On April 14, 2026, Booking.com confirmed that some of its customer data had gone missing. Names, email addresses, phone numbers, booking details, exchanges with hosts: all of this is now in the hands of scammers who have already launched phishing campaigns on WhatsApp and by email.
⚡ L’essentiel en un coup d’œil. Booking.com a confirmé le 14 avril 2026 une fuite qui touche un nombre indéterminé de clients : noms, emails, numéros de téléphone, adresses postales, détails de réservation et messages échangés avec les hébergeurs. Les infos bancaires n’ont pas fuité, mais des arnaques de phishing hyper-réalistes tournent déjà par email et WhatsApp. Ma règle : je ne clique jamais sur un lien reçu, je passe toujours par l’app Booking pour vérifier mes réservations, et je contrôle que l’expéditeur se termine bien par booking.com.
If you have booked a stay via Booking recently, read the following. It’s short and it could save you from having your account emptied.
In brief
- Booking suffered a leak affecting an undetermined number of customers
- Exposed data: name, email, phone, postal address, bookings, messages with hosts
- No banking information compromised according to the company
- Highly credible phishing campaigns are already circulating
- Booking has reset the PIN codes of affected bookings
What happened at Booking.com
On the weekend of April 12-13, the affected customers received an email from Booking notifying them of the leak. Spokesperson Sage Hunter confirmed the incident: “We recently noticed suspicious activity involving unauthorized third parties being able to access some of our customers’ booking information. After discovering the activity, we took steps to contain the issue.”
In detail, here is what leaked: full name, email address, phone number, postal address, booking details, and especially the message exchanges between travelers and accommodations. It is this last point that makes the scams formidable. The scammers know where you are going, when, with which hotel, and for how much. A fake email becomes very convincing under these conditions.
booking.com‘);
} else if(domain.indexOf(‘booking’) >= 0){
emailScore = 3;
reasons.push(‘⚠️ Le mot “booking” est dans le domaine mais ne se termine PAS par booking.com. Piège classique’);
} else {
emailScore = 3;
reasons.push(‘⚠️ Le domaine ne contient pas booking.com’);
}
var total = emailScore + typeScore;
resultBox.style.display = ‘block’;
var bg, color, verdict;
if(total >= 5){
bg = ‘#FFEBEE’; color = ‘#B71C1C’;
verdict = ‘🚨 Risque élevé. Ne clique sur aucun lien, ne réponds pas. Supprime le message et signale-le à signal.conso.gouv.fr.’;
} else if(total >= 3){
bg = ‘#FFF8E1’; color = ‘#E65100’;
verdict = ‘⚠️ Risque modéré. Ne clique pas sur les liens. Va directement sur l’app Booking pour vérifier ta réservation.’;
} else {
bg = ‘#E8F5E9’; color = ‘#2E7D32’;
verdict = ‘✅ Email probablement légitime. Mais garde toujours le réflexe : pour toute action bancaire, passe par l’app officielle.’;
}
resultBox.style.background = bg;
resultBox.style.color = color;
resultBox.innerHTML = verdict + ‘‘) + ‘
Booking emphasizes one point: banking data was not affected. The PIN codes of the affected customers’ bookings have been reset, and the new codes were sent by email along with the leak notification.
Scams already circulating
💡 Petit fait méconnu
Booking.com emploie plus de 21 600 personnes et génère environ 10 milliards de dollars de revenus annuels. Le site affiche plus de 30 millions d’hébergements référencés dans le monde, dont environ 400 000 hôtels. Cette masse rend la plateforme particulièrement attirante pour les cybercriminels : un seul accès compromis côté hôtelier peut exposer des milliers de clients d’un coup.
This is where it gets tricky. Affected travelers receive messages that seem to come directly from Booking or their host. The tone is just right. The cited information is accurate (hotel name, dates, amount). Sometimes even the confirmation number. The kind of email you would read without suspicion after a day of work.
| Signal in the email | Legitimate Booking email | Phishing attempt |
|---|---|---|
| Sender domain | Ends with @booking.com | Contains “booking” but ends elsewhere (booking-support.com) |
| Request for banking info | Never | Often the goal of the message |
| Employee tone | Neutral, informative | Urgent: “24h”, “action required”, “cancellation” |
| Link present | Leads to an official Booking domain | Redirects to a site that mimics the interface |
| Sending channel | Email or in-app messaging | May arrive via WhatsApp or SMS |
The goal is always the same: to make you click on a link to “confirm your payment,” “update your banking information,” or “avoid the cancellation of your reservation.” Once on the fake site, you enter your card details, and that’s it. Scams circulate by email but also via WhatsApp, which is rarer and more unsettling.
✅ Ce qui joue en ta faveur
- Les codes PIN des réservations concernées ont été réinitialisés par Booking
- Les données de paiement n’ont pas fuité selon l’entreprise
- Le service client Booking est dispo 24h/24 dans plusieurs langues pour lever un doute
⚠️ Ce qui te rend vulnérable
- Les escrocs ont ton nom, ton hôtel, tes dates : les faux mails sont ultra-crédibles
- Les arnaques arrivent aussi par WhatsApp, un canal perçu comme plus fiable
- Le phishing peut continuer plusieurs mois après la fuite initiale
The signs that should alert you
- An email asking you to enter your banking information
- A request for a transfer to an unrecognized account
- An urgent tone: “action required within 24h,” “imminent cancellation”
- Links that do not point exactly to booking.com
- A strange sender (booking-support@… instead of the official address)
How to recognize a genuine Booking email
Booking reminds you of a simple but vital point: the platform will never ask you to enter sensitive information or make a bank transfer. Never. If you receive such a request, it is definitely a scam, no matter how real the email looks.
Another rule: official Booking emails always come from an address that ends with booking.com. No matter what precedes it. If you see booking.com-support@other-domain.com, it’s a trap. If you see support@booking.com, it’s okay. The classic trap is an address that contains “booking” in the middle but ends elsewhere. Always check after the last dot.
🎒 Retour perso
J’ai reçu un email de “Booking” il y a quelques mois pour une réservation à Zagreb, avec le vrai nom de l’hôtel et les bonnes dates. Le message demandait de “reconfirmer” mes coordonnées bancaires sous 24h sinon la réservation sautait. Tout semblait parfait sauf un détail : l’expéditeur finissait par @booking-secure-payments.net, pas par @booking.com. J’ai ouvert l’app Booking direct, aucune alerte, tout était en ordre. Depuis, je ne regarde plus que l’adresse complète de l’expéditeur avant de lire quoi que ce soit.
What you should do now
If you have a current or recent Booking reservation, here are some simple reflexes to have.
Check the details of your reservation directly on the Booking app or website, not via a link received by email. If something has really changed, the info will be in your official account. No need to click on a link.
🚫 Erreur courante
Beaucoup pensent qu’un email est sûr dès qu’il affiche “Booking.com” comme nom d’expéditeur. Grosse erreur. Le nom affiché se falsifie en deux clics côté envoyeur, c’est du pur décoratif. La seule chose qui compte, c’est l’adresse complète après le @ : elle doit se terminer par booking.com, sans aucun suffixe. Sur mobile, clique sur le nom de l’expéditeur pour voir l’adresse réelle : c’est souvent là que le piège se révèle.
Change your Booking password if you haven’t done so in a while, and activate two-factor authentication. It doesn’t protect against data already leaked, but it locks access for the future.
Monitor your bank statements in the coming weeks. Even if Booking says that payment data has not leaked, a successful fake email can still make you enter your information elsewhere. Any suspicious movement, block it immediately.
If you receive a suspicious message, do not click. Report it to signal.conso.gouv.fr or directly to Booking via the app. And delete it.
📋 Checklist si tu as réservé sur Booking récemment
- Ouvre l’app Booking et vérifie que tes réservations sont intactes
- Change ton mot de passe et active la double authentification
- Surveille ton relevé bancaire pendant au moins 2 mois
- Marque les emails “Booking” suspects comme spam sans cliquer
- Signale les tentatives à signal.conso.gouv.fr
- Préviens tes proches qui voyagent : la fuite peut les concerner aussi
The checklist to keep in mind
- Never enter your banking information from an email link
- Verify that the sender ends with booking.com
- Use the official app to verify a reservation
- Activate two-factor authentication on your account
- Report suspicious messages rather than ignoring them
This is not the first time
Booking has already been in the spotlight for similar stories. In 2018, hackers compromised employee credentials of hotels in the United Arab Emirates, affecting the data of more than 4,000 customers. The company was fined 475,000 euros for notifying the Dutch regulator late about the incident.
🗓️ Plan d’action sur 7 jours
Jour 1 : Change ton mot de passe Booking et active la 2FA (double authentification).
Jour 2-3 : Passe en revue les emails récents avec “Booking” dans l’expéditeur. Vérifie chaque domaine complet.
Jour 4-5 : Surveille tes relevés bancaires. Un débit inhabituel, tu fais opposition.
Jour 6-7 : Active les alertes SMS de ta banque pour tout paiement en ligne. C’est le filet de sécurité le plus efficace.
The modus operandi actually resembles a lot what we’ve seen in recent years on Booking: the hackers do not attack the platform directly. They target partner hotels via phishing emails, obtain employees’ access to Booking’s back office, and extract customer data from within. As a result, travelers trust the email that seems to come from their accommodation, because technically it really does.
In recent news, the Booking leak comes just days after that of Basic-Fit, which affected about 200,000 people in the Netherlands alone. The two cases are unrelated, but scammers take advantage of the cumulative effect: the more “data breach” notifications you receive, the more you lose your vigilance. And that’s exactly where they click.
Beyond this case, a few habits are worth exploring before your next departure. If you are still hesitating between several platforms for your next booking, our comparison of booking sites can guide you towards those that best secure your payments.
Before packing your suitcase, a quick look at the essentials to prepare often prevents the forgetfulness that spoils a trip. And for stays in Europe or beyond, taking out appropriate insurance remains one of the most cost-effective habits, because online scams are just one of many risks.
Stay cautious without becoming paranoid
The truth is, Booking remains a practical tool widely used by millions of travelers. This leak is a problem, not a reason to stop everything. The real challenge is to adopt a few simple habits: verify the sender, never enter your banking information from an email, use the official app at the slightest doubt.
Booking customer service is available 24/7, in several languages, if you have any doubt about a message received. Better three minutes on the phone than an emptied credit card. Share this with those who have planned vacations this summer, they will thank you.
