Booking.com logo on website showing data breach

Data Breach at Booking.com Exposes Customer Information

Booking.com is notifying users of a data breach that exposed their personal information after threat actors accessed “certain booking information.”

The Amsterdam, Netherlands-based booking platform has served over 6.8 billion customers since 2010, according to a statement on its website. Acting as an intermediary during the booking process, the company lists over 30 million properties and employs over 24,000 people worldwide.

Booking.com learned of the data breach after detecting suspicious activity on some reservations. It responded by launching an investigation that confirmed unauthorized access.

Booking.com data breach leaks customer information

Booking.com says the data breach exposed guests’ personal information, including full names, email addresses, phone numbers, postal addresses, and “any other information” exchanged with property managers. It also impacted users across multiple countries, including Australia, and compromised both current and past bookings.

However, the data breach did not expose any financial information provided during the reservation process, which could have severe implications for both the company and customers.

“This type of breach is particularly dangerous not because of financial data, but because of context,” warned Adrianus Warmenhoven, a cybersecurity expert at NordVPN. “When attackers gain access to booking details, such as names, travel dates, [and] accommodation information, they can craft highly convincing, personalised scams that are much harder to detect.”

Upon learning of the data breach, Booking.com updated reservation PINs and advised affected customers to watch for unsolicited messages to avoid falling victim to targeted phishing attacks.

“Imagine receiving a message that references your exact stay, dates, and property – it immediately feels legitimate. This is exactly what cybercriminals rely on. We expect to see a spike in phishing emails, fake payment requests, and ‘verification’ messages targeting affected users,” added Warmenhoven.

The booking platform also reminded users that it would never request sensitive information via phone or email. It also discouraged affected users from clicking on suspicious links or downloading attachments in emails purporting to originate from property managers or the booking platform.

Meanwhile, Booking.com has not disclosed the number of customers impacted by the data breach or the threat actor’s identity. The attack vector exploited also remains undisclosed.

However, some users claim they have received phishing messages from potential fraudsters with private booking information potentially stolen from the booking platform.

Cybercriminals continue to target the hospitality industry

The hospitality industry remains a lucrative target due to the vast amounts of data it collects and stores, including that of wealthy individuals.

Between 2014 and 2024, Marriott International experienced multiple cybersecurity incidents that exposed the personal information of over 334 million people, resulting in a $52 million FTC settlement.

In 2024, spyware on Wyndham Hotel’s systems exposed personal information of Booking.com’s customers when an employee logged onto the booking platform’s administration portal.

In 2018, attackers also stole the personal information of 4,000 people from Booking.com after compromising the login credentials of hotel employees in the United Arab Emirates. Dutch regulators fined the company over $600,000 for failing to report the cyber incident on time.

Between June 2023 and September 2024, fraudsters also used phishing attacks on accommodation providers to steal the personal information of Booking.com’s customers and demand advance payment, resulting in losses of over $500,000 in the United Kingdom. Scammers also stole over $31 million from Booking.com’s Australian customers in 2025.