Has Booking.com Been Hacked (and isn’t Telling Anybody)?

Even the most alert person can sometimes be scammed on the internet. Although it’s easy to mock those supposed Nigerian princes wanting to share their wealth, one does tend to be a bit more believing when the email or phone message contains real information that only a legitimate sender ought to have. One such scam appears to be taking advantage of the Online Travel Agency Booking.com.

According to the Spanish blog InfoViajera – and dozens of reader comments – Booking.com appears to have been hacked. After booking a hotel or apartment through the Online Travel Agency, the guest is approached – often via WhatsApp message – and told that their payment has been declined. As a result, the “property” asks them to make payment outside of Booking.com.

Many readers would undoubtedly notice the red flag and delete the message immediately, except that it typically contains:

  • The full name of the guest
  • Their phone number
  • The property being reserved
  • The exact dates of the reservation
  • The exact amount of the reservation

And if you are accustomed to having online credit card payments declined from time to time – especially in foreign countries off the beaten track – then you can easily fall into the trap.

Luckily, no InfoViajera readers appear to have fallen into the trap.  One message mentioned a problem with “Mactercard” payment systems, an obvious scam, albeit one that you could easily miss.

What is Booking.com Doing About It?

When contacted by InfoViajera readers, Booking.com claims that all is fine. Disturbingly, however, the prevalence of this scam suggests one of two things:

  • Booking.com has been hacked – allowing somebody access to Booking.com reservation information
  • Dozens of smaller Booking.com properties have employees operating (or falling for) a phishing scam

I can’t think of any other access point for somebody to obtain every relevant detail of your accommodation reservation…

Bottom Line

If you are asked to make payment outside of the booking platform, it is surely a scam.  Even so, some scams look more realistic than others…

Have you received a similar message after making a reservation? Let us know in the comments section…

Comments

  1. Susan says

    I just got an Email from [email protected] today telling me: “During routine security monitoring, we discovered that your login credentials may have been compromised via another site unconnected to Booking.com” blah, blah, blah. So yeah, I guess they were hacked?

  2. foo bar says

    Yesterday I got a message notifying me someone logged into my account from Ashburn, United States. Considering I have a 25 character random password, my assumption was that they have been hacked.

  3. Karen says

    Have received messages via WhatsApp from Moldova and Kyrgyzstan stating they’re from Booking.com and asking me to verify details. Booking.com are not very responsive and also difficult to find ways to report this. I did contact the hotel directly to see if they knew of anything and to reassure them I am coming along.

  4. Gogul says

    I made a reservation via Booking.com on 12.01. Today I received a message on WhatsApp from someone calling me by my full name and claiming to be the administrator of the hotel where I made the reservation (full name of the hotel included in the message). The “admin” demanded some answers regarding the number and the name of the guests, the time of arrival, if I wanted transfer from the airport. What caught my attention was the UK prefix of their phone number because my reservation was in a totally different country. So I told the “admin” I would reply via Booking.com chat. Which I did. Then I received a message from the manager of the hotel on Booking.com chat who mentioned that there is a data leak at Booking.com and I should not click on any links received via email or WhatsApp.

  5. Hotel owner says

    The article has a mistake.
    It’s not booking.com who has been hacked. The hotel has fallen into a phishing scam.
    The way they operate: the hackers make a reservation via booking.com and contact the property through the booking.com App, asking the hotel representative to speak with them via email. Then they send a link to the hotel which allows the hackers to gain control of the computer of the hotel representative who pressed the link.
    Then they steal all the usernames and passwords of the hotel which were saved on the computer.

    I know this because I have a hotel, and I’m a victim of the same hackers.

    • Craig Sowerby says

      Makes a lot of sense. I haven’t seen too many people with issues at major hotels – just small ones where a phishing scam is more likely to work. Thanks for sharing…

  6. Roberta says

    Received WhatsApp message posing as hotel manager asking for prepayment. Very official looking message with all correct information, i.e. reservation number etc… and payment link was the same as Booking.com payment page. The payment actually went through as a wire transfer to Nigeria a few days later. Contacted the hotel and they said it happened before.

    • LP says

      I also got a message on booking.com saying I would be contacted by one of the property managers on WhatsApp to finalise a payment and asking for money. My experience in trying to report this and sort it out has been absolutely awful and booking.com have been useless, failing to even recognise there has been a clear data breach. It seems they are covering it up and if so legal action needs to be taken

    • Jane says

      Same thing happened to me on the 23rd, I believed it as all my holiday information was on there. I paid and I’m gutted. The bank won’t refund me and Booking.com have not got back to me after I mentioned my details all being compromised. I don’t know what to do.

      • Lp says

        I’m so sorry to hear this. Report it to Action Fraud and get a crime reference number. Hopefully the more people that report it the more a case can be built against these guys and booking.com, who have clearly had a massive security breach and are doing absolutely nothing about it. Don’t stop bugging booking.com, it is relentless and so time consuming but don’t drop it as this is entirely their fault. I am currently in the process of trying to dispute mine too but they are being so awful.

        I wonder if there is a news agency that would pick this up? Highlighting the amount of victims there has been and the complete lack of security and communication from booking.com.

  7. IT Company in the Netherlands says

    I highly doubt it. We are managing IT for hotels in the Netherlands, with tight security policies applied, multifactor authentication (phonecall) to the extranet implemented, and are using complex passwords.

    Still, last week, we were hacked.
    Dozens of guests were contacted by WhatsApp. On the PCs we are using for booking.com’s extranet, no trace of malware nor any other breach was found. The login-history of booking.com has no unknown logins listed.

    Booking.com is pointing us to a local infection, but, since we use phone-auth to login, this simply can’t be the case.
    An unknown login should be listed in booking.com’s login history, if the attacker did not use local PCs to send these messages.

    All this leads me to the assumption these messages must be sent from booking.com’s extranet itself.

    • Manuel says

      My company in Lanzarote has had exactly the same experience. We use SMS authentication to access Booking.com, and around a dozen of our Booking.com guests were contacted the same way described by other users. I was beginning to think it had been a local security problem, in our PMS or in one of the connected tools, but reading your comment I’m now back to thinking that the problem might indeed lie on Booking.com.

      It all started on January 26th and yesterday I went to the police to report it. I guess if more people do the same hopefully they’ll get to them eventually. My guests have been contacted via WhatsApp by a UK number and a Lithuanian number (and also via Booking.com’s extranet).

      • LP says

        Have you been in contact with booking.com? Have they said whether it was a cyber-security breach on their part or are they not saying anything yet?

        • IT Company in the Netherlands says

          We did, where they repeatedly answer that this problem is not at their end.
          (all replies start with that statement)

          After that, a pre-formulated text with probable causes is pasted into each reply.
          I can see that by the different font being used for this text.

          They state as probable causes:

          Approach #1: The attacker creates a fake Booking.com reservation, either from a fake guest account, a compromised legitimate guest account, or without any account but with a fake email address. They use this booking to contact the partner via ‘P2G’ Chat Platform and request for the hotel’s direct email address, or they give their “fake” email address, so that the hotel can contact them directly outside of the Booking platform.

          Approach #2: The attacker directly contacts the partner via the partner’s email without a fake reservation.
          During these communications, attackers send a ‘phishing link’ with the request to click on it. Some partners have clicked this link, downloading a malicious file which infected their device with malware. This malware enabled the attackers to gain access to the partner’s computer.

          The attackers then primarily gain access to the guest’s phone details, upon which they send a WhatsApp message to the guest, asking them to provide their credit card details for (partial) payment to secure their reservation. Additionally, the attackers sometimes gain access to the partner’s Booking.com Extranet account and remove access to it from the partner. They do this by changing the email, phone number, and 2FA details. This allows them to further access customer personal data and credit card data.

          #1 has not happened. Nobody has been contacted nor had contact with anyone regarding booking.com’s reservations.

          #2 I cannot find any trace that such occurred.

        • Manuel says

          I have. I reported it to my account manager and yesterday I got an email from their “Security Team” telling me that “After a complete review, we cannot currently confirm any unauthorised activity on your account.”, which doesn’t really tell me much.

      • IT Company in the Netherlands says

        Yes. And logical thinking directs to booking.com being somehow compromised.

        I have 25 years of IT security background, and these PCs at our Hotels are not infected.
        (unless proven otherwise)

  8. Cissi says

    Received a WhatsApp message asking for payment synchronization – for me to input my details again. This is a highly intelligent phishing scam – they had all my personal information (reservation number, booking dates, full name), and the payment link webpage’s UI looked almost identical to Booking.com. Furthermore, clicking to sign-in to my account from the scam page took me to what appears to be the real booking.com which had my details cached.

    I am trained to identify phishing scams for my job, but unfortunately this will target many Booking.com customers who will fall victim.

    • LP says

      Are you still able to report it to Action Fraud? The more people that report it the more likely a case can be brought against the scammers and booking.com in order to compensate the victims.

  9. Mihaela says

    I also have received e-mail coming from “Booking” telling me to confirm my card – with my full name and whatsapp message on my phone number from this number +44 7842 077739 plus name of the hotel where I have a booking and amount I have to pay for my reservation – so really A LOT of correct data (stolen from booking.com or the hotel – this I don’t know) PLUS when clicking the link it was a copy of booking.com website. PLUS the same message as from the e-mail, in the chat with the property on booking.com – this was the worst part.

  10. Justine says

    I rec’d a WhatsApp today from someone purporting to be manager of a hotel in Montenegro that I reserved via Booking.com last December for this May asking for all my credit card details so I could pay all now via PayPal (tho I knew no payment was due until May and then it would be via booking.com) and when I balked and said I wouldn’t send them the Visa info they changed their tune and sent me my credit card number and expiration date (on WhatsApp!!!) and name saying they just needed the security code. I contacted Booking.com and the hotel via Booking.com and neither knows anything about the WhatsApp contact and both agreed it was totally wrong, so I guess I should cancel my credit card, though Visa says there have been no attempts at charges yet. All I can think is someone got my data from the hotel’s computer and was trying to use it, especially as no one else here mentions the scammer already having your credit card number!

    • Craig Sowerby says

      Yikes. That is definitely worse than what others are mentioning. It does seem more likely than not that the issue is on the hotel’s end in this case.

      I would cancel your card. Since the security codes are only 3 digits with Visa, it wouldn’t be terribly difficult to guess 999 times. (although your bank would probably cancel it anyhow after a few failed attempts)

      • justine says

        Thanks Craig, I did cancel the Visa card and thankfully Visa hasn’t been charged oddly so far as I can tell, but to the others, I doubt Booking.com is going to do anything. I’ve heard nothing from them and it’s been several days, plus because they had the amount and name of the hotel and my credit card # and expiration date, I think it may have been a scammer/thief on the hotel’s end (they seem to be blaming Booking.com however as the hotel wrote me back “It is very strange,a few reservations in the last few days through Booking.com was also like spam or smth.with attach.which wore some virus. They must put better security.”)

  11. A says

    I also suspect them of getting hacked. Got a notification today that my saved credit card with booking was misused.

    I have not given my credit card details to many websites, so booking is on my very short list. I exclude Google. Maybe Garmin is also on my list because yesterday they had an outage.

    • Craig Sowerby says

      Ironically enough, one of my cards has inexplicably stopped working lately and I was starting to wonder why… But I just can’t recall whether I used it to guarantee a recent Booking.com booking. No attempted Whatsapp messages though…

  12. Clare says

    I have been the victim of a crime and fraud and through no fault of my own was defrauded of 1836 Euros. On January 29th I made a booking via Booking.com for a hotel in Venice. When I received the booking confirmation from Booking.com I also received the following message:
    Ca’ Marinella
    Hello !!! Thank you for booking our apartments. Please contact my manager to complete registration and confirm your reservation. What’s App +37064718907 Alisa. We will send you all the necessary registration information. Please note that you will need to write and send What’s Ap…
    29 Jan 2023 (Please see attachment for full message)

    I sent this person a WhatsApp message as I thought it was needed to confirm the booking and because it came directly from the Hotel’s messaging system via Booking.com. This person did not respond to me until Feb 1 2023. She said that there was an error with my booking and she sent me a link in order to confirm my payment. I clicked on the link and the payment did not go through. The link had the booking.com logo and a chat box bot was also open on the right of the page. I typed into the box that the transaction wasn’t going through and could they help me. The chat box said that I needed to refresh. I did this twice and then the chat box confirmed that the booking was confirmed.

    At approximately 15:42 PM I received an email from the hotel via Booking.com stating that their website on booking.com had been hacked. I should contact my bank.

    I contacted the bank immediately and they cancelled my card. I also had to cancel my hotel booking

    I am extremely stressed and upset about this incident and it has left me feeling very vulnerable.

    I do not see how any of this is my fault as Booking.com failed to protect the safety and security of its customers by allowing their website to be hacked. The Hotel has contacted me via Booking.com to state that they were hacked and I must follow up with the bank and legal authorities. They are also following up with the legal authorities in Italy. When I called the Hotel they told me that more than 1500 people have been scammed and my booking was cancelled. I am interested to take legal action and would like to know if anyone else has been affected. I am so traumatised and psychologically damaged from this incident.

    • Lp says

      Hey! I am in the exact same position as you, the exact same thing happened to me. I am currently awaiting a response from booking.com about what they are going to do about the situation as I too would like to take legal action. I agree it is not our fault but rather the fault of booking.com to protect our details.
      Have you got in contact with booking.com as well? They have been useless with me and said it can take up to 10 days so I am still waiting. Report it to action fraud and get a crime reference number as well! I completely empathise as I am in the exact same boat and am so beyond angry with booking.com and their useless customer service

      • Clare says

        I have contacted booking.com and they said that they have escalated the matter to their internal team. No mention of refund or what they will do. I believe they must refund us total amount we have been defrauded as well as issue us compensation for the money we lost on having to book other hotels and the mental stress this is causing. They have enabled our security and privacy to be breached and it is just appalling. I would be interested in taking legal action if this is not resolved in the right way. Is there any way that we may know who has been affected so that we can get together and take a plan of action?

        • jane says

          I got the same message a week ago but the hotel blames booking.com and vice versa. They keep asking me for a merchants name and the amount I sent to the hotel!!! I keep saying I was scammed, the hotel didn’t get the money it was the scammers. Reading all the above comments makes me feel less foolish and alone but I really need my money back! I would definitely participate in a plan of action, media coverage maybe??

          • Clare says

            I have received an update today from Booking.com in which they will refund me the payment. Fingers crossed. I’ll hold my breath until it’s in my account. I emailed the CEO which I think helped. His email is: [email protected] I wish you all the best. Keep pestering them by phone and email.

        • LP says

          That is such a relief they have refunded you! How long ago did you first raise this with booking.com? I am wondering how long it may be until they get back to me

          • Clare says

            I have been calling and emailing them twice a day since February 1 when the incident happened. I emailed the CEO and all top executives yesterday and got a call in the middle of the afternoon to say I would be refunded the total amount. I wish you all the best. Just keep pestering them.

          • jane says

            That sounds encouraging for all of us too Clare, I have just emailed the CEO as you suggested but other emails are hard to find. I keep being asked for the Merchants name!!! There is no merchant it was a scammer. I feel like I am banging my head against a brick wall. They know this has happened and would hate it to hit the news. Please let us all know if you get refunded.

          • Clare says

            I’m still waiting for the refund to be sent to my booking.com wallet. Then I must download it to my card. That seems to be how they refund. They said it takes up to 7 working days. Will let you all know

  13. Li says

    Same for me. A hotel sent me message via Booking app to transfer money as prepayment to some weird account, and to whatsapp a screenshot once transferred. I know it’s a scam bcos i stayed there many times and they have never done such a thing. And the replies by the “hotel” are very un-customer service. I know not to transfer. Hotels don’t do that. If legit prepayment they can just hold the amount in my credit card via booking.com

    I emailed the hotel’s email address, and they replied they changed policy and it’s not a scam lol. So i guess even the hotel’s email was hacked.

    So now i’m waiting for Booking.com’s customer service to reply me.

  14. David says

    Same thing happened to me yesterday. I was spitting some pretty serious language on Reddit (on the South Africa sub)
    Happened with WhatsApp message…UK number. The guy is even smiling on his profile. What an asshole!

  15. Jane says

    Just had email from Spencer miss chief security officer. He knows about the situation. He said they are working on a backlog of incidents and I will get a response when it’s fully investigated. At least I have a decent reply and feels a little more promising. I recommend anyone struggling to get answers email him. He got back within 2 hrs of me emailing the CEO like Clare 🤞

  16. Thomas says

    Thank you for this article! The exact same thing happened to me and right now this seems to be the only place Online where you can follow the process. I believe the backlog must be massive so I can only wait for Booking.com to get back to me.

    • Craig Sowerby says

      Yes… many thanks to those people sharing information about their cases and what they’ve done to get Booking.com involved. (and please be patient as I have to manually clear many comments from our spam blocker before they can be seen online – how ironic!)

  17. sofiene says

    My saved virtual card that I use only for booking has been compromised as well, which led me to this article. 2 payments from different shops in the US were attempted (one of them is labeled « g squared holdings » the other one is general) Hopefully the CVV was wrong and I could block the card after I received an alert. Booking is definitely hacked
