Has Booking.com Been Hacked (and isn’t Telling Anybody)?

a room with a bed and chairs

Even the most alert person can sometimes be scammed on the internet. Although it’s easy to mock those supposed Nigerian princes wanting to share their wealth, one does tend to be a bit more believing when the email or phone messages contains real information that only a legitimate sender ought to have.  One such scam appears to be taking advantage of the Online Travel Agency Booking.com.

According to the Spanish blog InfoViajera – and dozens of reader comments – Booking.com appears to have been hacked. After booking a hotel or apartment through the Online Travel Agency, the guest is being approached – often via Whatsapp message – informing them that their payment has been declined. As a result, the “property” is asking them to make payment outside of Booking.com.

Many readers would undoubtedly notice the red flag and delete the message immediately, except that it typically contains:

  • The full name of the guest
  • Their phone number
  • The property being reserved
  • The exact dates of the reservation
  • The exact amount of the reservation

And if you are accustomed to having online credit card payments declined from time to time – especially in foreign countries off the beaten track – then you can easily fall into the trap.

Luckily, no InfoViajera readers appear to have fallen into the trap.  One message mentioned a problem with “Mactercard” payment systems, an obvious scam, albeit one that you could easily miss.

What is Booking.com Doing About It?

When contacted by InfoViajera readers, Booking.com claims that all is fine.  Disturbingly, however, the prevalence of this scam suggests that:

  • Booking.com has been hacked – allowing somebody access to Booking.com reservation information
  • Dozens of smaller Booking.com properties have employees operating (or falling for) a phishing scam

I can’t think of any other access point for somebody to obtain every relevant detail of your accomodation reservation…

Bottom Line

If you are asked to make payment outside of the booking platform, it is surely a scam.  Even so, some scams look more realistic than others…

Have you received a similar message after making a reservation? Let us know in the comments section…

Comments

  1. Susan says

    I just got an Email from [email protected] today telling me: “During routine security monitoring, we discovered that your login credentials may have been compromised via another site unconnected to Booking.com” blah, blah, blah. So yeah, I guess they were hacked?

    • Nitesh says

      I have been victimized of a similar incident on Booking. com.
      Can someone please help on this?

      • Karina says

        Hi there I have had 2 different credit cards with charges to Booking.com.syd,Aus , I live in NZ and have not used booking.com, I have disputed these with the bank and had our cards blocked, this has happened 2 months in a row, first my husbands card so we blocked that, now my card (also now blocked) any one else had this happen????

        • Marianne Moess says

          Yip I live in NZ have had $1300 charged to my credit card for accommodation in Auckland that I never heard off, never booked and haven’t even been to Auckland. I did have bookings for a Japan trip coming up but have now cancelled them all. The accomodation place confirmed the booking was made through BDC . Bank investigating, Police notified and also Netsafe and CERT in Nz. Customer service nil. Never will use them again. Worldwide problem of not paying their hosts. They are also accomodation sponsors of FIFA women’s World Cup, go figure. CEO earns $30+ mil USD, and yet here we all are struggling to get what would be small change to him, but hard earned coin for us back

        • Kajetan says

          Hi, I have same problem, but I received that message directly from booking app… and now booking seems to not be bordered at all and won’t help me.

      • J. says

        Yes, I got the exact message. I dis not fall for it. I booked a room in Varna Bulgaria and got the message from a Romanian number. I canceled reservation due to this.

    • Liz says

      I have reported 2 data breaches in 3 months
      To the ICO in UK . Ive been trying to retrieve moneys booking.com owed me from Dec 2022 -I have received the personal and financial details of 2 separate individuals

    • Molly says

      13/09/23 I received an email from who I thought was booking.com asking to confirm my bank card details which would need to be done within next 24 hours to secure the hotel. I had 3 attempts to put in my details and each time after 10 minutes it was failed attempts, I then sent the hotel an email to say cancel the booking as I will book elsewhere, I received a phone call from the hotel to say it was a scam.. booking.com had been hacked! On reading the stories on here it seems a regular occurrence…why on earth aren’t booking.com informing people of this! So we can be aware and alert! I’m sooooooo annoyed! Iv just spent an hour cancelling my card with my bank and now having to wait up to six days for a new one!

      • Johnny says

        This is exactly what I experienced. About a week before my stay I got a mail and subsequent mails and chat messages from the hotel telling me to verify my credit card. 3 attempts ending in a blank page resulted in 3 charges to my account for a total of $1100 USD. The hotel plays “we are equally shocked” and I’ve had no response from booking.com. My bank says it’s on me.
        I’m going to turn against the hotel now, because I think it’s their security problem.

        • Craig Sowerby says

          I recommend you keep chasing the massive corporation (Booking) for your refund, rather than the hotel. It seems that they have issued refunds to customers who have filed police reports and can show they were scammed via the booking.com email system…

  2. foo bar says

    Yesterday I got a message notifying me I someone logged into my account from Ashburn, United States. Considering I have a 25 character random password, my assumption was that they have been hacked.

    • Michael says

      I also received such msgs twice. I initially ignored them until I looked at my emails and observed someone had made 19 reservations in China all for the same duration and dates. As much as customer service attempted to help me resolve situation I ultimately deleted my account as I no longer feel safe using this account as they were also using my email account as well. Sorry as I had good experiences with this company previously.

  3. Karen says

    Have received messages via What’s App from Moldova and Kyrgyzstan stating they’re from Booking.com and asking me to verify details. Booking.com are not very responsive and also difficult to find ways to report this. I did contact the hotel directly to see if they knew of anything and to reassure them I am coming along.

  4. Gogul says

    I made a reservation via Booking.com on 12.01. Today I received a message on Whatsapp from someone calling me by my full name and claiming to be the administrator of the hotel where I made the reservation (full name of the hotel included in the message). The “admin” demanded some answers regarding the number and the name of the guests, the time of arrival, if I wanted transfer from the airport. What caught my attention was the UK prefix of their phone number because my reservation was in a totally different country. So I told the “admin” I would reply via Booking.com chat. Which I did. Then I received a message from the manager of the hotel on Booking.com chat who mentioned that there is a data leak at Booking,com and I should not click on any links received via email or Whatsapp.

    • Tracy Heppell says

      I’ve had exactly the same thing today 1st March 2023 asking for synchronisation of payment. I refused and they told me I wouldn’t be able to stay at the hotel!! Great customer service and a huge red flag that this is a scam.

    • Munawar Afridi says

      It happened to me yesterday with the email originating from booking.com.
      I got lucky because they weren’t able to process the payment and cancelled both cards which is a terrible inconvenience to me.
      Let’s see what their customer service comes back with.

    • Marjan says

      The same happened to me. But I also received a message through the Booking.com app and that message rerefed to an email that had been send. First attempt July 4th and 2nd attempt today. What is interesting is that I have several bookings done for the coming months but it is only 1 hotel who is having trouble. The hotel even warned us and now again. I think they have certain software on their computer that can see every change they do on their computer

      • Marjan says

        I just posted the above reply. Now you send me an email with a direct link to click on to confirm. But I am not going to click on a button.!! That is just what is happening with this scam. I will never click on 1 button. Never!!

  5. Hotel owner says

    The article has a mustake.
    It’s not booking.com who has been hacked. The hotel has fallen into a fishing scam.
    The way they operate: the hackers making a reservation via booking.com and contacting the property through booking.com App asking the hotel representative to speake with them via email then they send a link to the hotel which allows the hackers to gain control of the computer of the representative of the hotel who pressed the linked.
    Then the steal all username and password of the hotel which was saved on the computer.

    I know this because I have a hotel, and I’m a victim of the same hackers.

  6. Roberta says

    Received WhatsApp message imposing as hotel manager asking for prepayment. Very official looking message with all correct information I.e reservation number etc…and payment link was the same as Booking.com payment page. The payment actually went through as a wire transfer to Nigeria a few days later. Contacted the hotel and they said it happened before

    • LP says

      I also got a message on booking.com saying I would be contacted by one of the property managers on WhatsApp to finalise a payment and asking for money. My experience in trying to report this and sort it out has been absolutely awful and booking.com have been useless, failing to even recognise there has been a clear data breach. It seems they are covering it up and if so legal action needs to be taken

      • Thomas says

        I agree. Customer Support did not even try to help me. Afterwards I received another email asking me how satisfied I was with their support.

    • Jane says

      Same thing happened to me on the 23rd, I believed it as all my holiday information was on there. I paid and I’m gutted. The bank won’t refund me and Booking.com have not got back to me after I mentioned my details all being compromised. I don’t know what to do.

      • Lp says

        I’m so sorry to hear this. Repeat it to action fraud and get a crime reference number. Hopefully the more people that report it the more a case can be built against these guys and booking.com, who have clearly had a massive security breach and are doing absolutely nothing about it. Don’t stop bugging booking.com, it is relentless and so time consuming but don’t drop it as this is entirely their fault. I am currently in the process of trying to dispute mine too but they are being so awful.

        I wonder if there is a news agency that would pick this up? Highlighting the amount of victims there has been and the complete lack of security and communication from booking.com.

  7. IT Company in the Netherlands says

    I highly doubt it. We are managing IT for hotel’s in the Netherlands, with tight security policies applied, multifactor authentication (phonecall) to the extranet implemented, and are using complex passwords.

    Still, last week, we are hacked.
    Dozens of guests are contacted by whatsapp. On the PCs we are using for booking.com’s extranet is no trace of malware nor any other breach found. The login-history of booking.com has no unknown logins listed.

    Booking.com is pointing us to a local infection, but, since we use phone-auth to login, this simply can’t be the case.
    An unknown login should be listed in booking.com’s login history, if the attacker did not use local pc’s to send these messages.

    All this leads me to the assumption these messages must be sent from booking.com’s extranet itself.

    • Manuel says

      My company in Lanzarote has had exactly the same experience. We use SMS authentication to access Booking.com, and around a dozen of our Booking.com guests were contacted the same way described by other users. I was beginning to think it had been a local security problem, in our PMS or in one of the connected tools, but reading your comment I’m now back to thinking that the problem might indeed lie on Booking.com.

      It all started on January 26th and I yesterday I went to the police to report it. I guess if more people do the same hopefully they’ll get to them eventually. My guests have been contacted via WhatsApp by a UK number and a Lithuanian number (an also via Booking.com’s extranet).

      • LP says

        Have you been in contact with booking.com? Have they said whether it was a cyber-security breach on their part or are they not saying anything yet?

        • IT Company in the Netherlands says

          We did, where they repeatedly answer that this problem is not at their end.
          (all replies start with that statement)

          After that, a pre-formulated text with probably causes is pasted into each reply.
          I can see that by the different font beeing used for this text.

          They state as probably causes;


          Approach #1: The attacker creates a fake Booking.com reservation, either from a fake guest account, a compromised legitimate guest account, or without any account but with a fake email address. They use this booking to contact the partner via ‘P2G’ Chat Platform and request for the hotel’s direct email address, or they give their “fake” email address, so that the hotel can contact them directly outside of the Booking platform.

          Approach #2: The attacker directly contacts the partner via the partner’s email without a fake reservation.
          During these communications, attackers send a ‘phishing link’ with the request to click on it. Some partners have clicked this link, downloading a malicious file which infected their device with malware. This malware enabled the attackers to gain access to the partners computer.

          The attackers then primarily gain access to the guest’s phone details, upon which they send a WhatsApp message to the guest, asking them to provide their credit card details for (partial) payment to secure their reservation. Additionally, the attackers sometimes gain access to the partners Booking.com Extranet account and remove access to it from the partner. They do this by changing the email, phone number, and 2FA details. This allows them to further access customer personal data and credit card data.

          #1 has not happened. Nobody has been contacted nor had contact with anyone regarding booking.com’s reservations.

          #2 i cannot find any trace such occured.

        • Manuel says

          I have. I reported it to my account manager and yesterday I got an email from their “Security Team” telling me that “After a complete review, we cannot currently confirm any unauthorised activity on your account.”, which doesn’t really tell me much.

      • IT Company in the Netherlands says

        Yes. And logical thinking directs to booking.com beeing somehow comprimised.

        I have 25 years of IT security background, and these PC’s at our Hotels are not infected.
        (unless proven otherwise)

        • Liam says

          Only booking.com reservations was affected. Other agencies like Expedia and guest with personal e-mail address were not affected. This means Booking.com was hacked.

          • Craig Sowerby says

            Or that the hackers have found a vulnerability specific to Booking.com that makes their phishing efforts at the hotel level more successful…

          • Liam says

            We reinstalled windows, reinstalled virus scanner. Created a new account for booking.com, changed the email password. Our guest still get messages from the scammers. This means booking.com is hacked.

        • Liam says

          We reinstalled windows, reinstalled virus scanner. Created a new booking.com and and changed the password of our email account. But our guest still get messages from the scammers. This means booking.com is hacked.

      • Cacey S says

        I keep getting told that a bot based either in London or Bulgaria has signed into my account and to click the link here.

        I have 2 factors authentication and a 25 char password. Booking.com have been useless when I contact them. I’m thinking of deleting my accounts to be honest.

        Any advice please ?

    • Michael says

      They have definitely been hacked. I showed up to my hotel/apartment that I had booked only to be told that we “cancelled” the night before. We told then we had never cancelled and we have already paid via booking.com (not a third party). We rang booking.com, they said the payment made was fraud and they had cancelled our reservation the night before and didn’t even tell us…. so if we paid directly via booking.com and it was fraud that means they have been hacked.

    • DaveF says

      If that’s what is happening, then an attacker gains access to the extranet and compromises logins for some hotels. Then it acts as those hotels without touching their services.
      Booking.com would have IP address and access datetime and should be able to aggregate suspicious access to detect and block fraudulent access in real time.
      Why not add regional or per-country access limits as well, for instance preventing Russian access to the extranet for German hotels? There is much they can do.
      For me and my upcoming bookings, I will use Google Maps to find hotels then book or call via other providers or to the hotel directly.

  8. Cissi says

    Received a WhatsApp message asking for payment synchronization – for me to input my details again. This is a highly intelligent phishing scam – they had all my personal information (reservation number, booking dates, full name), and the payment link webpage’s UI looked almost identical to Booking.com. Furthermore, clicking to sign-in to my account from the scam page took me to what appears to be the real booking.com which had my details cached.

    I am trained to identify phishing scams for my job, but unfortunately this will target many Booking.com customers who will fall victim.

    • LP says

      Are you still able to report it to Action Fraud? The more people that report it the more likely a case can be brought against the scammers and booking.com in order to compensate the victims.

      • Roberta says

        I contacted the CEO of Booking.com per Claire’s post and was immediately contacted by their Customers Service department. After a few exchange of emails with screenshot of the WhatsApp messages to confirm that I was indeed scammed and that my debit card issuer would not dispute the charge, Booking.com refunded the amount to me. It was done quite efficiently (within a week) and I am happy that it all came to a satisfactory conclusion.

        • Robert says

          Roberta, How did you contact the CEO of Booking.com, as getting hi/her contact details would help many of the responses. I too have been the subject of the same scam.

  9. Mihaela says

    I also have received e-mail coming from “Booking” telling me to confirm my card – with my full name and whatsapp message on my phone number from this number +44 7842 077739 plus name of the hotel where I have a booking and amount I have to pay for my reservation – so really A LOT of correct data (stolen from booking.com or the hotel – this I don’t know) PLUS when clicking the link it was a copy of booking.com website. PLUS the same message as from the e-mail, in the chat with the property on booking.com – this was the worst part.

    • Gloria Reid says

      I received a similar message today on my Booking.com app – wanting me to input my card details again for a one night stay in a hotel next week in UK. Claimed if I did not do so within 24 hours, the hotel might cancel my booking. So I rang the hotel and they knew nothing about it. Then I rang the Customer Services number on the Booking.com App (rather stupidly!) to ask if they had been hacked. Man I spoke to was on a very bad line and would not tell me where he was ringing from. Kept insisting my bank card had been declined and they needed my cvc number to put my payment through. But the hotel told me that they had my card details and were expecting me to pay on arrival.
      I discovered that the person I spoke to in “Customer Services” was ringing from Singapore. Am I paranoid, or is this dodgy?

      • Craig Sowerby says

        It looks a bit dodgy to me. Do you remember if you booked a “pay at hotel” rate or a “pay Booking in advance” rate? If it was “pay at hotel”, you are being scammed.

  10. Justine says

    I rec’d a WhatsApp today from someone purporting to be manager of a hotel in Montenegro that I reserved via Booking.com last December for this May asking for all my credit card details so I could pay all now via PayPal (tho I knew no payment was due until May and then it would be via booking.com) and when I balked and said I wouldn’t send them the Visa info they changed their tune and sent me my credit card number and expiration date (on WhatsApp!!!) and name saying they just needed the security code. I contacted Booking.com and the hotel via Booking.com and neither knows anything about the WhatsApp contact and both agreed it was totally wrong, so I guess I should cancel my credit card, though Visa says there have been no attempts at charges yet. All I can think is someone got my data from the hotel’s computer and was trying to use it, especially as no one else here mentions the scammer already having your credit card number!

    • Craig Sowerby says

      Yikes. That is definitely worse than what others are mentioning. It does seem more likely than not that the issue is on the hotel’s end in this case.

      I would cancel your card. Since the security codes are only 3 digits with Visa, it wouldn’t be terribly difficult to guess 999 times. (although your bank would probably cancel it anyhow after a few failed attempts)

      • justine says

        Thanks Craig, I did cancel the Visa card and thankfully Visa hasn’t been charged oddly so far as I can tell, but to the others, I doubt Booking.com is going to do anything. I’ve heard nothing from them and it’s been several days, plus because they had the amount and name of the hotel and my credit card # and expiration date, I think it may have been a scammer/thief on the hotel’s end (they seem to be blaming Booking.com however as the hotel wrote me back “It is very strange,a few reservations in the last few days through Booking.com was also like spam or smth.with attach.which wore some virus. They must put better security.”)

  11. A says

    I also suspect them of getting hacked. Got a notification today that my saved credit card with booking was misused.

    I have not given my credit card details to many websites, so booking is on my very short list. I exclude Google. Maybe Garmin is also on my list because yesterday they had an outage.

    • Craig Sowerby says

      Ironically enough, one of my cards has inexplicably stopped working lately and I was starting to wonder why… But I just can’t recall whether I used it to guarantee a recent Booking.com booking. No attempted Whatsapp messages though…

  12. Clare says

    I have been the victim of a crime and fraud and through no fault of my own was defrauded of 1836 Euros. On January 29th I made a booking via Booking.com for a hotel in Venice. When I received the booking confirmation from Booking.com I also received the following message:
    Ca’ Marinella
    Hello !!! Thank you for booking our apartments. Please contact my manager to complete registration and confirm your reservation. What’s App +37064718907 Alisa. We will send you all the necessary registration information. Please note that you will need to write and send What’s Ap…
    29 Jan 2023 (Please see attachment for full message)

    I sent this person a whattsap message as I thought it was needed to confirm the booking and because it came directly from the Hotel’s messaging system via Booking.com. This person did not respond to me until Feb1 2023. She said that there was an error with my booking and she sent me a link in order to confirm my payment. I clicked on the link and the payment did not go through. The link had the booking.com logo and a chat box bot was also open on the right of the page. I typed into the box that the transaction wasn’t going though and could they help me. The chat box said that I needed to refresh. I did this twice and then the chat box confirmed that the booking was confirmed.

    At approximately 15:42 PM I received an email from the hotel via Booking.com stating that their website on booking.com had been hacked. I should contact my bank.

    I contacted the bank immediately and they cancelled my card. I also had to cancel my hotel booking

    I am extremely stressed and upset about this incident and it has left me feeling very vulnerable.

    I do not see how any of this is my fault as Booking.com failed to protect the safety and security of its customers by allowing their website to be hacked. The Hotel has contacted me via Booking.com to state that they were hacked and I must follow up with the bank and legal authorities. They are also following up with the legal authorities in Italy. When I called the Hotel they told me that more than 1500 people have been scammed and my booking was cancelled. I am interested to take legal action and would like to know if anyone ele has been affected. I am so traumatised and psychologically damaged from this incident.

    • Lp says

      Hey! I am in the exact same position as you, the exact same thing happened to me. I am currently awaiting a response from booking.com about what they are going to do about the situation as I too would like to take legal action. I agree it is not our fault but rather the fault of booking.com to protect our details.
      Have you got in contact with booking.com as well? They have been useless with me and said it can take up to 10 days so I am still waiting. Report it to action fraud and get a crime reference number as well! I completely empathise as I am in the exact same boat and am so beyond angry with booking.com and their useless customer service

      • Clare says

        I have contacted booking.com and they said that they have escalated the matter to their internal team. No mention of refund or what they will do. I believe they must refund us total amount we have been defrauded as well as issue us compensation for the money we lost on having to book other hotels and the mental stress this is causing. They have enabled our security and privacy to be breached and it is just appalling. I would be interested in taking legal action if this is not resolved in the right way. Is there any way that we may know who has been affected so that we can get together and take a plan of action?

        • jane says

          I got the same message a week ago but the hotel blames booking.com and visa versa. They keep asking me for a merchants name and the amount I sent to the hotel!!! I keep saying I was scammed, the hotel didn’t get the money it was the scammers. Reading all the above comments makes me feel less foolish and alone but I really need my money back! I would definitely participate in a plan of action, media coverage maybe??

          • Clare says

            I have received an update today from Booking.com in which they will refund me the payment. Fingers crossed. I’ll hold my breath until it’s in my account. I emailed the CEO which I think helped. His email is: [email protected] I wish you all the best. Keep pestering them by phone and email.

        • LP says

          That is such a relief they have refunded you! How long ago did you first raise this with booking.com? I am wondering how long it may be until they get back to me

          • Clare says

            I have been calling and emailing them twice a day since February 1 when the incident happened. I emailed the CEO and all top executives yesterday and got a call in the middle of the afternoon to say I would be refunded the total amount. I wish you all the best. Just keep pestering them.

          • jane says

            That sounds encouraging for all of us too Clare, I have just emailed the CEO as you suggested but other emails are hard to find. I keep being asked for the Merchants name!!! There is no merchant it was a scammer. I feel like I am banging my head agains a brick wall. They know this has happened and would hate it to hit the news. Please let us all know if you get refunded.

          • Clare says

            I’m still waiting for the refund to be sent to my booking.com wallet. Then I must download it to my card. That seems to be how they refund. They said it takes up to 7 working days. Will let you all know

  13. Li says

    Same for me. A hotel sent me message via Booking app to transfer money as prepayment to some weird account, and to whatsapp a screenshot once transferred. I know it’s a scam bcos i stayed there many times and they have never done such a thing. And the replies by the “hotel” are very un-customer service. I know not to transfer. Hotels don’t do that. If legit prepayment they can just hold the amount in my credit card via booking.com

    I emailed the hotel’s email address, and they replied they changed policy and it’s not a scam lol. So i guess even the hotel’s email was hacked.

    So now i’m waiting for Booking.com’s customer service to reply me.

  14. David says

    Same thing happened to me yesterday. I was spitting some pretty serious language on Reddit (on the South Africa sub)
    Happened with WhatsApp message…UK number. The guy is even smiling on his profile. What an asshole!

  15. Jane says

    Just had email from Spencer miss chief security officer. He knows about the situation. He said they are working on a backlog of incidents and I will get a response when it’s fully investigated. At least I have a decent reply and feels a little more promising. I recommend anyone struggling to get answers email him. He got back within 2 hrs of me emailing the CEO like Claire 🤞

  16. Thomas says

    Thank you for this article! The exact same thing happened to me and right now this seems to be the only place Online where you can follow the process. I believe the backlog must be massive so I can only wait for Booking.com to get back to me.

    • Craig Sowerby says

      Yes… many thanks to those people sharing information about their cases and what they’ve done to get Booking.com involved. (and please be patient as I have to manually clear many comments from our spam blocker before they can be seen online – how ironic!)

  17. sofiene says

    My saved virtual card that I use only for booking has been compromised as well, which led me to this article. 2 payments from different shops in the US were attempted (one of them is labeled « g squared holdings » the other one is general) Hopefully the CVV was wrong and I could block the card after I received an alert. Booking is definitely hacked

  18. Alan says

    They are still at it. I received an email yesterday asking for payment confirmation for a booking I have in May . This was followed up by a message on WhatsApp from ‘Maria’ from polish number +48 725 649 380 , which came back as a business account. Firstly, asking if I wanted parking at the venue, which I ignored. This was followed by another stating that I must respond or my booking would be cancelled. I replied asking why would it be cancelled, Maria replied that there was an issue with my payment card.

    I rang the hotel direct who confirmed my booking and they told me it was a scam. I reported it to the real Booking.com , they were remotely interested.
    I then received another email from fake ‘booking.com’ to my email address asking for payment confirmation, concerning this requested was followed up by a message within booking.com site.

    The scammers seem to have access to Booking.com website. I have since changed my password.

    I fear many people have fallen for this scam as it can seem genuine and real Booking.com are not doing enough to warn and protect their customers

  19. K says

    We found one when looking to book in Amsterdam yesterday. After booking an apartment with booking.com we emailed a message about the property. Even though we had a confirmation email and pin we received a message saying our booking would not be confirmed until we completed registration of all our details with their manager via WhatsApp. Straight away I thought this might be a scam as we had been scammed by a fake property once in Melbourne.
    I rang booking.com help and was told everything looked ok and it was safe. I still did not believe it.
    We also noticed the dates for our booking still available on booking.com ….second alarm bell
    Then I google searched the address and found that address was a hotel with a different name and photos….third alarm bell
    We wrote back and said we won’t deal through what’s app and they cancelled our booking.
    In the morning that property was no where to be seen on booking.com

  20. Claire Day says

    Went on to booking.com last night and received a quote for a holiday this summer. I input all my personal details including all relevant info including dob etc of travellers in party and address details. I got as far the payment option page then paused as wanted to confirm with husband before booking. This morning l I received a call , supposedly from booking.com, offering me a decent discount if I were to go ahead with my booking and pay over the phone. What’s more, the caller knew every detail about my holiday quote including flights, passenger ages, my contact details. I have flagged to booking.com today but not getting very far, without a booking reference, as I did not finalise the booking. Clearly very worrying as a great deal of my personal data was shared in irder to proceed through the booking to quote stage and choose flights etc.
    Has there been any further communication from booking.com officially announcing this potential security breach? How is this treating customers fairly?!? I would never have gone near this website if I had know about a security breach!

      • Guy says

        I was just approached on whatsapp too
        They had the precise info as noted above.. crazy.
        I was sure they were valid cause who else would have specific booking info that was supposed to be protected.
        Who do we complain to here?

  21. hotel owner in colombia says

    1.
    my property was hacked I want to make a complaint for impersonation, fraud, fraud against booking.com
    I am the owner-legal representative of a hotel in barranquilla-colombia and I have been working with booking. com for 12 years a client made a reservation for the day February 16 with departure February 17 reservation number 3889168946 was identified as Robert Martini Swiss nationality and contact number +41442201515 a reservation for 4 people in a family room, this person through the booking extranet sends us a message in which he tells us that his name is Robert Martini and has 72 years that plans to visit us with his wife and are from Switzerland that please send us our hotel email to contact us,
    The email we received arrives in the name of Robert Martini from the email address [email protected] and says that he and his wife are coming to celebrate their wedding anniversary, that he is an elderly person, he says he is 72 and his wife is 69 and that it is difficult for them to locate themselves in an unknown city and that they made a detailed map and need help to plan their route and get to the hotel with confidence, they attach a compressed file in zip format called myphotosmap.zip and leave the note that this file does not open on the phone because it is in a Windows folder and that I can only open it from the computer,
    in view of this request taking into account the age of the person we agreed to open the file to see how we could help him because he was an elderly person, when we opened the file nothing happened so we wrote to the person that we could not open the file and told him that when he came we would help him with his request, this happened on February 1st at 11:30am, we verified that the file was deleted from the computer and nothing happened that day or the next one,
    on february 3rd at 9:32am an email arrives from booking.com saying that a new administrator was added to our property and that the email address [email protected] now has administrator rights in the property and that they have full access to the booking.com extranet and the pulse application which is the mobile application from where you can also manage everything related to the hotel.
    the following email we received at 9:33am where the booking platform told us that your user account has been removed and that we will no longer have access to the extranet for the hotel and that we are not on the list of users of this property.
    Then a series of emails from google started to arrive warning us about a security breach and that we were victims of a hacking

  22. hotel owner in colombia says

    2.
    We acted immediately and closed the google session on all devices and changed the password, we get a series of messages from booking where they are changing the contact information of booking and our email is removed from the account at this time they take ownership of the property on the platform.
    We immediately called the booking.com customer service line at +576014192623 and we were attended by the service agent juan millan and it is manifested in this call that lasted more than an hour that a booking.com customer through your booking contacted us and sent a malicious email with a file that hacked our computer and took access to the platform booking. com platform to impersonate us and steal customers by sending payment links to the cell phone numbers of customers who have reservations asking them to pay for their reservation and also steal their credit card information because people believe they are making the payment to a hotel, the booking customer service agent is told to immediately close the property to prevent more people from falling into this type of scam and is warned that all people who make reservations from the time of the hacking that was 10am are fraudulent because these criminals opened availability for the date of the carnivals of barranquilla which is in high demand and began to receive more and more reservations, the booking agent says he can not close the property of the page because he has no way to verify that I am the owner they have to make a call to the number that is registered at that time in the property which is the one that changed the hackers and they do not answer it only have it for whatsapp and from there they contact customers , I kept calling the booking page all day and night telling them that they were being complicit in a scam by not closing the property and allowing these criminals to continue capturing customers to steal from them and they ignored all the people who answered the calls in the customer service office.
    The booking service agents that answered all had the same answer that they could not close the property due to their security protocol and that they raised the complaint to the fraud area to investigate and be able to close the property. I reported this case immediately and it is a failure of the booking platform not to have immediately closed the property and thus prevent more people from falling into the scam,
    The alert was also sent via email to [email protected]
    And it was also sent to the email [email protected]

  23. Chantal says

    I made a hotel reservation today through booking.com and a few hours later received a secure message through the booking.com message system telling me the system has been either in and all payment cards reset. It asked me to scan a QR code to reenter my payment info or else my reservation would be cancelled! I contacted the hotel via email and they confirmed this is indeed a false message.

  24. DaveF says

    My wife made a hotel reservation in Amsterdam and a couple days later received a WhatsApp message. As other victims have noted, this included all the details of our stay, reservation number, etc, and a request to provide credit card info as some sort of pre-registration check. My wife got suspicious and asked to get the request via booking.com, thinking this would prevent problems. Indeed she got a message through booking.com repeating the request.

    Oddly enough, the message also said that booking.com has been hacked and not to provide payment info. Almost as if the hotel has added it to their message signature??

    The payment website at booking.top (not .com) looked just like Booking’s site with all the relevant info of our stay.

    My wife eventually called the hotel at the number on their website and was told if the booking.com hack and not to provide those payment details. She has blocked the WhatsApp.

    But now, with many hotels on a trip all reserved through booking.com, we are expecting lots of problems while traveling, cancelled credit cards while out of town, etc.

  25. Mike says

    Last week I got a fraudulent charge on a card that I used only twice since I got it in 2019. Used it on Spotify and Booking.com. I immediately suspected Booking.com because how sketchy they treat their customers (I stopped using them ever since). Then my wife got a fraud alert from her card issuer a couple days ago, she also used booking.com last month. So I think booking.com probably had a leak.

  26. Daz says

    Anyone know the legitimacy of this message I got today:
    Dear Guest,

    We thank you for choosing our hotel Mercure for your next stay in Paris.

    Since your reservation is a prepaid rate, we need to send you a link to proceed to the prepayment of your stay.

    Could you please send us an email to [email protected] in order to send it to you ?

    Thank you in advance,

    Kind regards,

    • Craig Sowerby says

      If prepayment was required, the hotel would just charge the credit card used to make the booking. They would have zero need for you to email them for a payment link.

      Interesting that this scam has affected a major hotel from Accor as well. Did you book directly or via Booking.com?

  27. German Customer says

    A few days ago I checked into a hotel in downtown Dresden, Germany, using my VISA card.
    2 hours later I was declined at the ATM. On my online banking account I saw a strange charge at Pizza Hut in US dollars(I hate pizza and never buy there).
    I canceled the card and VISA told me that until then there were 14 more attempts to charge my card somewhere in the world (which were declined). Interestingly, even after cancellation, every day someone tries to buy beauty products in Saudi Arabia, some stuff in Egypt or videos in Italy using my canceled card. I’ve been trying to figure out how my data got stolen. Then I realized that I’ve been using booking.com a lot, also for the hotel in Dresden. Thus, I cannot confirm that booking got hacked but it would be consistent with the previous posters.

  28. MaxtheCat says

    I just booked a hotel on booking.com and seconds later received a text asking me to download the booking.com app. I became suspicious because I already have the booking.com app downloaded. The link was booking.com/app-(followed by a bunch of numbers/letters). Came from this number 1-919-295-9012 and had my name in the text. To increase urgency it added (this link expires soon). Right this is all you need to know that this is a scam text. Why would downloading an app expire? I don’t know if booking.com or the hotel I booked got hacked but the fact that I received this text right after booking with booking.com tells me that it involves them and they need to fix it.

  29. jasa olah data says

    When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is
    added I get three e-mails with the same comment.
    Is there any way you can remove people from that service?

    Appreciate it!

  30. Nathalie says

    Well interesting, it looks like the site relaischateaux.com which I used recently for some reservations was hacked. I received an email after my stay to ask me to fill in a survey about the hotel. The email pretended to be from the hotel I stayed in yeah but you see the real email address and it was a fake address. Then checking the link to the survey it was supposed to go to a site called hotel-booking.com which doesn’t exist, the real site is hotelbooking.com or even booking.com. I had actually already filled in the survey coming from relaischateaux.com. The email hat the complete details of my reservsation name, hotel name, date. The greeting was “last name”, “first name” indicating it was an extraction of the database. You don’t address someone like this. Luckily am a technical IT professional and can recognise such fakes.

  31. Andy Sandford says

    Got this one today about a booking I made for a hotel in Edinburgh:

    Dear valued guest,

    We would like to inform you that our hotel has its own payment system
    for receiving payments from guests. Therefore, it is necessary to
    synchronize your payment information if you have already made payment
    at booking com to ensure a seamless check-in process.

    Please note that there is no need to pay again. You just need to
    synchronize your payment information so that we can accept your
    reservation successfully without any problems.

    We have sent you a verification form from Booking.com that you need to
    fill out. Please do it as soon as possible to ensure that you are on
    the guest list. Here are the instructions for filling out the
    verification form:

    Click on the link provided – http://xxxxxxxxxxxx

    Enter your credit card info as requested.

    You will receive two push notifications in your bank app. Please
    confirm the first push notification and then the second push
    notification.

    Please note that without completing this verification process, we will
    not be able to move you into the apartments.

    Copyright © 1996-2023 Booking.com™. All rights reserved.

    Regards,

    The Hotel Team

    I checked the link in a secure browser in incognito mode and it opened up a Booking.com page with all the information about my name, the hotel, the dates, the cost etc already completed.

    Hotel has confirmed it is a fraud and that it is aware of these attempts.

    • Cristi says

      HOTEL PENSION CONTINENTAL VIENA via BOOKING.COM
      Confirm your reservation №1723927412
      As the final mandatory step, please click the “Confirm” button to ensure your booking is successfully confirmed. Additionally, all reservations made from the specified location will be seamlessly transferred to your account.

      The system will temporarily set aside the required amount, which will only be needed during check-in, as a guarantee for your booking. This amount will be used solely to ensure your reservation is secure.

  32. Guy Sougnez says

    I just got the same situation for a reservation of an Hotel in Italy.

    I received a whatsapp message from a dutch mobile nbr mentioning that My credit card was refused and they would send me a link via whatsapp to confirm this “it will only take 10 min”
    when I started asking question on why a dutch nbr they reply, “we use a virtual number to notify guest”

    After contacting the hotel via the booking app I was told that their booking.com account had been hacked.

    I also contacted the customer services of Booking and they told me that my personal information wasn’t compromised but when I asked how come then that they have my personal mobile number and first and last name? no reply, just someone trying to call me from a nbr from Singapore leaving a voicemail saying “it’s Booking.com”

  33. Dude at Home says

    Received text purporting to be from Booking.com saying to download app to verify reservation & payment info. Booking.com denies sending text, hotel says didn’t send text. Of course I blocked the sending number & reported as spam. Checking the number on other sites it appears this is wide spread.

  34. Dennis says

    Got a message on their in app chat that they needed to verify my credit card within 12 hours or I would loose my hotel booking. In the chat I got a link to the domain booking-verification.su (Soviet Union (USSR)) and there I needed to enter my card information. It was well done with the site looking like booking.com with my name, hotel info etc allready filled out. My 2 factor authentication said the payment was to SENDCASH. But luckily my bank blocked my card immediately and stopped the transaction before 1755 euro got transfered.

  35. Tim Herman says

    There is clearly and ongoing problem/scam going on here. I received genuine looking email today saying my reservation had been cancelled, and then a later email saying my card was invalid and inviting me to click a link to update them. A call to the hotel confirmed they are dealing with several similar instances and they said was being investigated how someone could have potentially accessed their extranet.

  36. Phil says

    Same happened to me in Tunisia yesterday. Impossible to contact Booking. It seems to be widespread and for months nothing has been done.

    It’s scary though that entering your name, travel plans, exact cost, email address, phone number etc to Booking app and this data becomes immediately (I got the WhatsApp message few hours after booking) available for criminals.

  37. Jen says

    I received an email today Aug 3rd 2023- via the messaging booking.com system about reentering credit card details and if not confirmed within 24 hours my booking will be cancelled. I emailed the hotel asking if it was a genuine request and they said it was not and that bookings let them know about this, and to not enter any details. this tells me booking.com may have been hacked? Not sure – Booking has let the hotels know but not the users.

  38. Kev says

    This happened to me yesterday, guessing it was a scam I contacted booking.com’s support via messaging which was clearly hacked too, as when I asked them questions about the domain (booking.preferred-check.com) I was asked to use they said that I needed to do what the hotel said.
    Thinking it was the hotel’s problem I cancelled the hotel and today the proper hotel managed messaged me (and many others apparently) to say no way did the hotel need any advance payment, that booking.com got hacked and they would be talking to booking.com about it.

  39. Phil says

    I have just had one of these emails seemingly from the hotel I have booked with saying there was a problem with the payment card and that it needed to be re-submitted urgently within 24 hours and the amount would be immediately refunded back to my account once it had been verified.
    I obviously thought this was a scam but as others have said the email had all the relevant details in it.
    I logged into my Booking.com account and the same message as in the email was there as well including the link to go to for the card to be authorised.
    I clicked on the link to look at it and it was obviously a scam as the amount they wanted me to pay temporarily was wrong, was in Euros instead of Sterling and it had a foreign name in the payment box.
    I contacted Booking .com and got a message back just warning me not to click on any emails that appear to come from the hotel I have booked as they should never ask for payment direct up front.
    I then replied saying that the message was still in my inbox and got a reply saying my booking was safe and not to worry, but the message is still in my message inbox on their site, so obviously Booking.com has been hacked

  40. Gary says

    I’m not sure if this is related. I’ve been using booking.com for a few years to book international apartments with pay at location option with zero problems. Last week I booked an apartment. There were a few things off in the listing such as the property did not appear on google maps. I always check street view to see what the surrounding area is like. But sometimes google maps is out of date. The apartment I was tying to rent has multiple locations. My last stay I was next to one of their buildings so this time I wanted to try them out. This one was in a different location from my last stay. After I booked the reservation I got a message from the property via the booking.com messaging. It asked for my phone number but wanted it spelled out like “one two three” not “123”. And then they said I had to pay 30% to 50% in advance in cash or they couldn’t guarantee the apartment would be available when I arrived. My wife is there in Vietnam now so she went to the address out of curiosity and it is a clothing shop. There are no apartment buildings of any company in the area. I reported them to booking and canceled. I then went to the location I know is legit and reserved there. After reservation I got a message asking for my WhatsApp or Zallow, and asked for my phone number spelled out “one two three” and then said I need to send them money. They didn’t even bother to say if it was prepayment or security deposit or even how much. I will report this one also and cancel. I found this article and comments section after trying to google what is going on with booking.com. No problems for years and now 2 scammers in a row? And none of the 3 and counting messages to booking.com support have been responded to.

  41. Linda Sparrow says

    We just got the hack on a reservation for next month at a small hotel in Italy. It said our reservation was going to be cancelled. We were up VERY late at night trying to resolve issue. Booking.com took their time answering us, luckily a person at the hotel informed us of the hack. We got no apologies, no form of anything for having to cancel our card…hey what about a 20% discount? This should be on the news. Terrible! We are seasoned travelers, visited over 30 countries and have used this agency successfully for years. We like how easy it is to communicate with hotels, as we choose small boutique places.

    • John says

      When a Hotel account is hacked 10s of guests might be contacted. It must be incredibly embarrassing for the Hotel, in some of the worst cases some guests will cancel, some will destroy them on review sites, some will make data protection complaints others will call the hotel non stop. Some managers will convince themselves its one of their staff, the atmosphere might be miserable.

      But unfortunately I’ve seen quite a few examples of Hotels contacting their guests saying “oh we’re so sorry for you – but we’re just not responsible so call your CC company and make sure you pay as soon as you arrive at the hotel, so bye”. Its like they can’t entertain the idea that maybe they didn’t keep their accounts secure. That won’t always be the case I imagine some Hotels are great when it happens. despite it being difficult.

      The Booking.Com partner site is littered with the word hacked.

      In any case I just think Booking.Com needs to up its security.

  42. John says

    If you are a guest and you’ve been sent phising message through the official Booking.com website, and that message contains a link to a website containing your reservation data, then some of your data has clearly been leaked.

    Both the Hotel and Booking.Com (As Saas provider) are data controllers of your data. That means both have an obligation to notify the ICO. If there is a possible adverse affect to the guest then they should also notify you that your data has been leaked – read here https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/communications-networks-and-services/security-breaches/

    Some Hotels and potentially Booking.Com may be failing to comply with the notification requirement. Its not good enough to say “whoops someone logged into my account ignore that spam please” or “you should change your password”, there is a set of information they need to provide to explain the leak.

    If you receive one of those messages (or even lost money because of one of those messages) you should make a complaint to [email protected] using a letter like this https://ico.org.uk/for-the-public/how-to-make-a-data-protection-complaint/

    If they give you an insufficient reply and then you should complain to the ICO.

    If you’ve been affected financially you should also contact

    > Action Fraud (Police)
    > Your Bank (To dispute the payment)
    > Ask them for a final decision if they don’t refund
    >Complain to The FSO once you receive their final decision (assuming you don’t like it)

    Bookin.Com has been proven to have OATH vulnerabilities in the past https://www.infosecurity-magazine.com/directory/salt-security/ the article says they were fixed and not leveraged.

    A hotel account can be hacked if someone leaves their device unattended, disgruntled former employee, someone falls for a phising link etc.

    Whatever the case for your leak it seems quite clear Booking.Com knows about these scams and could do more to stop them.

  43. Hinata T says

    Hi all,
    Just wanted to share that I am also a victim of scammer on Booking.com app. I recently booked a hotel apartment in Budapest through booking.com. 10 days before the check in date I received a message through booking.com app from the property that they need my details to complete the booking registration. They provided me a link which I opened it and it is with booking.com logo and basic information that usually booking website will ask like name, guess number, time of arrival and preference of bed sizes. Then they say they need to verify my credit card and as per booking.com policy as per their website, they are allowed to do that. They say they will charge a small amount then the amount will be released back again.
    Thinking that it is from booking.com application, I was thinking it should be safe as booking.com always advised all their customers to only communicate anything related with our booking through their system or app. So I proceed to provide the credit card number as I do not want to lose the booking on the peak summer vacation period. Then I received an sms from my bank that the full booking amount has been charged. I send them a message asking why as I should be charged later. There is no reply and I immediately call the hotel and hotel told me they did not send such message and it is a scam. Hotel was not very helpful just ask me to call booking.com and deal with booking.com. I immediately call my bank to block the card and reseve the payment. Then I call booking.com to make a complaint. I called the hotel again and told them I have been charged and hotel again just tell me to liase with booking.com as they can’t get through to booking.com and told me they can’t help me. From then I call booking.com every day and send them emails everyday. I got a letter from my bank that they can’t reserve my transaction and I provided that letter to booking.com, finally after 10 days I got full amount refunded to the wallet from booking.com and then I can download it to my credit card.
    However, after 4 days of my 1st report on this issue to booking.com, I received similar request from the app through the property again asking for details and credit card to confirm my booking. I made 2nd complain to booking.com and told the hotel and hotel told me they can’t do anything as booking.com system has been hacked even after the hotel change their password still the hacker is able to send message to the guests from the system.
    In summary, in my opinion from my experience, booking.com knows that there is an security issue with their system but do not want to admit it even till last of my communications with them they still didn’t admit it. But they are working on fixing it that is why they refunded their customers however, it is a traumatic experience like all other victim. Therefore, I would avoid using booking.com again.

Comments are closed.