The Booking.com portal is one of the most popular platforms for offering and booking short-term accommodation. In the European Union alone, it is used by over 45 million people per month and the number of accommodation options is constantly increasing (in Q2 2025 there were 8,4 million offers, an increase of 8% year-on-year). It is also a prime target for hackers, because in addition to user data, it also contains payment card details. And now Booking.com has admitted to a massive data leak.
Considering the number of platform users Booking.com suddenly millions of people found themselves in direct danger. Hackers managed to break into the system and obtained information about current reservations connected with names, addresses and other data The platform acknowledged the massive breach and immediately sent an email to all affected users requesting them to change their login details and reset their PINs. However, it declined to disclose how many people were affected by the attack.
Gallery
Fear of phishing
However, many people have a natural distrust of emails asking them to change their password or PIN. And that's a good thing, because phishing attacks It's growing steadily and hackers are getting more and more inventive. Oddly enough, Booking.com made the mistake of not sending the warning email from its main official address, so many people ignored it as another phishing attempt.
A heated debate also broke out on the forum Reddit, where people shared their findings and discussed whether it was a scam or a real warning from the travel platform. However, Booking later confirmed the information to Bleeping Computer: "We recently experienced suspicious activity where unauthorized third parties may have gained access to some of our guest reservation data." Apparently, it wasn't just names and contact details, but the attackers also got some of the private conversations between clients and accommodation providers.
The bad news is that what's done can't be undone. Someone is now holding a huge database names, email and postal addresses, and phone numbers of millions of people. And it can be abused at any time and in any way. Booking.com admitted the error, but does not offer any additional tools for greater user protection. At the same time, it did not disclose how such an unprecedented attack could have occurred.
