
Booking.com Data Breach 2026: What You Need to Know

On 13 April 2026, Booking.com confirmed that unauthorised third parties accessed guest data through a partner system. Names, emails, phone numbers, home addresses and reservation details were exposed. Here is what happened and the steps you can take.

Disclosed: 13 April 2026
Records affected: Undisclosed
Risk level: High

What Happened

How the Booking.com Breach Unfolded

Early 2026

Threat actors tracked by Microsoft as Storm-1865 ran a ClickFix phishing campaign against Booking.com hotel partners, tricking hotel employees into installing malware disguised as a computer fix. The attackers used the compromised partner accounts to access guest reservation data through legitimate channels.

13 April 2026

Booking.com publicly confirmed that unauthorised third parties accessed guest data via compromised hotel partners and began notifying affected travellers and data protection authorities. The company stated that payment-card primary account numbers (PANs) and financial information were not exposed.

Mid-late April 2026

Independent researchers and outlets including TechCrunch, Help Net Security and Malwarebytes Labs reported the stolen data already in active use for reservation-hijack scams: criminals contacting guests with real booking details (property, dates, confirmation numbers) and asking them to “verify” a card or pay an outstanding balance via a malicious link.

Affected travellers received an email with the subject line referencing "Important security information about your Booking.com account".

Source: Booking.com Security & Trust

What Was Exposed

Personal Data Leaked in the Breach

According to Booking.com, the affected partner system held guest contact and reservation information. Payment-card primary account numbers (PANs) were not stored in the affected system.

Data Type | Risk Level | Who Was Affected
Full name | High | Affected Booking.com guests with active reservations
Email address | High | Affected Booking.com guests with active reservations
Phone number | High | Affected Booking.com guests with active reservations
Home/billing address | High | Subset of affected guests (where stored at booking)
Reservation details | Medium | Affected guests, including check-in/out dates, property names and confirmation numbers
Loyalty / Genius status | Low | Subset of affected guests with Genius accounts

Risk levels are based on the OAIC's "What is personal information?" guidance and the OAIC Australian Privacy Principles. Reservation context (dates, property, confirmation number) is what makes this breach particularly useful for travel-themed phishing.

✅ Confirmed NOT Exposed

Booking.com has stated that full credit-card numbers (PANs), CVV/CVC values and account passwords were not stored in the affected system. Booking.com account login was not compromised.

Company Response

What Booking.com Did

“We are committed to the security of our customers' data. We have notified the relevant authorities and are contacting affected guests directly.”
Booking.com statement, 13 April 2026

Actions Taken by Booking.com

  • Isolated the affected partner system on detection
  • Notified data protection authorities in jurisdictions where affected guests reside
  • Began emailing affected travellers with details of the specific fields exposed
  • Engaged third-party cyber forensics specialists to review partner access controls
  • Published guidance for guests on identifying phishing impersonating Booking.com

What Now?

Steps You Can Take After the Booking.com Breach

The biggest risk from this breach is targeted phishing using your real reservation details. The combination of name, email, phone number and booking context gives scammers everything they need to impersonate a property or Booking.com support convincingly.

Booking.com & Travel Accounts

Your reservation details were exposed. Other travel and accommodation accounts may use the same email.

Secure your Booking.com account

~5 min
Update your Booking.com password and enable two-factor authentication where available. Review the list of payment methods stored on your account and remove any cards you no longer use. Check the 'sign-in activity' or device list for any unfamiliar logins.

Review other travel and loyalty accounts

Where the same email and password combination has been used across Airbnb, Expedia, hotel chains, or airline loyalty programmes, consider updating credentials on those accounts as well. Credential reuse remains one of the most common ways a single breach leads to broader exposure.

Email and Digital Identity

Your email is the key to your digital identity. Securing it is a sensible first step.

Strengthen email security

~5 min
Updating the password and enabling MFA on email accounts associated with the breach is widely recommended. It is also worth checking email forwarding rules and connected app permissions, as these can be exploited to silently intercept communications.

Understand your full account exposure

Most people have dozens of online accounts linked to a single email address. When that email is exposed in a breach, understanding which services are connected is a critical first step in assessing personal risk. Tools that map your digital footprint can help identify accounts that may need attention.

Identity Protection

Name + address + phone is enough for travel-themed identity fraud.

Watch your card statements closely

~10 min
If you used a card on Booking.com, monitor recent statements and set up real-time transaction alerts where available. Scammers sometimes attempt small 'test' transactions before larger charges, so even a $1 unfamiliar charge is worth flagging.

Set a SIM lock or port-out PIN

~10 min
Where a phone number was part of the exposed data, contacting the relevant mobile carrier to set a port-out PIN is a practical safeguard. SIM-swap fraud can be used to intercept verification codes and bypass MFA on other accounts.

Monitoring and Reporting

Resources for breach response in Australia and the EU.

Stay alert for 'property contacted me' phishing

Exposed reservation details let criminals impersonate either Booking.com support or the accommodation provider itself. Never pay an “outstanding balance” via a link in an email or message; always open Booking.com or the official app directly to verify any request.
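
The check below is an added example, not code from Booking.com or from this guide. It triages a message along the lines of the advice above: any payment or "verify" request gets checked in the app, and one that also carries a link whose real host is not booking.com is treated as likely phishing. The assumption that only booking.com and its subdomains are official, the function names and the sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: only booking.com and its subdomains are official link targets.
OFFICIAL_DOMAIN = "booking.com"
# Lure wording taken from the scam reports described on this page.
LURE_RE = re.compile(r"\b(verify|pay|outstanding balance)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def is_official_host(url: str) -> bool:
    """True only if the URL's real host is booking.com or a subdomain of it."""
    try:
        # urlsplit drops any 'user@' prefix, so 'booking.com@other.host' resolves to other.host
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def triage(text: str) -> str:
    """Classify a message as likely-phishing, verify-in-app or no-payment-request."""
    urls = [u.rstrip(".,;") for u in URL_RE.findall(text)]
    off_domain = [u for u in urls if not is_official_host(u)]
    # Look for lure wording in the prose only, not inside the URLs themselves.
    lure = bool(LURE_RE.search(URL_RE.sub(" ", text)))
    if lure and off_domain:
        return "likely-phishing"
    if lure:
        return "verify-in-app"  # even with an official-looking link, check in the app
    return "no-payment-request"


# Constructed sample messages; reservation numbers and hosts are placeholders.
SAMPLES = {
    "lookalike": "Your stay at Hotel Example (confirmation 0000000000) has an "
                 "outstanding balance. Pay here: https://booking.com.guest-pay.example/confirm",
    "userinfo": "Please verify your card for reservation 0000000000: "
                "https://booking.com@pay.example.test/card.",
    "official": "To pay for your stay, sign in at https://www.booking.com/ first.",
    "info": "Check-in at Hotel Example is from 3pm. See https://www.booking.com/ for details.",
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(f"{name}: {triage(message)}")
```

The first two samples show why matching "booking.com" anywhere in a link is not enough: the host is what follows any "@" and what the name ends with, not what it starts with.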

Contact IDCare or report to Scamwatch

IDCare (1800 595 160) is Australia's national identity and cyber support service. Reporting to Scamwatch helps authorities track travel-themed scams targeting Booking.com customers.

Are You Still at Risk?

Compound Risk: Booking.com Plus Other Travel Breaches

Booking.com is the latest in a string of travel-industry incidents. If your email also appeared in earlier travel breaches, the cumulative profile builds a much richer target for fraud.

Why this matters

The Booking.com breach exposed names, emails, dates, addresses and reservation details. Paired with passport numbers from the Eurail breach, frequent-flyer details from Qantas, or hotel-stay history from Marriott, an attacker can construct a surprisingly complete travel identity that defeats common identity-verification questions.

  • Eurail (2026): 300K+ records - passport numbers, names, dates of birth
  • Qantas (2025): 5.7M records - name, email, date of birth, phone
  • Marriott / Starwood (2018): 500M records - name, address, passport numbers
  • Optus (2022): 9.8M records - passport, licence, Medicare numbers

If your email appears in two or more travel breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.

Other Major Australian Data Breaches

Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.

Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Booking.com or its parent Booking Holdings Inc. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.