Booking.com Security Breach Exposes Hundreds of Travelers to Fraud
A significant security breach at Booking.com has resulted in hundreds of Dutch travelers falling victim to fraud, with losses exceeding €65,000 in early 2026 alone. Hackers compromised hotel accounts on the platform, sending convincing fake messages to guests via the Booking.com app, WhatsApp, and email, demanding payments for alleged missing deposits.
The attackers gained access to booking details, including guest contact information, by exploiting weak security practices. Ethical hacker Sijmen Ruwhof noted that criminals use AI tools to replicate hotel communications with near-perfect accuracy, making the scams difficult to detect. Compromised accounts often stem from reused passwords from data leaks or phishing attacks targeting hotels with malware-laden attachments.
The fraud has surged globally, with reported cases in the UK, France, and Singapore, alongside the Netherlands. While Booking.com claims its security measures have improved citing a decline in internal victim counts public reporting has increased, with 200 Dutch victims in 2025 compared to 89 in 2024. The company acknowledged the issue has persisted since 2023, affecting multiple major platforms.
Booking.com advises travelers to verify payment requests directly with hotels and treat unsolicited links with suspicion, though it offers assistance in recovering lost funds when possible. The breach highlights ongoing vulnerabilities in third-party account security and the growing sophistication of AI-driven fraud.
Source: https://nltimes.nl/2026/01/16/hundreds-dutch-travelers-defrauded-hackers-hijack-bookingcom-accounts
Booking.com cybersecurity rating report: https://www.rankiteo.com/company/booking.com
"id": "BOO1768736831",
"linkid": "booking.com",
"type": "Breach",
"date": "6/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Hundreds (Dutch travelers '
'primarily, with cases in UK, '
'France, and Singapore)',
'industry': 'Travel/Hospitality',
'location': 'Global',
'name': 'Booking.com',
'type': 'Company'}],
'attack_vector': ['Phishing', 'Compromised Accounts', 'Malware'],
'customer_advisories': 'Verify payment requests directly with hotels and '
'treat unsolicited links with suspicion',
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable '
'information)',
'type_of_data_compromised': ['Guest contact information',
'Booking details']},
'description': 'A significant security breach at Booking.com resulted in '
'hundreds of Dutch travelers falling victim to fraud, with '
'losses exceeding €65,000 in early 2026. Hackers compromised '
'hotel accounts on the platform, sending convincing fake '
'messages to guests via the Booking.com app, WhatsApp, and '
'email, demanding payments for alleged missing deposits. The '
'attackers exploited weak security practices to gain access to '
'booking details, including guest contact information.',
'impact': {'brand_reputation_impact': 'Significant',
'data_compromised': ['Guest contact information',
'Booking details'],
'financial_loss': '€65,000+ (early 2026)',
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': ['Booking.com platform', 'Hotel accounts']},
'initial_access_broker': {'entry_point': ['Reused passwords',
'Phishing attacks targeting hotels'],
'high_value_targets': 'Hotel accounts'},
'lessons_learned': 'Highlights ongoing vulnerabilities in third-party account '
'security and the growing sophistication of AI-driven '
'fraud.',
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': ['Improved security measures '
'(claimed by Booking.com)'],
'root_causes': ['Weak security practices',
'Reused passwords from data leaks',
'Phishing attacks']},
'recommendations': ['Verify payment requests directly with hotels',
'Treat unsolicited links with suspicion',
'Avoid reusing passwords'],
'references': [{'source': 'Ethical hacker Sijmen Ruwhof'}],
'response': {'communication_strategy': 'Advises travelers to verify payment '
'requests directly with hotels and '
'treat unsolicited links with '
'suspicion',
'enhanced_monitoring': 'Improved security measures (claimed by '
'Booking.com)'},
'title': 'Booking.com Security Breach Exposes Hundreds of Travelers to Fraud',
'type': 'Fraud/Scam',
'vulnerability_exploited': ['Reused passwords from data leaks',
'Weak security practices']}