Data breaches at Basic‑Fit & Booking.com

Two consumer platforms used by millions of Europeans disclosed data breaches on April 13, with Basic-Fit saying about 1 million gym members were affected and Booking.com confirming hackers accessed customer reservation data. (kfgo.com) (techcrunch.com) Basic-Fit said the breach exposed names, birth dates, contact information and bank account details, and that about 200,000 of the affected members were in the Netherlands. The company said its monitoring systems detected the unauthorized access and stopped it within minutes. (yahoo.com) Booking.com said hackers may have accessed names, email addresses, phone numbers and booking details tied to some reservations. The company did not disclose how many customers were affected, but said it had contacted impacted users in recent days. (techcrunch.com) (bleepingcomputer.com) The two incidents landed in the same week at companies that sit between consumers and recurring payments or travel plans. That combination gives criminals enough personal detail to build convincing phishing messages, even when passwords or identity documents were not exposed. (yahoo.com) (pcmag.com) Basic-Fit is one of Europe’s biggest gym operators, with 4.82 million memberships at owned clubs at the end of 2025, up from 4.25 million a year earlier. The company said the breach hit active members in several countries, not just the Netherlands. (corporate.basic-fit.com) (channelnewsasia.com) Booking.com has spent the past two years warning about scams that start with compromised hotel or partner accounts and end with fake payment requests sent to travelers. Security researchers and industry reports have described attacks in which criminals use stolen hotel credentials to message guests through legitimate Booking.com channels. (kaspersky.com) (infosecurity-magazine.com) In this case, Booking.com said payment card data was not accessed, according to reports citing the company’s customer notices. Even so, reservation details can make a scam look real because they can include the hotel name, stay dates and contact information. (skift.com) (techcrunch.com) Basic-Fit said it does not store members’ identification documents and that no passwords were accessed. The company told affected members that the main immediate risk was phishing, not account takeover through a stolen login. (yahoo.com) Both companies are now in the familiar post-breach phase: notify users, investigate what was taken, and try to stop the second wave of fraud that often follows the first intrusion. For customers, the next test is whether the email, text or in-app message that looks routine this week is actually part of the breach fallout. (techcrunch.com) (yahoo.com)