Scam warning: Rise in 'reservation hijacking' following Booking.com data breach as customers complain all their details have been stolen
A growing number of Booking.com customers have complained all their details have been stolen and are being used in an attempt to scam them on social media.

It comes after Booking.com suffered a security breach last month, with customers' data leaked to a 'third party'.

Thousands of customers from Booking.com received an email in April warning them that their information may have been affected by the breach.

That information could include 'booking details, names, emails, addresses, phone numbers, and anything that you may have shared with the property'.

Reservation PIN numbers were changed as part of the company's effort to keep existing bookings secure.

But many Booking.com customers are now taking to social media to complain they're being scammed - in what has been dubbed 'reservation hijacking' by security experts at Norton, who are warning of the increasingly widespread trend.

[Image caption: Booking.com suffered a security breach with the leaking of some guest information]

One X user, Quentin André, wrote: 'Things are about to get real scary. I got a WhatsApp message about a hotel reservation I made on Booking.com. They have my correct hotel name, correct dates, correct amount, everything. They ask me to confirm my credit card details, without which they'll cancel my reservation.

'Now, I know Booking.com doesn't do that. I noticed the domain name isn't booking.com. I don't know how they got my reservation details. Either Booking.com got hacked, or the hotel. I suspect this type of automated attacks is going to become very common.

'This came with the whole chain of communication for the booking.
Looks legit but the urgency caught my attention.'

In this fast-growing new fraud trend, attackers use real booking details to impersonate hotels and trick travellers into handing over payment information.

And with peak travel season approaching, this scam is already surging across the UK - travellers aren't being caught out by poor spelling; they're being caught out because the message looks exactly like something they'd expect before a holiday.

These attacks are often timed around upcoming trips, making them feel urgent and relevant.

In many cases, the scam unfolds within trusted environments such as booking platforms, hotel messaging systems, or even WhatsApp, which makes it significantly harder for consumers to spot.

And Quentin is clearly not alone.

Another commented on his post: 'My wife received the very same email.'

A second chimed in: 'I got an email to say they’d changed all my security pins for all my bookings due to some sort of data leak… I’ve had the exact same message as well for my reservations but they’re all scams - it’s scary that all my private information has been leaked like this.'

[Image caption: The 'reservation hijack scams' can target you via text, using details from your actual booking]

Another wrote: 'This happened to me too. I reported it to Booking.com and they contacted the hotel. Turns out their IT system was hacked.'

Meanwhile, @ankitandmel wrote on X: 'I received a similar message on WhatsApp for a booking in Vietnam, and a friend for her Scandinavian hotel. Both messages claimed to be from the hotel and had ALL our details given to Booking.com and asked us to click on a link to confirm and avoid cancellations.'

Fellow traveller Brian Mackenzie wrote on Facebook: 'Almost got caught out using Booking.com.

On Reddit, another traveller detailed the scam - and warned others.

The user, GeneralAmbassador304, wrote: 'Like many of you, I recently became a victim of the sophisticated Booking.com phishing scam.

'I booked a hotel for a trip to Riga.
A few weeks later, I received a message on WhatsApp pretending to be the hotel. It wasn't a generic spam message - they had everything: my full name, my exact check-in dates, and my unique Booking Reference Number.

'Because the data was so accurate, I thought it was real. I clicked the link, which looked exactly like the Booking interface, and entered my card details to "confirm" the reservation. Result? My card is compromised, but I managed to catch it in time and promptly blocked the card through the bank.

'We all know this is happening on a massive scale.

'I’ve read countless posts here on Reddit about the exact same thing. Scammers are messaging people inside the Booking app and on WhatsApp with stolen data.

'It’s time to stop complaining and start acting.

'One complaint might be ignored. But if hundreds of us file a GDPR complaint about the same issue, the regulator will be forced to launch an investigation.'

[Image caption: Email impersonation phishing uses the hotel name, where the attacker poses as a legitimate accommodation and sends a pre-arrival message]

[Image caption: Alternatively, the hack can take place via websites such as Booking.com]
There are two primary ways attackers are carrying out 'reservation hijacking'.

The first is impersonation, where scammers pose as hotels or booking providers using highly convincing messages, branding, and context.

The second, more sophisticated route is account takeover, where attackers gain access to legitimate hotel or partner systems.

This allows them to contact guests through real booking platforms using genuine reservation details, making the communication appear completely authentic.

What makes this scam particularly effective is that it removes many of the warning signs people have been trained to look for.

Messages often reference real bookings, including hotel names, dates and locations, and are delivered via trusted platforms rather than random emails.

As a result, even cautious consumers can be caught off guard, especially when the message creates urgency around payments or booking issues.

Someone on Facebook confessed: 'This is a well-known phishing scam with Booking.com bookings.

'Unfortunately, I fell for it in 2024, and lost about $1,500 (£1,110) for a Sri Lankan hotel. Upon following up with the hotel, they mentioned that a lot of guests have complained of the same. It's clear that Booking.com's systems are compromised. Deleted the account and never used booking again. This scam has been going for at least three years.'

In light of the rise in travel-related scams, the Daily Mail previously spoke to experts about the impact the Booking.com data breach will have on holidaymakers.

The incident is scary because of its future consequences - not just the initial wave of scams.

Chris Skipworth, CEO of secure collaboration tool Passpack, said: 'The real risk here isn't just the breach itself; it's what comes next.
We're already seeing reports of targeted WhatsApp messages and phone calls that reference real reservations.

'Attackers know that travellers are under time pressure; if someone tells you there's a problem with your booking three days before your flight, the natural instinct is to act immediately rather than pause and verify. That urgency is exactly what criminals exploit.'

Luis Corrons, Norton Security Evangelist, echoes this, saying: 'The concern with a breach involving a major travel platform like Booking.com extends further than the exposure of personal data – it's about how easily the information can be turned into convincing fraud.

'Even relatively basic details such as names, booking references, travel dates or contact information can be enough to make a message feel authentic and routine.

'What tends to follow incidents like this is a wave of highly targeted scams that blend into the travel experience itself.

'Because attackers are working with real data, they don't need to invent a story – they can mirror genuine booking communications and make fraudulent messages look like standard pre-travel updates or customer service requests.

'The risk for travellers is that accuracy can create false confidence. A message that contains correct booking details can still be malicious if it introduces pressure, whether that's a request to verify information, update payment details, or act within a short timeframe.

'If you think you may have been affected, the key is not to engage with messages at face value. Even if they appear legitimate, the safest approach is to treat them as unverified and go directly to the official booking app or website, or contact the accommodation directly using details you trust.'
[Image caption: Luis Corrons, Norton Security Evangelist, says leaked information can be turned into convincing fraud]

[Image caption: Vonny Gamot, head of EMEA at online protection company McAfee, advises enabling Two-Factor Authentication across devices and accounts]

It's clear that scams have become far more complex and specific - and therefore harder to spot.

So, what can travellers do to stay safe?

Vonny Gamot, head of EMEA at online protection company McAfee, said: 'In the wake of a data breach, it's wise to be cautious.

'Scammers are likely to capitalise on the situation, posing as Booking.com or other legitimate organisations offering you help to get back into your account - a common tactic after a breach.

'It's also important to understand that your information could be used to create a ripple effect of scams targeting your other online accounts. But it isn't difficult to stay one step ahead and feel confident about your online safety.'

Vonny shared her top tips to take control of your personal information and online safety.

'Number one: Assume you're affected. Even if you haven't received notification from Booking.com, assume your information may have been compromised if you are or have been a customer. Companies often take weeks to identify all affected individuals.'

She adds you should change passwords immediately.

She says: 'Enable Two-Factor Authentication everywhere: if you haven't already, enable two-factor authentication (2FA) on all accounts that support it across all banking, email, and shopping accounts. This adds a crucial second layer of security.'

You should also check bank statements, credit card bills, and investment accounts for any unusual activity.
Set up account alerts if you haven't already; many financial institutions offer real-time transaction notifications.

Vonny's next tip is as follows: 'Consider online protection tools: McAfee's Scam Detector can also alert you to suspicious text messages and emails that you receive, which is particularly valuable in the aftermath of a breach when criminals often launch targeted phishing campaigns using stolen contact information.'

A Booking.com spokesperson said: 'Should a customer ever have any concerns about a payment message, they should carefully check the payment policy in their booking confirmation.

'It's good to remember that no legitimate transaction will ever require a customer to provide their credit card details by phone, email, or text message (including WhatsApp), or ask guests to make a bank transfer that is different from the payment policy. A reminder to report any suspicious payment messages is also featured at the top of the booking confirmation and in our chat function.'