Is Your Booking.com Account Safe? Alleged Data Breach Exposes Users to Scams

If you’re planning a trip to a destination you’ve been longing to visit and you’re just about to book accommodation via Booking.com, keep your eyes peeled for scams. According to InsideFlyer, the world’s famous online marketplace for lodging reservations and other travel products has been hacked. As a consequence, millions of users’ data leaked, making them prone to more than perfect scams.

Reading Time: 4 minutes

has booking been hacked

Illustration: Milica Mijajlovic

We have all received an email from a Nigerian prince asking us to help him seize what legally belongs to him, promising a lush portion of his wealth in return. Normally, we were immediately aware that it was a swindle. However, some people believed that the Nigerian prince did exist. In 2018 only, the “prince” raked a whopping $700,000 and is still working hard on earning much more, but still not sharing his wealth as he promised. 

Though it’s utterly easy to identify such emails as scams and flag them as unwanted, people still fall prey to them. Luckily, it’s only a minority of naïve people. Imagine how many victims there would be if much slicker swindles had been coming from a prominent website.  

Well, let’s ask Booking.com for the exact information. Oh, wait, we can’t – they won’t care to reply. 

What’s going on with Booking.com?   

As per the blog post published on the Spanish blog InfoViajera on January 22 and nearly 100 reactions, Booking.com might have been hacked, allowing a huge amount of user data to leak. What’s even more curious, it’s nearly impossible to tell if something is off, as everything seems legit. 

So, what’s happening when you attempt to make a reservation via Booking.com?  

According to the user who shared his experience, once you book the preferred accommodation and pay with a credit card, you will receive a message via WhatsApp (mind you, a what’s app message). Here the sender informs you that the payment has been declined. The reason for the decline won’t be given, but the property, i.e., the sender will direct you to make your payment outside the official Booking.com website.  

has booking been hacked

Source: InfoViajera

Receiving such a message will automatically raise alarms in many users. But what might trick you into believing this is authentic and that something might be wrong with your payment is the fact that the message contains: 

  • Your full name and phone number 
  • The accommodation you are booking 
  • The exact date and amount of the reservation.  

Plus, given the fact that online credit cards can be occasionally declined indeed, particularly in some foreign countries, it’s more than easy to become a victim of this swindle.    

Other instances of the scam 

A Booking.com user reserved and paid for a two-night stay in Italy where they were supposed to reside in July 2023. All of a sudden, at the beginning of February 2023, the user got two emails. Judging by the header, the first email appeared to come from an authentic Booking.com domain, allegedly having been sent on behalf of the hotel in Italy. The email required the user to confirm his stay by clicking the non-existent “Confirm” button. It also informed them that the hotel would transfer all the reservations the user made to that account. Expectedly, the email contained all valid data like the hotel name, time of stay, and the reservation number.  

has booking been hacked

Source: Ars Technica

The second email also seemed to have arrived from Booking.com, again on behalf of the hotel. However, the header pointed out that the sender’s address was yandex.net. The second email contained the previously missing “Confirm” button. Having clicked on it, the user was redirected to a near-perfect copy of the genuine Booking.com webpage. It gave their name and the name of the hotel, the date of the stay, and the amount needed to be paid. They proceeded to make payment only to receive a WhatsApp message asking him if he needed a parking spot at the hotel. 

The user knew very well that they hadn’t shared any travel details online. This only implied that these emails arrived directly or indirectly from Booking.com. However, it’s still a mystery how scammers got hold of them.  

How long has this been going on? 

Seemingly, such frauds aren’t as fresh as we might think. Six months ago, a Reddit user tried to make a reservation, and exactly the same thing happened. He got a WhatsApp message claiming the payment was not accepted and received a link where he could make it. At first glance, the link seemed legit as it was seemingly coming from Booking.com. Fortunately, once the user clicked on it, he noticed a few red flags and abstained from proceeding with the payment. 

What’s even more odd, if you continue to dig deeper, you will come across another Reddit user who could have fallen prey to a Booking.com scam. So far, you might have learned how the swindle works – you make a reservation, pay for it, then receive a seemingly legit email from Booking.com stating there is a problem with your payment.  

The same thing happened to the user, with the exception that his payment was on hold. They were invited to click on the “Contact us” button, which further opened a chatbot that said the payment couldn’t be processed. In the chat, the user learned that the hotel was experiencing technical issues with the payment processor and for that reason, a traditional bank transfer was implemented.  

The user then received an invoice with the full amount to pay, with the instructions to wire the transfer to a bank located in Mexico. The catch here was that they had booked the accommodation at the hotel located on a completely different continent.  

What is Booking.com doing about this problem? 

To put it shortly, absolutely nothing. So far, there have been no official statements or warnings whatsoever, neither on the online travel agency’s official website nor any social media accounts.  

Besides the absence of Booking.com, what is disturbing here is that the pervasiveness of this swindle implies that Booking.com has been hacked, exposing a colossal amount of users’ data. Alternatively, it’s hotels and properties that have been hacked. Whichever is the case, the travel agency still doesn’t seem to bother to advise on what to do in such situations. The victims of the scam are left alone trying to get refunds for their (irrevocably) lost money. 

Speaking of which, what can users do when they fall prey to scammers? Their last resort is banks. Upon realizing they have been scammed, users can contact their banks, explain what happened, and hope for a refund. Whether they will receive it or not may depend on several factors, the primary one being the time of the payment. If you reported it too late, the bank might not be able to cancel or withdraw it.   

To protect yourself and your credentials, look for properties that let you book without a credit card. Instead of paying in advance, you can make payments when you arrive at the destination. Still, to even start the booking process, you will have to choose a payment method. If you’re paying by a credit card, you’ll need to provide the card number.  

"Ever tried. Ever failed. Never mind. Try again. Fail better."

[the_ad_placement id="end-body"]