Booking.com Data Breach: Credit Card Data Not Stolen — But That's What Makes the Attack More Dangerous

Booking.com has confirmed unauthorized access to reservations of millions of customers. Financial information was not compromised — however, hackers are already using the stolen data for targeted fraud schemes via WhatsApp.


Booking.com has confirmed that third parties gained access to customers' personal data — names, email addresses, phone numbers, and booking details. This became known from notifications that the service began sending to affected users over the past week.

What exactly leaked — and what didn't

According to TechCrunch, in the letters the company states that compromised information may include "booking details, names, emails, phone numbers, as well as anything you transmitted directly to the accommodation facility." Physical addresses were excluded from Booking.com's final statement — a company representative clarified to TechCrunch that they were not obtained by criminals. Payment data and passwords were also not affected.

It might seem like a limited set. But that's where the main trap lies.

Why "incomplete" leaks are more dangerous than complete ones

One affected user told TechCrunch that two weeks before the official notification, he received a phishing request on WhatsApp — and the message contained exact details of his booking. The scammer knew the date, hotel, and amount. He knew enough to appear legitimate.

"Even when payment data isn't stolen, such a leak remains a serious threat to travelers. The current danger is a second wave of fraud."

Adrianus Warmenhoven, NordVPN cybersecurity expert, for Travel Weekly

This is a classic scheme: criminals don't try to breach a bank account right away. They build trust through context and ask for the card details once the conversation is under way, when the victim suspects no danger. Booking.com warned in its letter that the company never requests a card number via email, phone, SMS, or WhatsApp.

What is known about the scale and source

Booking.com services over 28 million accommodation properties worldwide and is one of the largest travel aggregators. However, the company has not disclosed the exact number of affected users. As Security Affairs notes, it remains unclear even whether Booking.com's own systems were compromised or whether the attack occurred through third parties — for example, through hotels or platform partners.

The company said that it "immediately took measures to localize the incident" and is notifying only those customers whose data was potentially affected.

What to do right now

  • Ignore any messages on WhatsApp or SMS from "Booking.com" asking you to confirm payment or enter your card details.
  • Verify all requests exclusively through the official app or website — without clicking links from emails.
  • Be especially careful if someone who contacts you knows exact details of your booking: this doesn't prove legitimacy.

If Booking.com does not disclose the number of affected users by the end of the investigation, personal data protection regulators — in particular the Irish DPC, under whose jurisdiction the company falls in the EU — have every reason to demand explanations: under GDPR, the deadline for notifying a regulator is 72 hours from the moment of detecting the breach.
