Booking.com confirmed on Monday that hackers may have accessed personal customer data, including names, email addresses, phone numbers and booking details. The global travel and hotel booking giant notified customers last week of the breach, according to several online posts.
“We are writing to inform you that unauthorized third parties may have accessed certain booking information related to your booking,” the notice to customers reads, according to post by a Reddit user. Several other Reddit users who responded to the post said they received the same notification. The message from the company included the aforementioned types of data breached, as well as “anything you may have shared with the property.”
The user who posted the alert on Reddit told TechCrunch that he received a phishing message via WhatsApp two weeks ago that included “booking details and personal information.” This suggests that hackers are leveraging the stolen information to target Booking.com customers.
Booking.com spokeswoman Courtney Camp told TechCrunch that the company “noticed some suspicious activity involving unauthorized third parties who were able to access some of our guests’ reservation information. Once we discovered the activity, we took steps to mitigate the issue. We updated the PIN number for these reservations and notified our guests.”
The spokesperson declined to answer TechCrunch’s specific questions, including how many customers were affected by this incident and subsequently notified.
The company he told the Guardian that “financial information was not accessed”.
In 2024, TechCrunch reported that hackers had infected the computers of several hotels with consumer-grade spyware, or stalkerware. In one case, a victim logged into the Booking.com management portal when the pcTattletale stalkerware took a screenshot of their screen.
Techcrunch event
San Francisco, California
|
13-15 October 2026
According to company website6.8 billion customers have booked hotel rooms and homes since 2010.
Updated with comment from Booking.com representative to note that physical addresses were not taken in the breach.
