Booking.com data breach: what you need to know

Customers of Booking.com have received emails warning that their data may have been exposed following 'unauthorised' access to their reservations.
Emails sent by the online booking platform on Monday claim that names, email addresses, home addresses and phone numbers could have been compromised.
The issue appears to impact customers across different hotels and accommodation, although Booking.com hasn't confirmed the scale of the breach or how it was carried out.
Which? is warning Booking.com customers to be vigilant, as the breach is likely to increase the chances of targeted, personalised phishing scams in the coming months.
Booking.com scams
Which? has repeatedly sounded the alarm about the lack of robust safeguards on Booking.com and the sheer scale of scams reported on the site. These include Booking.com customers saying they'd paid for accommodation that turned out not to exist, bogus listings that Which? has warned about, and scammers abusing Booking.com's in-app messaging function.
Last year, we were able to list a fake holiday home in minutes without undergoing any identity verification checks. At the time, Booking.com told us that if it’s alerted to issues with listings, it investigates immediately, removing them if necessary. It said it’s using new technology to identify suspicious behaviour and block malicious links.
To make the platform safer, we want Booking.com to implement the following steps:
- Actively monitor and investigate listings with multiple reviewers complaining that they’ve been scammed.
- Make it mandatory for all users of the site to have two-factor authentication set up. Although Booking.com told us that criminals can bypass this, it does make it harder for them.
- Block all malicious links.
- Improve the training that it says it already provides for hotels and other hosts.
What to do in a data breach
If your personal data is stolen, there are steps you can take to try and minimise the damage:
- Consider changing your password and make sure you're using strong, unique passwords on each of your online accounts. A password manager can help you remember them. Always enable two-factor authentication where possible.
- Closely monitor your credit reports for any unrecognised accounts or searches (including soft searches).
- Be wary of scams. If you're contacted by anyone asking you for personal details, payments, passwords or one-time passcodes, take steps to check their true identity.
- Learn more about your rights in a data breach and how to request compensation.
What does Booking.com say?
The firm, based in the Netherlands, didn't answer our questions about the cause and scale of the breach, but provided the following statement:
'At Booking.com, we are dedicated to the security and data protection of our guests. We recently noticed some suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information.
'Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.'


