Booking.com has confirmed a data breach in which unauthorized third parties accessed guest reservation information, forcing the company to reset booking PIN codes for all affected reservations and notify impacted customers directly via email. The company detected suspicious activity over the weekend of April 12 and 13, 2026, contained the issue, and began notifying affected users. The total number of customers affected has not been disclosed.
What Was Exposed
According to Booking.com’s breach notification and statements to multiple outlets, the compromised data includes guest names, email addresses, phone numbers, and any communications shared with accommodation providers through the platform. The company confirmed to The Guardian that financial information was not accessed. Physical addresses were not taken, according to a correction issued by TechCrunch following initial reporting. Passwords were not referenced in the company’s disclosure.
“At Booking.com, we are dedicated to the security and data protection of our guests,” communications lead Sage Hunter said in a statement. “We recently noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information. Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.”
Phishing Risk Is the Primary Threat
While no financial data was taken, the nature of the exposed information creates a meaningful phishing risk. Booking details including names, email addresses, phone numbers, and accommodation communications provide attackers with enough context to craft highly convincing follow-on phishing messages — ones that reference real trip details, specific hotels, and accurate dates. Several Reddit users reported receiving suspicious messages over the weekend that appeared to contain accurate private reservation data, suggesting some exploitation of the stolen information may have already begun before Booking.com’s public disclosure.
Booking.com has a documented history of its platform being exploited for this exact type of scam. In previous incidents, threat actors compromised hotel staff accounts and used the platform’s built-in messaging system to deliver payment scam messages directly to guests through what appeared to be legitimate Booking.com communications. The platform’s position as a trusted intermediary between guests and properties makes it a particularly effective vehicle for social engineering once real reservation data is in an attacker’s hands.
Attack Vector and Attribution
Booking.com has not disclosed how the attacker gained access to its reservation system. No attack vector or method has been confirmed. Security researchers at Hackmanac noted that a group calling itself Vect claimed breaches at both Booking.com and Airbnb, but those claims have not been independently verified, and Airbnb had not issued any public statement at the time of publication. Booking.com said its investigation is ongoing with the assistance of external specialists.
A Pattern of Targeting
This is not Booking.com’s first significant security incident. In 2021, Dutch data protection regulators fined the company €475,000 after a breach exposed personal data belonging to more than 4,000 customers, including credit card details in some cases. That incident involved attackers compromising hotel staff logins to gain access through the supply chain rather than breaching Booking.com directly. Whether the current incident follows a similar pattern has not been confirmed. The company’s scale — 6.8 billion guest arrivals booked since 2010 — makes it a persistent high-value target for attackers seeking reservation data for downstream fraud and social engineering campaigns.
Affected users are advised to treat any incoming communications referencing their reservation with caution, verify the legitimacy of any messages through Booking.com’s official website directly, and report suspicious activity to the platform’s customer support through known official channels.

April 13 saw a notable cluster of European consumer breaches: Basic-Fit confirmed a separate incident the same day, exposing bank details and personal data of 1 million gym members across 6 countries. For guidance on what to do after a breach notification, see our data breach response guide.












