Booking.com confirmed this week that unauthorized third parties accessed customer booking data, including names, email addresses, and phone numbers. The company said it updated reservation PIN numbers on affected accounts and notified guests. It declined to say how many customers were impacted.
“We noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information,” spokesperson Courtney Camp said. “Upon discovering the activity, we took action to contain the issue.”
A separate spokesperson said the problem “has been fully contained.” Financial data and physical addresses were not accessed, the company later confirmed.
The timing fits a documented pattern. Analysts at Cofense had been tracking a ClickFix campaign, a social engineering technique that tricks hotel staff into executing malware through fake CAPTCHA verification pages, targeting Booking.com hotel partners with spoofed emails since November 2024.
Some 47% of total campaign activity was concentrated in March 2025 alone, according to Cofense. The attacks delivered remote access trojans and information stealers to hotel staff machines, giving attackers access to real guest reservation data.
Researchers at Bridewell separately documented a three-stage infection chain as recently as February 2026 in which compromised hotel partner credentials were used to target customers directly via WhatsApp, pairing fraudulent payment requests with legitimate booking details to appear credible.
At least one affected customer reported receiving a WhatsApp phishing message two weeks before this week’s notification that included accurate booking details, consistent with the downstream fraud model both firms described.
Booking.com was previously fined €475,000 by the Dutch Data Protection Authority following a 2018 breach in which phishing attacks on hotel employees in the United Arab Emirates exposed data on more than 4,000 customers.
That fine was issued for notifying the regulator 22 days past the legal deadline. The company lists more than 30 million properties globally and reports 6.8 billion bookings since 2010.
