Booking.com has confirmed in a statement to BleepingComputer that hackers accessed some users' data from booking information associated with their reservations.

The company took immediate action, forced PIN resets for existing and past reservations, and informed impacted users directly via email.

Booking.com is one of the largest online travel platforms in the world, allowing users to book accommodation, flights, car rentals, airport taxis, and travel experiences. The service acts as a middleman between travelers and hospitality providers.

As a major player, the service lists millions of properties worldwide and handles hundreds of millions of bookings per year.

Over the weekend, multiple users reported receiving emails from the official [email protected] address, warning of a cybersecurity incident that may have exposed personal information to unauthorized parties. The compromised data types include:

• Full names
• Email addresses
• Postal addresses
• Phone numbers
• Communications shared with the property providers

The same notification included an updated PIN for a given reservation number, and urged users to be cautious of suspicious emails and phone calls, reminding them that the service will never ask for sensitive information or bank transfers.

"At Booking.com, we are dedicated to the security and data protection of our guests. In that spirit, we're writing to inform you that unauthorized third parties may have been able to access certain booking information associated with your reservation," reads the company's notification.

Caution is also advised when receiving emails that appear to come from the booked property or Booking.com itself, as the service recommends not clicking any links in such messages.

However, users who received these messages did not receive alerts in the Booking.com app, creating confusion about their legitimacy.

Responding to our requests for comment and information about the incident, Booking.com’s communications lead, Sage Hunter, confirmed the security breach incident via the following statement:

“At Booking.com, we are dedicated to the security and data protection of our guests. We recently noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information. Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests” - Sage Hunter, Booking.com

The company did not answer our questions about the number of impacted users, but assured us that everyone will be notified individually. The company also underlines that customer support services in multiple languages are available 24/7.

Some users on Reddit reported over the weekend that they are being targeted by scammers who appear to have private reservation information. However, it is unclear if these reports are related to the latest security breach that Booking.com disclosed.