Booking.com Confirms Data Breach, Forces PIN Resets Across Reservations

April 13, 2026 17:35 · 4 min read

Booking.com Acknowledges Unauthorized Access to Guest Reservation Data

Booking.com has officially confirmed a security breach in which hackers gained access to booking information associated with user reservations. The company disclosed the incident in a statement provided to BleepingComputer, noting it took immediate containment measures, forced PIN resets on both existing and past reservations, and notified affected users directly via email.

As one of the largest online travel platforms in the world, Booking.com facilitates bookings for accommodation, flights, car rentals, airport taxis, and travel experiences, acting as an intermediary between travelers and hospitality providers. The platform lists millions of properties globally and processes hundreds of millions of bookings each year, making any security incident potentially wide-reaching.

What Data Was Exposed

Over the weekend preceding the April 13, 2026 disclosure, multiple users began reporting that they had received emails from the official noreply@booking.com address warning them of a cybersecurity incident that may have exposed their personal information to unauthorized parties. According to those notifications, the categories of compromised data included:

Each notification also contained an updated PIN tied to the recipient's specific reservation number. The messages urged users to remain cautious of suspicious emails and phone calls, and reminded them that Booking.com will never request sensitive information or bank transfers from customers.

Official Statement From Booking.com

The company's communications lead, Sage Hunter, confirmed the breach through the following statement provided to BleepingComputer:

"At Booking.com, we are dedicated to the security and data protection of our guests. We recently noticed some suspicious activity involving unauthorized third parties being able to access some of our guests' booking information. Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests." — Sage Hunter, Booking.com

The company's notification to users also carried a similar message: "At Booking.com, we are dedicated to the security and data protection of our guests. In that spirit, we're writing to inform you that unauthorized third parties may have been able to access certain booking information associated with your reservation."

Scope Remains Unclear, But Individual Notifications Promised

When pressed for further details, Booking.com declined to specify the total number of users affected by the breach. However, the company assured BleepingComputer that every impacted individual would be notified directly. Booking.com also emphasized that customer support services are available in multiple languages on a 24/7 basis for those who have concerns.

User Confusion and In-App Notification Gap

One notable source of confusion among recipients was the absence of corresponding alerts within the Booking.com mobile application. Users who received breach notification emails did not see any matching warnings inside the app, leading some to question whether the emails were legitimate communications or phishing attempts. The discrepancy highlights a potential gap in the company's multi-channel notification strategy during security incidents.

Booking.com's own advisory recommended that users exercise caution even when receiving emails that appear to originate from a booked property or from Booking.com itself. The company specifically advised against clicking any links contained in such messages.

Possible Connection to Ongoing Scam Reports

Prior to the official confirmation, a number of users took to Reddit over the weekend to report being targeted by scammers who appeared to possess private reservation details — a red flag that suggested insider knowledge or unauthorized data access. However, it remains unclear whether these scam reports are directly connected to the breach that Booking.com subsequently disclosed. The possession of granular reservation data, such as property names, dates, and guest details, would enable highly convincing social engineering attacks, including phishing emails and vishing phone calls impersonating both properties and the platform itself.

A Pattern Worth Watching

This incident adds Booking.com to a growing list of travel and retail platforms that have recently faced data security challenges. The exposure of reservation-level data is particularly sensitive because it enables targeted fraud — attackers armed with booking details can craft persuasive messages that exploit the trust travelers place in familiar platforms. Users are strongly encouraged to verify any unexpected communications through official channels and to avoid acting on requests for payment or personal information received via email or phone.


Source: BleepingComputer
