Booking.com Breach Gives Scammers Your Exact Travel Plans #cybersecurity #bookingcom #databreach

A traveler heading to Bali got a WhatsApp message with their real hotel name, check-in date, and confirmation number. They paid a scammer. This is what the Booking.com breach looks like in practice. On April 13, 2026, Booking.com confirmed that unauthorized third parties accessed guest booking information — names, emails, phone numbers, booking details, and private messages between guests and hotels. Booking.com says payment card data was not accessed. Security researchers believe the attackers compromised hotel partner accounts rather than Booking.com's own systems. Microsoft has identified a financially motivated group it calls Storm-1865 running this pattern — phishing hotel staff with fake Booking.com emails using a social engineering technique called ClickFix. Some travelers reported receiving scam messages with their exact booking details two weeks before Booking.com sent its notification. Sources: https://www.malwarebytes.com/blog/data-breaches/2026/04/booking-com-breach-gives-scammers-what-they-need-to-target-guests https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/ https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/ More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday.