Booking.com Data Breach Fuels Surge in 'Reservation Hijacking' Scams

Security experts warn travelers to verify identities independently and never share credit card information via phone or text following the exposure of booking data in April 2026.

Author
Owen Mercer
Markets and Finance Editor
Source: WIRED · original
‘Reservation Hijacking’ Scams Target Travelers. Here’s How to Stay Safe
Fraudsters leverage leaked personal details to impersonate travel staff, urging victims to make payments outside official channels.

A significant data breach at Booking.com in April 2026 has exposed names, email addresses, phone numbers, and booking details for affected customers. While the travel portal confirms that no financial information was compromised, the leak of personal identifiers has provided fraudsters with the precise information needed to execute sophisticated reservation hijacking scams.

This specific type of digital fraud involves scammers using known booking details to deceive travelers into sending money to fraudulent accounts. By possessing accurate dates, phone numbers, and email addresses, bad actors can create a convincing sense of urgency, often impersonating hotel or travel staff to trick victims into making bank transfers or sharing credit card details through unofficial channels.

Authorities and Booking.com have issued clear warnings to mitigate the risk. The company has explicitly stated it will never ask customers to share credit card information over the phone, email, or text, nor will it request payments via methods different from those recorded in the official booking. Any request for payment outside the official platform should be treated with immediate suspicion.

Scammers may obtain this sensitive information in several ways: through the recent data breach, by targeting employees of service providers to gain system access, or by harvesting data from social media posts where users inadvertently share travel plans. The availability of such detailed personal data allows fraudsters to craft highly targeted messages that are difficult for the average consumer to distinguish from legitimate communications.

To protect themselves, travelers are advised to hang up immediately if approached by someone claiming to be from their reservation provider and to independently contact the official entity using known numbers. Verification must always be conducted through official channels rather than responding to the initial unsolicited contact, as engaging with the scammer can lead to the loss of funds.

Standard security practices remain essential in preventing account compromise and identity theft. Users should secure their accounts with strong, unique passwords that are impossible to guess and enable two-factor authentication wherever available. Booking.com has implemented these measures for its users, reinforcing the importance of adhering to established security protocols to safeguard personal and financial information.
