Travel platform Booking.com has confirmed a data breach exposing customer reservation details, fueling a wave of "reservation hijacking" scams targeting travelers worldwide. The Dutch company, which has processed nearly seven billion check-ins since 2010, is notifying affected customers and rotating reservation PINs but has declined to disclose the scale or geographic scope of the incident.
What Happened
Booking.com detected suspicious activity tied to a number of customer reservations and moved to contain the issue, according to notification emails sent to affected customers and reviewed by the BBC. Criminals successfully accessed customer-facing reservation data, which is now being weaponized in highly targeted social engineering campaigns. Multiple customers have already reported receiving suspicious messages referencing accurate booking details. The company has refused to specify how many customers were impacted or in which regions, leaving the true blast radius unclear.
What Was Taken
The exposed data set includes customer names, email addresses, phone numbers, and details of past and present bookings, including property names and travel dates. Booking.com states that financial information was not accessed from its systems. While payment data remained protected, security researchers warn that the combination of contact details and verified booking metadata is uniquely valuable for fraud, allowing scammers to impersonate hotels with a level of precision that bypasses normal user skepticism.
Why It Matters
Reservation hijack scams are not new, but this breach dramatically lowers the barrier to successful fraud at scale. "This new data makes them much more dangerous because it gives criminals precision as they can reference the real property, the real travel dates, the right contact details to make the scam feel like routine customer service," said Luis Corrons, security evangelist at Norton. With Booking.com's massive global footprint, even a small percentage of affected users translates to a significant pool of high-conviction phishing targets, creating sustained downstream risk for the travel sector and consumers.
The Attack Technique
Booking.com has not publicly disclosed the initial access vector for this breach. Historically, reservation hijack campaigns against the platform have relied on compromising individual hotel partners, often via infostealer malware or phishing, to abuse the hotels' legitimate Booking.com extranet accounts and message guests through trusted channels. The BBC has documented this pattern repeatedly since March 2023. Whether this incident stems from a similar partner compromise or a direct intrusion into Booking.com infrastructure remains undisclosed. Either way, the resulting fraud playbook is consistent: criminals contact victims posing as the hotel, cite a "problem" with the booking, and pressure them into a bank transfer or card payment outside the platform.
What Organizations Should Do
- Treat any payment request received outside the official Booking.com platform, including email, SMS, WhatsApp, or phone, as hostile by default and verify directly with the hotel via independently sourced contact details.
- For hospitality partners, enforce phishing-resistant MFA on all Booking.com extranet accounts and audit recent logins, message activity, and PIN changes for anomalies.
- Deploy endpoint detection capable of identifying infostealer families such as Vidar, RedLine, and Lumma, which have repeatedly been used to harvest hotel staff credentials in prior campaigns.
- Issue proactive customer communications reminding travelers that legitimate operators will never request credit card details by email or chat, and never request bank transfers that deviate from the original booking confirmation.
- Monitor for typosquatted domains impersonating Booking.com or specific properties, and submit takedowns rapidly through registrar and hosting abuse channels.
- Update internal fraud detection rules to flag inbound customer service inquiries referencing accurate booking metadata, as these may indicate downstream victims of the hijack scam.
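As an added illustration of the last two recommendations (not code from the article or from Booking.com), this Python screen flags inbound guest-facing messages that carry the hijack playbook's hallmarks: a lookalike sender domain, an off-platform payment request, and a "problem with your booking" pretext. The allow-list, the keyword patterns and the sample messages are constructed assumptions for the example.

```python
import re

LEGIT_DOMAINS = {"booking.com"}  # assumption: allow-list of genuine sender domains

# Off-platform payment requests are the core of the scam playbook described above.
PAYMENT_PATTERNS = [
    r"\bbank transfer\b", r"\biban\b", r"\bwire\b",
    r"\bcard (?:details|number)\b", r"\bcvv\b",
]
# Pretext and pressure: a "problem" with the booking, deadlines, cancellation threats.
PRETEXT_PATTERNS = [
    r"\bproblem with your (?:booking|reservation|payment)\b",
    r"\bwithin \d+ hours?\b", r"\bimmediately\b", r"\bwill be cancel+ed\b",
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain: str) -> bool:
    """True for domains that imitate an allow-listed brand domain but are not on the list."""
    domain = domain.lower().strip()
    if domain in LEGIT_DOMAINS:
        return False
    # Brand token inside an unknown domain (booking-support.net) or a near-miss spelling.
    return "booking" in domain or any(edit_distance(domain, d) <= 2 for d in LEGIT_DOMAINS)

def hijack_indicators(sender_domain: str, body: str) -> list:
    """Return the reasons a guest-facing message looks like reservation hijacking."""
    text = body.lower()
    reasons = []
    if lookalike_domain(sender_domain):
        reasons.append("lookalike sender domain")
    if any(re.search(p, text) for p in PAYMENT_PATTERNS):
        reasons.append("off-platform payment request")
    if any(re.search(p, text) for p in PRETEXT_PATTERNS):
        reasons.append("problem/urgency pretext")
    return reasons

def is_suspicious(sender_domain: str, body: str) -> bool:
    # A payment request is enough on its own: a compromised partner account sends
    # through the genuine channel, so domain trust alone must not clear a message.
    reasons = hijack_indicators(sender_domain, body)
    return "off-platform payment request" in reasons or len(reasons) >= 2
```

Because compromised hotel extranet accounts message guests through the real platform, the screen deliberately flags payment requests even when the sender domain is legitimate.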
Sources: Booking.com customers warned of 'reservation hijack' scams after data breach