
Apr 14, 2026 · 5 min read

Booking.com Hackers Got Your Name, Address, and Every Message You Sent Your Hotel

The travel platform confirmed a breach affecting reservation data and forced PIN resets. It still has not said how many customers were hit.


What Happened

On April 13, 2026, Booking.com began notifying customers that hackers had gained unauthorized access to reservation data. The company detected "suspicious activity affecting a number of your guests' reservations" and took immediate action to contain the breach. As part of its response, Booking.com reset the PINs for all affected booking confirmations.

The company has not disclosed the number of affected customers, the geographic scope of the exposure, or the technical root cause behind the intrusion. When pressed by journalists, Booking.com declined to comment on the scale of the breach, stating only that "everyone will be notified individually."

What Data Was Exposed

According to Booking.com's notifications to affected users, the compromised data includes:

  • Personal information: full names, email addresses, postal addresses, and phone numbers
  • Reservation details: booking dates, hotel names, and confirmation numbers
  • Private communications: messages exchanged between guests and accommodation providers through the platform

Booking.com stated that financial data, including payment card details, was not accessed. Customer account passwords also appear to be unaffected. However, the exposure of private messages between guests and hotels is unusually invasive. Those conversations often contain arrival times, passport numbers shared for check-in, special requests revealing medical conditions, and other details travelers share on the assumption that they are private.

The Phishing Risk Is Already Real

Booking.com warned affected users to watch for phishing attempts, and with good reason. In the days following the breach, some users on Reddit reported receiving scam messages that referenced their specific booking details, including hotel names, dates, and reservation numbers. Whether these scams are directly connected to this breach is unconfirmed, but the pattern is familiar.

Armed with real reservation data, an attacker can send a message that looks exactly like a legitimate Booking.com communication. A scam email saying "Your reservation at [actual hotel name] on [actual date] requires payment verification" is far more convincing than generic phishing. The victim has no easy way to distinguish the real message from the fake one because both reference the same private details.

Not the First Time

This is not Booking.com's first security incident. In 2021, Dutch regulators fined the company €475,000 after a breach exposed personal data from over 4,000 customers. That incident involved compromised hotel staff login credentials, which attackers used to access reservation systems and contact guests directly with fraudulent payment requests.

The 2026 breach appears to be larger in scope, though Booking.com's refusal to disclose numbers makes direct comparison difficult. The pattern of attackers accessing customer communications through the platform's own systems raises questions about whether the lessons from 2021 were fully applied.

What You Should Do

If you have used Booking.com for any reservation, even in the past, take these precautions:

  • Ignore messages asking for payment details. Booking.com will never ask you to provide payment information via email, chat message, or text. If you receive such a request, go directly to the Booking.com app or website instead of clicking any link.
  • Change your Booking.com password. Even though the company says accounts were not compromised, updating your password and enabling two-factor authentication is a reasonable precaution.
  • Review your past messages. Think about what you shared in hotel communications. If you sent passport numbers, ID photos, or medical information, monitor for signs of identity misuse.
  • Watch for targeted phishing. Any email referencing specific hotel stays, dates, or booking details should be treated with suspicion. Verify directly through the app before responding.
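
The checks in the list above, expressed as a mail-triage heuristic. This is an added example, not code from Booking.com or from this article; the trusted domain, the keyword list and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "booking.com"  # assumption: only this domain and its subdomains count as genuine
# Assumed keyword list; per the article, payment details are never requested by email, chat or text.
PAYMENT_RE = re.compile(r"\b(payment|card (?:number|details)|cvv|bank transfer|refund)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_is_trusted(url):
    """True only if the URL's actual host is booking.com or a subdomain of it."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: treat as untrusted
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def triage(body, reservation_details=()):
    """Return (verdict, reasons) for a message body.

    reservation_details holds strings from the user's real bookings. A match
    raises suspicion and never proves legitimacy, because that data was exposed.
    """
    reasons = []
    if PAYMENT_RE.search(body):
        reasons.append("requests payment information")
    untrusted = [u for u in URL_RE.findall(body) if not host_is_trusted(u)]
    if untrusted:
        reasons.append("links outside booking.com: " + ", ".join(untrusted))
    if any(d.lower() in body.lower() for d in reservation_details):
        reasons.append("quotes real reservation details")
    if "requests payment information" in reasons:
        verdict = "high"
    elif reasons:
        verdict = "review"
    else:
        verdict = "low"
    return verdict, reasons

# Constructed sample data, not taken from the breach or from any real message.
DETAILS = ("Hotel Example Plaza", "4821907755")
SCAM = ("Your reservation 4821907755 at Hotel Example Plaza requires payment "
        "verification: https://booking.com.verify-pay.example/confirm")
REMINDER = "Your stay at Hotel Example Plaza starts soon. Reply with your arrival time."
GENUINE_LOOKING = "View your trips at https://www.booking.com/"

if __name__ == "__main__":
    for msg in (SCAM, REMINDER, GENUINE_LOOKING):
        print(triage(msg, DETAILS))
```

A "low" verdict only means none of these three signals fired; the article's advice to verify through the app still applies.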

The Transparency Problem

The most concerning aspect of this breach may not be the data that was stolen but the information Booking.com is withholding. The company has not explained how the attackers got in, how long they had access, or how many customers are affected. This lack of transparency makes it impossible for users to assess their own risk.

When companies like Hims & Hers lost health data through a customer service tool, the details eventually emerged through regulatory filings. Booking.com operates across dozens of countries, each with its own data protection authority. Regulatory pressure may eventually force disclosure, but by then the stolen data will have had a head start of weeks or months.
