Booking.com has contacted affected customers after spotting suspicious activity affecting a number of reservations on its platform. In an email sent to users, the company wrote, “At Booking.com, we are dedicated to the security and data protection of our guests.
“In that spirit, we’re writing to inform you that unauthorised third parties may have been able to access certain booking information associated with your past or upcoming reservation(s) listed below.”
The company explained what may have been exposed, saying, “Based on the findings of our investigation to date, accessed information could include booking details and name(s), email address(es) and phone number(s) associated with the booking and anything that you may have shared with the accommodation.”
Booking.com also addressed payment concerns in the same email. It said, “We would like to confirm that your financial information was not accessed from Booking.com’s systems.”
Customers may feel reassured by that update, but exposed booking details can still be valuable to scammers. Hotel names, travel dates and guest contact details can help fraudsters create convincing emails or phone calls.
Booking.com also told customers, “To keep your booking(s) secure, we have updated the PIN number(s) of your booking reservation(s).”
Why Are Travel Bookings Useful To Scammers?
Travel bookings hold more personal information than many people realise.
A single reservation can contain names, travel dates, accommodation details, phone numbers, email addresses and private requests shared with a hotel or host. This makes travel platforms attractive to cybercriminals.
Microsoft said it identified a phishing campaign impersonating Booking.com during a busy travel period. The company wrote, “Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organisations in the hospitality industry.”
The campaign did not end after the holiday rush. Microsoft added, “As of February 2025, this campaign is ongoing.”
Microsoft tracks the activity under one name. The company explained, “Microsoft tracks this campaign as Storm-1865, a cluster of activity related to phishing campaigns leading to payment data theft and fraudulent charges.”
The fake emails were convincing because they copied normal business requests. Microsoft said, “The content of the email varies greatly, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, account verification, and more.”
What Is Booking.com Doing About It?
Booking.com says cybercrime is a constant issue for travel platforms and accommodation partners.
On its Partner Hub, the company said, “In 2024, we blocked more than three million fraudulent accounts from creating reservations on our platform.”
This gives a sense of how often criminals attempt to misuse travel services.
Marnie Wilking, VP Chief Security Officer at Booking.com, explained how the company views these attacks. She said, “How do we reduce the success rate of those attacks? How do we reduce the impact? And how can we educate partners on what the attacks mean and how they can protect themselves?”
Booking.com also said it has tightened its security systems. In its cybersecurity guide, the company wrote, “We’ve activated new messaging security safeguards such as allowlist implementation and bespoke machine learning models to detect and delete malicious links being sent via our messaging platform.”
The company added that inactive accounts are locked and later disabled to help prevent unauthorised access through old logins.
How Can Travellers Stay Safe?
The biggest risk after a breach is often what scammers do with exposed information.
Cybercriminals can use booking details to send emails and texts or make phone calls that seem legitimate, pretending to be a booking platform or accommodation provider.
Booking.com warned customers, “If you have received suspicious emails or phone calls, these could be from malicious actors pretending to represent the accommodation or Booking.com.”
It also reminded customers what it will never ask them to do. The company wrote, “We’ll never ask you to share credit card details by email, over the phone, through text or WhatsApp.”
Booking.com also added, “We’ll never ask you to make a bank transfer that is different from the payment policy details in your booking confirmation.”
Microsoft gave safety advice and told users, “Check the sender’s email address to ensure it’s legitimate.”
It also warned users to think before clicking anything unexpected, writing, “Before clicking a link, ensure the full URL is legitimate.”
Tiago de Almeida, Director Cybersecurity at Booking.com, gave clear advice for anyone worried their account may have been accessed. He said, “If you are – or suspect you are – a victim of a digital security attack on your Booking.com account, report it immediately. When in doubt, leave the phone call, browser or application.”
Experts Share Their Protection Tips
Our Experts:
- Adrianus Warmenhoven, Cybersecurity Expert, NordVPN
- Neema Wasira-Johnson, Asili Advisory Group
- André Ribeiro, Founder, Andre On Digital
- Adam Govier, Founder, Exploitr
- Oliver Browne, Founder, True Summit Adventures
Adrianus Warmenhoven, Cybersecurity Expert, NordVPN
“This type of breach is particularly dangerous not because of financial data, but because of context. When attackers gain access to booking details, such as names, travel dates, accommodation information, they can craft highly convincing, personalised scams that are much harder to detect.”
“Imagine receiving a message that references your exact stay, dates, and property – it immediately feels legitimate. This is exactly what cybercriminals rely on. We expect to see a spike in phishing emails, fake payment requests, and ‘verification’ messages targeting affected users.”
“Travel-related data is especially sensitive because it introduces a time element. Scammers know exactly when you’re due to travel, which makes their messages feel urgent and legitimate – whether it’s a ‘problem with your booking’ or a ‘last-minute payment request.’”
“If you’ve recently booked travel, be extremely wary of any unexpected communication asking for payments, verification, or personal details – even if it appears to come from a trusted source. Always verify directly through official platforms, not links or phone numbers provided in messages.”
“Key tips for travellers:
– Avoid clicking on links in unexpected emails or messages about bookings
– Never share payment details via email, SMS, or messaging apps
– Verify requests by logging into official platforms directly
– Watch for urgency tactics or last-minute ‘issues’ with reservations”
“With travel season approaching, this incident highlights how cybercriminals are shifting toward more sophisticated, data-driven scams.”
Neema Wasira-Johnson, Asili Advisory Group
“Human risk management is often overlooked, but it’s one of the biggest opportunities organisations have right now.
“Scams like this work because they don’t look like scams. They look like normal communication. And when real booking data is involved, it becomes even harder for travelers to tell the difference.
“That’s why this isn’t just a cybersecurity issue. It’s a communication and trust issue.
“Organisations need to be much clearer about how they will and will not contact customers. And they need to actively guide customers on how to verify requests before taking action.
“For travelers, the safest move is simple: don’t respond to inbound requests for payment or personal details. Go directly to the app, the website, or a verified contact.
“Trust is part of the travel experience. And right now, that trust is being tested.”
André Ribeiro, Founder, Andre On Digital
“One of the biggest risks with scams like this is how convincing they feel in the moment. When a message appears to come from a trusted platform like Booking.com, many travelers react quickly without stopping to question it.
“The safest approach is to slow down before taking any action. Legitimate platforms rarely ask for sensitive information through messages, especially requests involving payments or personal data. If something feels urgent or slightly off, that’s usually the first warning sign.
“A simple habit that can prevent most of these situations is to avoid interacting directly through links or messages. Instead, open the official app or website and check if there are any real notifications there. If there aren’t, it’s likely a scam.
“Travellers should also be especially cautious when using public Wi-Fi networks, where data can be more exposed. Using secure connections and avoiding entering sensitive information on unknown networks adds an extra layer of protection.
“Looking ahead, this type of scam shows how travel is becoming more digital, but also more vulnerable. As platforms evolve, so do the tactics used by scammers.
“In practice, staying safe comes down to awareness and small habits – taking a moment to verify, using trusted connections, and not reacting under pressure.”
Adam Govier, Founder, Exploitr
“What attackers are doing is to use the latest available leaked information as a basis for targeting individuals in social engineering attacks.
“Data leaks don’t always include usernames, emails, and passwords. Leaks involving personally identifiable and contact information open the door to social engineering attack vectors like phishing.
“Leaked information, such as the hotel name, duration, check-in time, and even booking ID can be used as a pretext that can give phishing messages credibility.
“Individuals may start receiving phishing emails, text or WhatsApp messages, or possibly even phone calls from someone purporting to be from the airline or the booking platform.
“The scammers present themselves as an agent of the platform, sending genuine-looking links to a third-party website that can look identical to the Booking.com website. Unsuspecting victims of this attack may enter their login details, personal information, or even financial payment details, which could then be harvested by the scammers.
“Anyone receiving these messages should review the links thoroughly and not submit any personal or payment information through them. If you need to review or manage a booking, use the mobile app or visit the website directly.
“If you’re prompted to call a phone number, disregard what the message says and contact the number that’s presented on the actual website – the same way that you’d contact your bank.
“Change your password for the booking platform if you’ve not already done so. For anyone that may have fallen victim to one of these attacks, reset and change your password on the website – if you use this password anywhere else (email, social media, etc.) then also reset your password there too.”
Oliver Browne, Founder, True Summit Adventures
“Certain travel trends – frequency, time from booking to travel and the rise of the aggregators – have definitely made booking faster, cheaper and more efficient, but have also opened the door to fraud. The problem is not just limited to Booking.com and highlights a broader issue in travel booking and payments.
“Simple practices like – never leave the booking platform or send personal / payment details off platform, use your credit card (payments are insured plus you get points!) always verify requests and be suspicious of urgencies can eliminate most issues for consumers. But more broadly, people should consider booking through a trusted (or better still – fully regulated) intermediary or operator.”


