Booking.com confirmed Monday that hackers accessed customer reservation data in a breach. The travel platform notified affected users via email from noreply@booking.com over the weekend, confirming that unauthorised third parties had gained access to names, email addresses, phone numbers and reservation details. No payment information was compromised, but customers are already reporting targeted phishing attempts using their stolen booking data.
The breach follows a pattern that should concern anyone who books travel online. Attackers now have enough personal detail to craft highly targeted phishing messages, and early evidence suggests they are already doing exactly that.
Scammers Are Already Using the Stolen Data
Multiple Booking.com customers are reporting suspicious WhatsApp messages and phone calls that include accurate booking details. According to Help Net Security, some users have complained about scam attempts via WhatsApp that leveraged personal details, booking references, dates and the name of the hotel. ABC News Australia reported that Steve Atkin from Port Macquarie, New South Wales, lost $100 after a fraudster impersonating a Booking.com customer service agent called him following a Bali accommodation booking.
This rapid exploitation is no coincidence. Travel platforms have become a favourite target for criminals because reservation data makes phishing attempts far more convincing. When a scammer calls with your hotel name, booking reference and travel dates, most people assume the call is legitimate.
The Company Is Not Saying How Attackers Got In
Booking.com has provided minimal technical detail about the compromise. In a statement to BleepingComputer, the company’s communications lead Sage Hunter said they “recently noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information”, but gave no indication of the attack vector or timeline.
That vagueness matters because Booking.com has a history of partner network compromises rather than direct attacks on its own systems. The Register notes that in 2021, Dutch regulators fined the company €475,000 after a breach exposed the personal data of more than 4,000 customers following a compromise of hotel staff logins. The lack of detail makes it impossible to determine whether this latest incident follows the same pattern.
PIN Resets Are Not Enough Protection
Booking.com has reset PIN codes for affected reservations and claims to have “taken action to contain the issue”. This is the digital equivalent of changing locks after a burglary. It might prevent repeat access, but the stolen data is already in criminal hands and being actively used for phishing.
The company’s response also raises questions about detection capability. If Booking.com only “recently noticed” the suspicious activity, as its statement claims, how long were attackers inside its systems before being discovered?
What Customers Should Do Now
If you have active bookings through Booking.com, treat any unexpected contact about those reservations as suspect. Go directly to the official website or app rather than clicking links in messages. Verify any changes to your booking by calling the hotel directly using contact details you find independently, not numbers provided in suspicious messages.
Enable two-factor authentication on your Booking.com account immediately. Check your current reservations for any unauthorised changes to guest details or contact information, which could signal that someone has gained access to your account.
Most importantly, never provide payment information or personal details in response to unsolicited contact, regardless of how much accurate booking information the caller claims to have. The fact they know your reservation details proves nothing about their legitimacy.
References
- New Booking.com data breach forces reservation PIN resets
- Booking.com data breach — Customer reservation data exposed
- Booking.com warns of possible reservation data exposure
- Booking.com breach sparks scam wave targeting travelers’ bookings
- Booking.com confirms hackers accessed customers’ data
- Booking.com warns customers of possible data and security breach by ‘unauthorised parties’