Stolen Booking.com data already used in reservation hijacking scams
Speed from breach to attack ‘signals something more deliberate than opportunistic’
Booking.com customers are being warned to remain vigilant after a data breach this month, which exposed personal booking details, has triggered a surge in "reservation hijack" scams.
Earlier this week the travel giant confirmed hackers had gained access to some customer information, following what it described as "suspicious activity" involving unauthorised third parties.
The breach was identified after Booking.com detected unusual access to guests' booking data.
The company said it had taken steps to contain the issue, including updating security credentials linked to affected reservations and notifying customers.
While Booking.com declined to reveal how many people were impacted, it said no financial information had been accessed.
However, the company acknowledged that attackers may have obtained sensitive booking-related data, including names, email addresses, phone numbers, travel dates and accommodation details.
Some Booking.com customers contacted the BBC saying they have received unexpected messages relating to their reservations.
The company urged users to be cautious, warning that it will never request credit card details via email, phone calls, messaging apps or text, nor ask for payments that differ from the original booking terms.
Reservation hijacking surge feared
Cybersecurity experts say this type of information is highly valuable to fraudsters, allowing them to craft convincing and highly targeted phishing attacks.
Researchers at Norton have labelled the emerging threat "reservation hijacking."
In these scams, criminals impersonate hotels or guest services, contacting travellers with messages that appear routine but are designed to trick victims into sending money or sharing payment details.
Victims report receiving messages that reference real bookings, including correct hotel names, dates and personal details, making the communications appear legitimate.
Luis Corrons, a security specialist at Norton, said the Booking.com breach significantly increases the effectiveness of such scams.
"Reservation hijack scams have been around for some time, but this new data makes them much more dangerous because it gives criminals precision as they can reference the real property, the real travel dates, the right contact details to make the scam feel like routine customer service."
Targeting of travel platform
Booking.com has previously faced waves of similar attacks.
In January, Securonix revealed a "click-fix" phishing campaign attributed to Russian hackers that targeted Booking.com users, attempting to trick them into downloading malware onto their devices.
The attackers reportedly sent fake emails posing as hotels, claiming a reservation had been cancelled and a significant fee applied, urging recipients to follow malicious links to resolve the issue.
Darren Guccione, chief executive of Keeper Security, said the speed at which scams have followed the Booking.com breach is concerning.
"When a breach at a platform the scale of Booking.com moves from data exfiltration to active phishing campaigns within days, it signals something more deliberate than opportunistic," he said.
Booking.com continues to invest in new safety measures, but acknowledges that no single solution can eliminate the risk entirely.