Booking.com confirms hackers accessed customer names, emails, addresses, and booking details via third-party compromise. Stolen data is already fuelling targeted WhatsApp phishing attacks, exposing deep supply chain vulnerabilities in global travel platforms.
Booking.com’s confirmation on 13 April 2026 that unauthorised parties accessed customer booking data marks another serious lapse in safeguarding traveller privacy. The exposed information – names, email addresses, phone numbers, physical addresses, reservation specifics and platform–hotel message histories – while excluding financial details per the company’s statement, has already fuelled a wave of highly targeted secondary attacks.
Affected Australians report receiving WhatsApp messages bearing accurate booking particulars days before official notification, with one Bali traveller losing $100 to a fraudster impersonating Booking.com support.
This is not an isolated failing but a symptom of a systemic vulnerability: security firms Bridewell and Sekoia have long documented how attackers compromise hotel partner credentials via infostealer malware, then mine reservation databases to craft convincing phishing lures. The Dutch Data Protection Authority’s €475,000 fine against Booking.com in 2021 for an almost identical supply-chain breach underscores the pattern.
The scale of exposure is significant: Operating across 28 million global listings and processing hundreds of millions of bookings yearly, the scale of potential harm is immense. Yet critical questions remain unanswered: how many customers were affected, for how long was data accessible, and through what precise vector? This opacity complicates individual risk assessment and raises concerns about compliance with GDPR and Australia’s Privacy Act, which mandate timely, transparent disclosure of breaches involving personal information.
Treat every unexpected Booking.com message as suspect until proven otherwise. Go directly to the official app or website and avoid clicking on links in emails, texts or WhatsApp messages, no matter how authentic they look.
Check your current reservations line by line. Look for any change to guest names, email addresses or phone numbers, which can signal that someone is already inside your account. Turn on two-factor authentication immediately to make it materially harder for attackers to reuse stolen credentials.
Ensure reputable antivirus software is installed and up to date on any device you use for travel bookings, given infostealer malware is a key tool in this campaign. Be wary of unsolicited calls or messages from anyone claiming to represent Booking.com and refuse to share card details, one-time passwords or security codes. Keep a close eye on bank and card statements for unfamiliar transactions, even though there is no firm evidence yet that card numbers were the primary target.
Where possible, route bookings through a dedicated email alias so that a compromise does not expose your main inbox. Do not rely solely on Booking.com’s automatic PIN reset. Log in and update reservation PINs and account security settings yourself to close off easy opportunities for follow-on fraud.
Get the stories that matter to you.
Subscribe to Cyber News Centre and update your preferences to follow our Daily 4min Cyber Update, Innovative AI Startups, The AI Diplomat series, or the main Cyber News Centre newsletter — featuring in-depth analysis on major cyber incidents, tech breakthroughs, global policy, and AI developments.
CISA has added an actively exploited LiteSpeed cPanel Plugin flaw to its KEV catalogue, with hosting providers urged to patch or remove the vulnerable user-end plugin.
CISA’s latest KEV update mixes new Microsoft Defender flaws with legacy Windows and Adobe bugs, showing why exploited risk often sits in forgotten systems.
Microsoft has confirmed active exploitation of CVE-2026-42897, putting exposed on-prem Exchange and Outlook Web Access environments back under pressure.
NGINX Rift shows how a small rewrite-rule pattern can become a large operational risk. The flaw is not a universal one-request takeover, but exposed NGINX estates should still treat patching and configuration review as urgent.
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead. Sign up for free!
