Booking.com Customers Hit by 'Reservation Hijacking' Scams After Data Breach

A growing number of Booking.com customers have reported that their personal details have been stolen and are being used in sophisticated scams on social media platforms. This follows a security breach last month that leaked customer data to a third party.

Data Breach Details

In April, thousands of Booking.com customers received emails warning them that their information may have been compromised. The leaked data could include booking details, names, email addresses, phone numbers, and any information shared with the property. The company changed reservation PIN numbers to secure existing bookings.

Reservation Hijacking Trend

Many customers are now complaining on social media about being targeted in what security experts at Norton have dubbed 'reservation hijacking'. This increasingly widespread trend involves attackers using real booking details to impersonate hotels and trick travellers into handing over payment information.


One X user, Quentin André, described receiving a WhatsApp message with his correct hotel name, dates, and amount, asking him to confirm credit card details or face cancellation. He noted the domain was not booking.com and suspected either Booking.com or the hotel was hacked. Another user reported that their wife received the same email, while a third said all their security PINs were changed after the breach.

A Reddit user, GeneralAmbassador304, detailed falling victim to the scam, receiving a WhatsApp message with full name, check-in dates, and a unique booking reference number. They clicked a link that looked like the Booking interface and entered card details, leading to a compromised card that was promptly blocked.

How the Scam Works

Attackers use two primary methods: impersonation, where they pose as hotels with convincing messages, and account takeover, where they gain access to legitimate hotel systems to contact guests through real platforms. The scam removes traditional warning signs, as messages reference real bookings and come via trusted channels, creating urgency around payments.

One Facebook user confessed to losing about $1,500 for a Sri Lankan hotel in 2024, noting that Booking.com's systems appear compromised and that the scam has been ongoing for at least three years.

Expert Warnings

Chris Skipworth, CEO of Passpack, highlighted that attackers exploit travellers' time pressure, especially close to trip dates. Luis Corrons, Norton Security Evangelist, emphasised that even basic details can be turned into convincing fraud, and advised travellers not to take messages at face value but to verify directly through official channels.

Safety Tips

Vonny Gamot, head of EMEA at McAfee, recommended assuming you are affected, changing passwords immediately, enabling two-factor authentication on all accounts, checking bank statements for unusual activity, and using online protection tools to detect suspicious messages.

The Daily Mail has contacted Booking.com for further comment.
