eCommerceNews Asia - Technology news for digital commerce decision-makers
Asia
Flux result d25c2701 0034 45e9 883a 9aeb9fa61d60
#
Data Protection
#
Endpoint Protection
#
MFA

Booking.com warns some customers of possible data exposure

Tue, 14th Apr 2026
Author image
By Mark Tarre, News Chief

Booking.com has warned some customers that unauthorised third parties may have accessed booking-related personal information linked to a subset of reservations.

In emails to affected users, the company said it had detected suspicious activity involving a number of bookings and had taken steps to contain it. The data that may have been accessed includes names, email addresses, phone numbers and reservation details.

Information shared directly with accommodation providers may also have been exposed. Booking.com has not said how many customers received the warning, when the activity occurred, or whether the access involved its own systems or third parties such as properties listed on the platform.

A spokesperson for Booking.com clarified that the company is dedicated to the security and data protection of its guests. "We recently identified suspicious activity involving unauthorised third parties accessing limited booking information," the company stated. "Upon discovering the activity, we took immediate steps to contain the issue, including updating reservation PINs and informing affected customers."

The company also explicitly confirmed that no financial information or physical addresses were accessed during the incident.

Data exposed

The notice suggests the incident involved booking information rather than financial records. It did not indicate that payment card details were accessed.

The exposed data may include reservation numbers, contact details and messages exchanged with properties through the platform. That could give criminals enough information to craft convincing follow-up messages about upcoming stays.

Security specialists have long warned that reservation data is valuable in phishing attacks because it allows fraudsters to send messages that appear relevant to a customer's travel plans. In the travel sector, scams often rely on knowledge of a booking, property name or reservation reference to make a request seem genuine.

Immediate steps

As part of its response, Booking.com reset the PINs associated with affected reservations. It told customers the updated PINs would help secure access to their booking information.

It gave little detail on any other technical measures taken after the suspicious activity was detected, saying only that it had acted immediately to secure affected bookings and was continuing to investigate.

Customers were also urged to be cautious about any communication appearing to come from Booking.com or accommodation providers. The company said it would not ask for credit card details by email, phone, text message or messaging apps.

Phishing concern

The warning reflects a wider problem in online travel, where attackers have increasingly targeted communications between guests and properties. With access to reservation data, criminals can impersonate a hotel or booking platform and ask for payment, verification or other sensitive information.

Booking.com told customers that legitimate payment requests should match the original terms of a reservation. It advised users not to make payments that differ from the confirmed booking policy and to avoid clicking suspicious links.

The platform reiterated that it will never request payment or card details via email, phone, WhatsApp or text.

Limited detail

So far, Booking.com has released only limited information about the incident. It has not disclosed the scale of the exposure, how the data may have been accessed, or whether law enforcement or regulators have been informed.

That leaves key questions about the source of the breach and the safeguards around booking communications. Online travel platforms process large volumes of personal data and booking records, making them attractive targets for attackers seeking information for fraud.

For customers, the main risk may come after the initial alert rather than at the moment of exposure. Fraudsters often use stolen booking details in later contact with travellers, posing as a property or intermediary and creating urgency around a payment problem or booking change.

Booking.com said it is still reviewing the incident and assessing the extent of the exposure. It told customers to stay alert for suspicious communications and report any unexpected changes to their reservations.

Related stories
Moloco launches performance CTV ads for app marketers
Apple launches business platform as Maps ads near rollout
Gr4vy launches toolkit for ChatGPT agentic payments
Temu joins anti-counterfeiting coalition to boost IP enforcement
OpenX expands News Australia deal for Tubi CTV ads

Top stories

OpenAI expands Codex with desktop & workflow tools
Testlio launches AI chatbot testing service amid scrutiny
Mastercard & Lobster.cash team up for AI agent payments
QBE Asia flags rising marine risks across shipping
Blackhawk launches digital wallet for unified stored value