The online booking giant Booking.com confirmed a new data leak affecting its customers, potentially millions of travelers, spotted in mid-April 2026. Unauthorized third parties were able to access certain reservation information, then used to launch credible scams targeting travelers. Several testimonials report fraudulent messages on WhatsApp or by e-mail which includes your dates of stay and the name of your hotel.
In a message sent to Phonandroid, Booking.com states: “At Booking.com, the security and protection of our customers’ data are our top priorities. We recently identified suspicious activity involving unauthorized third parties, who may have accessed certain booking information of our customers.” The group claims to have reset the PIN codes of affected reservations and ensures that no financial information was accessed. One key question remains: what should you check now?
Booking.com data leak: what information was really leaked?
According to the first elements communicated, the data concerned includes the name, email address, telephone number, postal address, dates of stay and reservation number, as well as “anything you may have shared with the accommodation”. On Reddit, a traveler says: “My reservation was part of this security breach; I was contacted by scammers via a WhatsApp Business account.” The fraudsters then redirected him to a fake site Booking.com imitating a VISA 3D Secure page, with supporting photos of the hotel. This makes phishing attempts particularly difficult to spot.
Booking.com: urgent checks to do on your account
To limit the risks, a few quick checks are necessary on your account Booking.comdirectly from the official site or application.
- Check your emails and notifications Booking.com : the company normally notifies customers whose reservation PIN code has been changed.
- Review each upcoming reservation: dates, amounts and status must not have changed without your agreement.
- Open the reservation’s internal messaging system and ignore any message requesting payment, transfer or urgent card validation.
- Change your password Booking.comespecially if it is reused elsewhere, then enable two-factor authentication if possible.
- Take a look at your latest bank statements and activate your bank’s alerts for any online payments.
Booking.com customers: what to do in case of scam or doubt?
If you have entered your bank details on a fake site or validated a suspicious payment, call your bank immediately to object. Then change your account password Booking.com and your email address.
Keep all messages and screenshots, then report the scam on Cybermalveillance.gouv.fr and, in the event of a proven leak, to the CNIL. THE GDPR also allows you to ask Booking.com what data has been affected and, in the event of damage, to consider recourse with the help of a consumer association or a lawyer.