high-risk signals:
- unsolicited messages claiming a payment issue with an existing reservation
- requests to "reconfirm" card details by email, phone, SMS, or WhatsApp
- links to payment pages outside the Booking.com domain
- instructions to send a bank transfer that differs from the payment policy shown in the original confirmation
Urgency cues ("booking will be cancelled in 24 hours") and references to the correct hotel, dates, and reservation number should not be treated as proof of legitimacy given the breached dataset.
What Organizations Should Do
- Alert employees and frequent travelers that booking-related messages referencing accurate trip details should no longer be treated as inherently trustworthy, and route payment changes through the Booking.com app or verified hotel phone numbers only.
- Corporate travel and finance teams should enforce an out-of-band verification step before approving any change to hotel payment instructions, and brief travel desks on the reservation hijack pattern.
- Hospitality partners should audit their Booking.com extranet accounts for unauthorized logins, enable multi-factor authentication, rotate credentials, and review recent outbound guest messages for phishing content.
- Security teams should add typosquat and lookalike domains mimicking Booking.com and partner hotels to blocklists, and monitor email gateways for inbound messages referencing booking PINs or reservation numbers.
- Impacted customers should reset their Booking.com password, enable two-step verification, and be skeptical of any communication that asks for card data or alternative payment rails, regardless of how accurate the trip details appear.
- Incident response and fraud teams should preserve any scam messages received by staff as samples to tune detection rules, and coordinate with card issuers on emerging chargeback patterns tied to travel fraud.
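As an added illustration (not code from the BBC report or from Booking.com), the following Python triages an inbound message against the red flags listed above, the kind of rule a fraud team would tune with preserved scam samples. The trusted-domain list, the phrase patterns and both sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: only booking.com and its real subdomains count as trusted link targets.
TRUSTED_DOMAINS = {"booking.com"}

# Phrase patterns for the red flags described above (constructed; tune on real samples).
RED_FLAGS = {
    "payment_issue": re.compile(r"\b(payment|verification) (issue|problem|failed)\b", re.I),
    "reconfirm_card": re.compile(r"\b(re-?confirm|re-?enter|verify)\b.{0,40}\b(card|credit|debit)\b", re.I),
    "bank_transfer": re.compile(r"\b(bank transfer|wire|iban)\b", re.I),
    "urgency": re.compile(r"\b(within|in)\s+\d+\s+hours?\b|\bwill be cancell?ed\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def is_trusted(host: str) -> bool:
    """True only for a trusted domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def untrusted_hosts(text: str) -> list[str]:
    """Hostnames of every link pointing outside the trusted domains.
    'booking.com.<anything>.example' is a lookalike: the trusted name is a
    prefix rather than a suffix, so the suffix check rejects it."""
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    return [h for h in hosts if h and not is_trusted(h)]


def score_message(text: str) -> dict:
    """Count red flags. Correct hotel names, dates and reservation numbers are
    deliberately NOT scored as legitimacy signals: the breached data lets a
    scammer quote all of them accurately."""
    flags = [name for name, pat in RED_FLAGS.items() if pat.search(text)]
    hosts = untrusted_hosts(text)
    if hosts:
        flags.append("external_link")
    return {"flags": flags, "hosts": hosts, "score": len(flags)}


# Constructed sample messages; hotel, dates and reservation number are placeholders.
SAMPLES = {
    "scam": ("Dear guest, there is a payment issue with reservation 1234567890 at "
             "Hotel Example (12-14 May). Please reconfirm your card within 24 hours "
             "or the booking will be cancelled: https://booking.com.secure-verify.example/pay"),
    "legit": ("Hi, reservation 1234567890 at Hotel Example (12-14 May) is confirmed. "
              "Manage it at https://secure.booking.com/mybooking"),
}
```

Calling `score_message` on the constructed scam sample yields four flags (payment issue, card reconfirmation, urgency, external link) while the legitimate sample, which quotes the same trip details, scores zero.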
Sources: Booking.com customers warned of 'reservation hijack' scams after data breach - BBC News