Booking.com reservation scam
- A recent Booking.com data breach has enabled reservation‑hijacking scam messages to reach customers. - Attackers send suspicious messages claiming to modify or confirm existing bookings, the report warns. - Travelers booking park lodging or gateway stays are advised to verify payment and reservation messages carefully. (insidehalton.com)
Booking.com customers are being hit with “reservation hijacking” scams after the company said hackers accessed some guests’ booking information. (bleepingcomputer.com) Booking.com said on April 13 that unauthorized third parties may have accessed reservation-linked data, then reset PINs for affected bookings and emailed impacted users directly. (bleepingcomputer.com) The exposed information includes names, email addresses, postal addresses, phone numbers, reservation dates, and messages exchanged with properties through the platform. Booking.com has not said how many customers were affected. (theregister.com) A reservation hijack works like a targeted phishing attack: a criminal uses real trip details to pose as a hotel or Booking.com and asks a traveler to “confirm” a card or pay through a new link. Security researchers say the stolen booking data makes those messages far more convincing. (bbc.co.uk) This tactic has been building for more than a year. Microsoft said in March 2025 that a campaign it tracks as Storm-1865 was impersonating Booking.com and targeting hospitality workers to steal credentials and open the door to fraud. (microsoft.com) Booking.com’s own partner guidance says hotel and property accounts are attractive targets because they hold guest names, addresses, card details, phone numbers, and reservation data. The company says it can disable links in guest messages if it detects suspicious activity in a property’s account. (booking.com) That history helps explain why travelers are being told to treat unexpected payment requests with caution, even when a message appears to reference a real booking. Booking.com told affected users to be wary of suspicious emails and phone calls and said it will not ask for sensitive information or bank transfers. (bleepingcomputer.com) For travelers with upcoming stays, the safest check is to open the Booking.com app or website directly and verify any change there, instead of tapping a link in a message. The Federal Trade Commission says people who paid a scammer should contact their card issuer, bank, wire service, or payment app right away to try to reverse the transaction. (consumer.ftc.gov) The scam lands hardest when the fake message arrives in the middle of a real trip plan. That is why a stolen reservation record can turn an ordinary booking confirmation into a believable demand for money. (bbc.co.uk)
