Booking.com Data Breach 2026: What to Do Now to Protect Yourself

What Happened

On April 13, 2026, Booking.com began sending emails to customers confirming that hackers had gained unauthorized access to reservation data. The company detected suspicious activity affecting an unspecified number of bookings and took steps to contain the breach.

According to the notification, the exposed data may include:

• Full names, email addresses, and phone numbers
• Booking details: hotel names, check-in/check-out dates, reservation references
• Anything shared with the accommodation through the platform (special requests, messages, ID documents)

Booking.com says payment information was not accessed. The company has not disclosed how many customers were affected, how the attackers got in, or how long they had access to the system. The thing we need to know is that Booking.com has over 100 million active mobile app users and processed 1.1 billion room nights in 2024 alone.

Protect yourself right now – check where your data has been exposed and start removing it with ClearNym.

The Scams Have Already Started

This isn’t a theoretical risk. Within days – and in some cases weeks before the official notification – Booking.com users began reporting targeted phishing attacks using their real booking data.

Real cases reported by victims on X and Reddit:

• Unauthorized credit card charges. On April 12, user @meabed posted on X that he discovered 2 unauthorized transactions on the card he used for a booking – one day before Booking.com even sent its notification.
• WhatsApp scam with exact travel details. Verified X user @grkn received a WhatsApp message from a Brazilian number about his Paris hotel booking. The scammer knew his full name, hotel, and exact travel dates.
• Phishing before the notification. A Reddit user reported receiving WhatsApp messages with their booking details two weeks before the official breach email. They wrote: “This person knows where I go, when I go, and who I am”. Booking.com didn’t respond for two weeks.
• Fake “travel agency” calls. Multiple users reported calls from people claiming to confirm reservations. When asked for a company name: “That’s not important”. When pressed – they hung up.

Key detail: At least one victim received phishing messages two weeks before the official notification. This means the stolen data was circulating and being exploited long before most customers were warned.

A Pattern, Not an Incident: Booking.com’s Full Breach Timeline

The April 2026 breach is not an isolated event. It’s the latest in a decade-long pattern of security failures at one of the world’s largest travel platforms.

Year	What Happened	Scale / Outcome
2016	A hacker linked to U.S. intelligence services stole reservation PINs and travel itineraries from Middle Eastern hotels. Booking.com kept the breach secret – customers were never notified.	Thousands of reservations in Qatar, Saudi Arabia, UAE. No public disclosure.
2018	Criminals phished hotel employees in the UAE, stealing login credentials to access booking data. Booking.com reported the breach 22 days late, violating the GDPR’s 72-hour rule.	4,109 customers exposed. 283 credit cards compromised. €475,000 GDPR fine.
2020	A misconfigured cloud server at Prestige Software (a third-party booking tool) exposed data from Booking.com, Expedia, Hotels.com and other platforms – potentially dating back to 2013.	Up to 10 million customer records. Full card numbers + CVVs exposed.
2023–2025	Ongoing campaign: hackers infect hotel computers with info-stealer malware, hijack Booking.com partner accounts, and send phishing messages through official channels. Booking.com reported a 900% increase in phishing attacks on travelers in 2024.	530+ fraud cases in UK alone (£370,000 lost). Credentials sold on dark web for up to $5,000 each.
April 2026	Booking.com confirms unauthorized access to reservation data. Customer names, emails, phone numbers, and booking details exposed. Phishing attacks using real booking data began weeks before official notification.	Unknown number of victims. 100M+ active mobile users at risk. No identity protection offered.

The financial context makes this even more striking. Booking Holdings generated $26.9 billion in revenue in 2025 and $5.8 billion in net profit in 2024. The largest fine the company has ever received for a data breach? €475,000 – roughly 0.002% of annual revenue. For a company of this size, that’s not a deterrent. It’s a rounding error.

What to Do Right Now If You Used Booking.com

If you’ve ever booked through Booking.com – not just recently – take these steps:

1. Change your password and enable two-factor authentication. Change it anywhere else you reused it.
2. Check your bank statements for unauthorized charges – users have reported fraudulent transactions despite Booking.com’s assurance that payment data wasn’t accessed.
3. Ignore unexpected messages about your bookings. Booking.com will never ask for payment details via phone, email, WhatsApp, or SMS.
4. Consider a credit freeze with Equifax, Experian, or TransUnion if you believe your data was exposed.

But here’s what most breach advice leaves out: changing your password doesn’t remove the personal information that’s already publicly available about you.

Why This Breach Is More Dangerous Than It Looks

Stolen booking data doesn’t stay in one place. It gets sold on dark web forums and cross-referenced with your profiles on data broker sites like Spokeo and Whitepages.

Here’s what that looks like in practice: A criminal buys your Booking.com data and learns you’re staying at a hotel in Barcelona from June 10–17. They search your name on a people-search site and find your home address in seconds. Now they know your house is empty for a week, which car is in your driveway, and who your family members are. In 2014, a similar travel data leak at HotelHippo.com was called “a gift for burglars” for exactly this reason.

A password change won’t fix that. Removing your data from these sites will.

ClearNym scans 350+ data broker sites, finds where your personal information is listed, and sends removal requests on your behalf – continuously, not just once. The fewer places your data exists, the harder it is for criminals to build a profile on you.

Run a free scan at ClearNym – it takes a few seconds to see how exposed you are.

References

• TechCrunch, “Booking.com confirms hackers accessed customers’ data.” 
• BleepingComputer, “New Booking.com data breach forces reservation PIN resets.” 
• Cybernews, “Booking.com breach sparks scam wave targeting travelers’ bookings.” 
• HackRead, “Booking.com Confirms Data Breach as Hackers Access Customer Details.” Help Net Security, “Booking.com data breach: Customer reservation data exposed.” 
• Computing.co.uk, “Booking.com was breached by a hacker with links to US intelligence services.” 
• European Data Protection Board, “Dutch SA fines Booking.com for delay in reporting data breach.” 
• Gadget Review, “Booking.com Hit by Fresh Security Breach, Travelers Told to Watch Accounts.” 
• Action Fraud UK, “Booking.com users targeted with scam messages.” 
• TravelMole, “Ten million customers’ personal data exposed by booking software glitch.” 
• ClearNym, clearnym.com