Privacy News

Booking.com data breach 2026 - beware of reservation hijacks and targeted attacks.

Booking.com has confirmed a data breach exposing customer reservation details. Experts warn that the leaked information is now being used in reservation hijack scams. If you use the platform, here’s what to watch out for and how to protect yourself.

Booking.com confirmed its customers’ booking details had been exposed to third parties.

Last week, Booking.com, started notifying its customers that 'unauthorised third parties' may have been able to access certain booking information associated with reservations. The booking platform still hasn't disclosed how many customers have been compromised and in which regions. Simply put, if you have an account with Booking.com, your personal data may have been exposed, leaving you vulnerable to reservation hijack scams. If you use Booking.com here's what you can do and what to be aware of.

What to do after Booking.com data leak

With the data obtained by the Booking.com hack, attackers might contact affected people for targeted phishing and scam attacks.

  • If you have open booking reservations, review them and remind yourself of what payment method you chose. For example, you might have selected to pay on arrival or you may have paid for your booking in full already.

  • And if you then receive any kind of message asking you to verify payment details, via WhatsApp, sms, email or directly on Booking.com, do not trust it - it could be a reservation hijacking scam.

What is the Booking.com data breach 2026?

On April 13th, the Dutch booking site started notifying its customers that “Unauthorized third parties” had gained access to their booking reservation data and that their reservation booking pin had been updated to keep bookings secure - one user took to Reddit to share the message they received.

Ein Reddit-Nutzer teilte seine Besorgnis über eine Nachricht, die er von Booking.com erhalten hatte, in der er vor der Datenschutzverletzung gewarnt und darüber informiert wurde, dass seine Reservierungs-Pins aktualisiert wurden. Ein Reddit-Nutzer teilte seine Besorgnis über eine Nachricht, die er von Booking.com erhalten hatte, in der er vor der Datenschutzverletzung gewarnt und darüber informiert wurde, dass seine Reservierungs-Pins aktualisiert wurden.

A Reddit user shared their concerns over a message they received from Booking.com warning them of the data breach and informing them that their reservation pins had been updated. Screenshot: Reddit.

The data collected includes its customers’ booking details, name, email address, and phone number. This is exactly what malicious attackers need to impersonate the hotel you’ve made a booking with and contact you for scam purposes. According to The Guardian, Booking.com has said that its customers’ financial information had not been accessed.

Watch out for reservation hijacking

You may think this data breach is nothing serious, but experts have warned that this booking data is very valuable to malicious actors who will use the details exposed to trick customers into making payments. Norton, the cyber-security company, uses the term reservation hijacks to describe these types of phishing attacks.

Now that hackers have some customers’ booking details, it’s easy for them to impersonate hotels and request payments or verifications from affected people. Because these attempts seem authentic, without realizing it many people do fall victim to reservation hijacking scams.

Reservation hijacks are not a new kind of scam, but because of the latest Booking.com data breach in 2026, there will be a fresh wave of these kinds of scams happening.

If you have a valid upcoming booking on the booking platform, you need to stay on high alert for targeted phishing attacks.

Turn ON Privacy in one click.

Extra tips for protecting your Booking.com account

While the breach seems to have occurred via Booking.com’s hotel partners - where hackers used a technique called ClickFix to trick hotel employees into installing malware, giving them access to the booking platform’s partner systems - there’s no harm in improving your account login and security. Here are some quick and easy changes to your account with the booking platform to better protect yourself going forward!

  1. Use a passkey or two-factor authentication when signing into your Booking.com account.

To set up a passkey go to My account > Security settings > Passkeys > Set up Passkeys

To set up a 2FA go to My account > Security settings > Two-factor authentication > follow the prompts

  1. Reset your login credentials.

Create a strong and unique password, and make sure you store it in a password manager.

  1. Update your account’s email with an aliases address

If you’re concerned your data may have been exposed in the Booking.com breach, we’d also recommend updating your email address associated with your account. By using an alias address and not your primary email address, you improve the security of your digital identity. Because if malicious attackers gain access to your email alias used exclusively for your Booking.com account, they can’t use this to further hack other accounts (there’s a much higher chance other accounts get hacked when they all use the same email address)

Learn how to easily create an email alias in Tuta Mail here.

To update your email address go to My account > Personal details > Email address > Enter the one time code sent to your current email address > enter new email address > Enter the one time code sent to your new email address.

  1. Do not store your payment details or passport information in the app.

Many apps we use give us the option to store our payment method for next time. Yes, this is convenient but it’s not safe! Booking.com give you the option to store your payment details and even passport information, we’d recommend deleting this information from the platform and entering it manually when making a booking.

To remove your payment details go to My account > Payment methods > from here you can delete them.

To remove your passport details go to My account > Personal details > Passport details > from here you can delete them.

Yet another company hit by a data breach

When we download apps and create accounts to book flights, cars, and hotels we disclose a lot of sensitive information. From identity numbers, payment details, phone numbers to our email address. Worryingly, a lot of people do not think twice about handing this information over and do not second guess the safety of the platforms infrastructure. But with increasing data breaches and hacks - latest the Booking.com data breach - this should act as a reminder of how we should think twice when using apps and be cautious about what personal data we give them.

Stay safe and be vigilant when receiving messages about your next business or holiday booking!

Illustration of a phone with Tuta logo on its screen, next to the phone is an enlarged shield with a check mark in it symbolizing the high level of security due to Tuta's encryption.