A major data breach at Booking.com has triggered a new wave of sophisticated scams targeting travelers worldwide, with cybercriminals now armed with precise customer information to execute convincing frauds.
Hackers have stolen sensitive customer data from the travel platform, including names, email addresses, phone numbers, and detailed booking information. This stolen data is enabling criminals to carry out what security experts are calling "reservation hijacking"—a scam where fraudsters pose as hotels or Booking.com representatives to trick travelers into sending money for bogus reservation issues.
"Reservation hijack scams have been around for some time, but this new data makes them much more dangerous because it gives criminals precision," said Luis Corrons, security evangelist at Norton. "They can reference the real property, the real travel dates, and the right contact details to make the scam feel like routine customer service."
Booking.com has confirmed the breach and says it has taken immediate action, including updating reservation PINs and warning affected customers via email. However, the company has declined to disclose how many customers have been impacted or which regions are most affected.
The platform emphasized that financial information was not accessed in this breach, but security experts warn that the stolen personal data alone provides scammers with everything they need to execute convincing phishing attacks.
A Shift in Attack Strategy
This incident represents a significant escalation in how criminals target Booking.com customers. Previously, scammers typically hacked individual hotel accounts to access booking information. Now, with direct access to customer data from the platform itself, fraudsters can bypass hotels entirely and contact travelers directly with highly personalized, convincing messages.
Darren Guccione, CEO of Keeper Security, noted the concerning speed of this transition: "When a breach at a platform the scale of Booking.com moves from data exfiltration to active phishing campaigns within days, it signals something more deliberate than opportunistic."
Booking.com's Response and Customer Guidance
The travel giant has issued specific guidance to customers, stating that legitimate Booking.com communications will never request credit card details via email, phone, WhatsApp, or text messages. The company also warns customers to be suspicious of any requests for bank transfers that differ from the payment details in their original booking confirmation.
Despite these warnings, the breach highlights ongoing security challenges for the hospitality industry. Booking.com has acknowledged implementing new safety features but cautioned that there is "no silver bullet" for completely eliminating such threats.
Customers who have received suspicious messages are urged to verify any communication directly through the official Booking.com platform and report potential scams immediately.