Booking.com breach triggers surge in “reservation hijacking” phishing scams

April 17, 2026

Booking.com has confirmed a data breach exposing customer booking details and contact information, prompting warnings about a rise in targeted phishing attacks known as “reservation hijacking.” The scams use real booking data to impersonate hotels or the platform itself, pressuring travellers to re-confirm reservations or make payments.

The company said financial information was not part of the breach but declined to disclose how many users were affected. It also reiterated that it does not request credit card details via email, phone, WhatsApp, or text, nor does it ask customers to complete payments through bank transfers.

Affected users report receiving suspicious communications shortly after making bookings. Amy Warms, a Canadian customer, received an email in Catalan warning of the breach despite not travelling to Spain. She said the message prompted her to log out, change passwords and remove stored payment information as a precaution.

Other customers describe more direct scam attempts. Mert Aktas, who booked a hotel in Greece, said he received a WhatsApp message from an unfamiliar number asking him to click a link to complete check-in. After contacting Booking.com, he was initially told the issue may have originated from the hotel before the company later confirmed a breach. Aktas stated that the experience raised concerns about transparency and the risk to less tech-savvy users.

Security researchers say these attacks represent a shift from generic phishing to highly targeted fraud. David Shipley, CEO of Beauceron Security, said attackers exploit timing and context by contacting travellers close to their departure dates with convincing claims that a booking has been cancelled or requires urgent action. “Now we’re in panic mode. And that’s when we start to make mistakes that they capitalize on,” he stated.

In these scenarios, victims may believe they are rebooking or verifying a reservation when, in reality, they are providing payment details directly to attackers. By the time suspicious charges appear, the transaction has already been completed outside legitimate channels.

 

Jim Love

Jim is an author and podcast host with over 40 years in technology.
