Booking.com has confirmed that unauthorised third parties accessed some customers' booking information, including names, email addresses, phone numbers, and details shared with accommodation providers. Payment-card information was reportedly not involved. The more pressing concern — flagged by the company and by the security reporting that followed — is how accurate booking data can be turned into convincing travel scam messages.
Booking.com confirms unauthorised access
The breach was confirmed publicly on 13 April 2026, in reporting by TechCrunch. Spokesperson Courtney Camp said the company had "noticed some suspicious activity involving unauthorized third parties being able to access some of our guests' booking information," and that on discovering it Booking.com "took action to contain the issue" and updated the PIN codes on affected reservations.
The company declined to say how many customers were affected and did not disclose how the access occurred. Its own press room carried no statement on the incident as of publication.
What customer data was involved
According to Booking.com, the accessed information included:
- Names
- Email addresses
- Phone numbers
- Booking details
- Information customers had shared with their accommodation
The company said payment-card information and physical addresses were not accessed. That limits the direct financial exposure from the breach itself — the risk lies in what can be done with the booking data that was taken.
Why booking details matter
Stolen names and card numbers are a familiar problem. Accurate booking details are a subtler one. A message that cites the correct property, dates, and guest name reads as legitimate, which is exactly what makes follow-on scams effective.
BBC News reported a wave of "reservation hijack" scams tied to the breach. The pattern is consistent: a fraudster posing as the hotel or platform sends a message referencing a real reservation, then introduces a problem that requires action — a fake payment request, a cancellation warning, a booking-verification prompt, a room-upgrade offer, or an urgent deposit. Because the underlying details are correct, the request clears the recipient's initial suspicion.
Booking.com's response
Booking.com said it contained the issue, reset PIN codes on affected reservations, and notified the customers involved. It advised users to be cautious with unexpected messages and to verify any request through official channels. The company reiterated that it would never ask for payment-card details by email, phone, SMS, or WhatsApp.
Why this matters for Maldives travel
Maldives trips tend to involve more pre-arrival contact than most destinations: high-value stays, seaplane or speedboat transfer arrangements, deposits, arrival timing, and back-and-forth between travellers, resorts, agents, and booking platforms. That volume of legitimate messaging is precisely the cover a scam message hides behind. The breach was not Maldives-specific, but the verification habit it calls for is worth more here than on a simple city booking.
How travellers can verify suspicious requests
- Check messages inside the official Booking.com app or website rather than acting on an email or text.
- Do not click unexpected payment links.
- Verify unusual requests directly with the hotel or resort using contact details from its official website or your original confirmation.
- Verify any unexpected request for passport details, payment details, or deposits before sending anything.
- Be cautious about moving payment conversations to unofficial WhatsApp numbers or email addresses unless you have confirmed they are genuine.
The incident is a reminder that travel-booking security now extends beyond passwords and payment cards. For travellers, the safest response is to treat unexpected booking messages with caution and verify requests through official channels before taking action.
A message that cites the correct property, dates, and guest name reads as legitimate — which is exactly what makes follow-on scams effective.
