Booking in the sights of hackers: users’ personal data at risk after a cyber attack

Last weekend thousands of users received an email from noreply@booking.com, like this one found on Reddit, informing them of possible third-party access to their reservation data. It was not a generic notice but a message containing the details of the individual reservation. Initially mistaken for a possible phishing attempt, the message turned out to be genuine, and Booking.com confirmed the incident on April 13, 2026. These are the words of Sage Hunter, spokesperson for the company, as reported by BleepingComputer:

At Booking.com, we are committed to the security and protection of our guests’ data. We recently noticed some suspicious activity involving unauthorized third parties able to access some of our guests’ booking information. Once we discovered the activity, we took steps to contain the problem. We have updated the PIN code for these bookings and informed our guests.

What was taken

The data exposed includes names, email addresses, telephone numbers, physical addresses and communications exchanged by users with hotel facilities through the platform. Booking.com has specified that no financial and/or payment data has been compromised, and that user accounts have not been compromised.

The number of people affected has not yet been disclosed, and the company has assured that all affected users will receive an individual notification.

The real risk: phishing

The theft of booking data opens up decidedly insidious scenarios even without access to credit cards: if a user's name, property and dates of stay are known, it is possible to craft fraudulent messages that are difficult to distinguish from legitimate communications. This is not a theoretical case: several users have already reported contact attempts by individuals posing as Booking.com representatives and in possession of the real booking details. The platform reminded users that it never asks for payment details via email, telephone, WhatsApp or SMS, nor for bank transfers other than those indicated in the booking confirmation.

It’s not the first time

In 2011, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined Booking.com €475,000 after a breach that exposed the data of more than 4,000 customers, including the credit card details of nearly 300 people. The breach dated back to December 2018, and the company notified the regulator 22 days later than the 72-hour window required by the GDPR.