Booking.com data breach: Unknown persons access booking data – Group changes PINs

Simon Lüthje

Booking.com is currently informing numerous customers by email about a data breach. Unknown third parties were apparently able to access booking information – including names, email addresses, telephone numbers and details from the message field between guest and accommodation. As an initial countermeasure, the travel provider has changed the PINs of all affected bookings. According to the company, payment data has not been leaked.

What happened during the Booking.com data breach?

In the notification email, Booking.com refers to “suspicious activity” in which unauthorized third parties gained access to certain reservation information. As soon as the problem was discovered, it reacted immediately and contained the situation, the company said in an official statement. The Group has not yet provided any specific figures on the number of bookings affected or the exact cause – which is striking, as the GDPR actually requires transparent information on such incidents.

According to a statement made by a Booking spokesperson to several media outlets, a renewed check showed that no physical addresses were leaked, even though this was initially presented differently in the first emails. According to the statement, only email addresses, telephone numbers and booking data were accessed. Financial or payment information was not affected.

What data was leaked?

| Data category | Affected? |
|---|---|
| Name | Yes |
| E-mail address | Yes |
| Telephone number | Yes |
| Booking details (hotel, period, booking number) | Yes |
| Messages to the accommodation | Yes |
| Postal address | No (according to update) |
| Credit card/payment details | No |

PIN codes of the bookings have been reset

As a security measure, Booking.com has changed the PIN codes of all affected reservations. These PINs serve as a security anchor for changes to the booking and for access to the reservation in the customer account. Customers will find the respective booking number together with the new PIN in the email, so access to the reservation remains possible.

However, many of those affected report in forums and blog comments that they received suspicious messages weeks before the official notification: typically via WhatsApp from Indian numbers, with the correct name, the real booking number and a request to re-enter data because of an alleged payment problem. The quality of the fakes is apparently high enough that even experienced users fall for them.

This is the real danger: targeted phishing

Even if no credit card details have been leaked, the mishap should not be underestimated. Real booking data, correct names and telephone numbers can be used to create extremely credible phishing messages. Attackers know the hotel, the travel period and often even personal comments from the message field – no wonder that many users can no longer distinguish this from a genuine message from the accommodation.

Typical scams that are currently circulating:

  • WhatsApp or SMS messages with a request to “reconfirm payment”
  • Emails with links to deceptively genuine booking pages
  • Calls in which callers pretend to be hotel or booking employees
  • Requests for bank transfers to different accounts

Booking.com expressly emphasizes: The company never asks for credit card details by email, telephone, SMS or WhatsApp – and also does not request bank transfers that differ from the payment methods stated in the booking confirmation. Anyone who receives such messages or calls should first contact the official booking support and not click on any links.

Is the cause at the hotel?

Booking.com itself has repeatedly pointed out in the past that it was not its own system that was compromised, but the connected accommodation. The pattern is familiar: Hoteliers are tricked into handing over their extranet access via phishing, attackers then take over communication with guests and send fake payment requests via the official Booking messaging system.

At the same time, Booking also explains in the current communication that guests have been informed directly – including a PIN reset. This sounds like a systemic problem that can no longer be explained by individual hacked hotels. As previous incidents have shown, the extent is often greater than the companies initially admit – we reported on a data leak at many popular online platforms, for example, where hundreds of thousands of customer records were also openly accessible.

What should you do now?

  • Check your mailbox: See whether you have received an official notification from Booking.com. Open your mailbox directly – not via links in suspicious messages.
  • Make a note of your new PIN: The PIN stated in the email is valid immediately and is required for changes to the booking.
  • Do not click on any links from unexpected messages – neither from WhatsApp, text messages nor emails. If in doubt, always log in directly via the booking app or the official website.
  • Check the payment method: Only make outstanding payments to the accounts specified in the original booking confirmation.
  • If fraud is suspected: Have the card blocked, report it to the police, inform the hotel and Booking support.

Conclusion: The Booking.com data breach is primarily a phishing problem

At first glance, the Booking.com data breach seems straightforward – no credit card details, access to the account is still possible, new PINs have already been distributed. However, the real risk lies in the leaked information itself: Real booking details can be used to build impressively credible fraud attempts. Anyone who has currently booked via Booking or has recently traveled should treat any communication outside of the official app with healthy skepticism. Clearer information from Booking.com – especially on the cause and the number of people affected – would be desirable and actually mandatory under the GDPR.