A data breach affecting global travel platform Booking.com is being linked to a new wave of sophisticated scams targeting customers, as cybersecurity experts warn of increased risks and the company faces criticism over its response.

I have been a user of Bookings.com for many years and despite what is a major hack the Company has not only failed to communicate with me they have a so called ‘Security’ system that makes it impossible to change your password.

The breach, which exposed customer information including names, email addresses, phone numbers and booking details, has enabled fraudsters to carry out so-called “reservation hijack” scams. Criminals are reportedly using the stolen data to impersonate hotels and contact customers with convincing messages designed to extract payments.

Booking.com, owned by US-based Booking Holdings Inc., confirmed it had detected “suspicious activity” affecting a number of reservations and said it acted quickly to contain the issue. The company maintains that financial information was not accessed.

“We recently noticed suspicious activity affected a number of reservations and we immediately took action to contain the issue,” the company said in a statement to the BBC.

However, the Dutch-based platform has declined to disclose how many customers were affected or which regions were impacted.

Cybersecurity firm Norton says the breach significantly increases the effectiveness of existing scams. “Reservation hijack scams have been around for some time, but this new data makes them much more dangerous,” said Luis Corrons, Norton’s security evangelist. “Criminals can now reference real properties, travel dates and contact details, making the scam feel like routine customer service.”

Customers have reported receiving suspicious communications in the wake of the breach, with some contacting media organisations to raise concerns. Experts warn that the exposed data could allow scammers to target victims with highly personalised phishing attempts.

Booking.com has advised users to remain vigilant, stating it will never request credit card details via email, phone, messaging apps or text, nor ask for payments that differ from confirmed booking policies. The company says it has updated reservation PINs and is contacting affected customers.

The incident also raises concerns for accommodation providers, particularly in Australia, where Booking.com systems are often integrated into property reservation platforms, potentially extending the scope of exposure.

Security experts say the speed at which phishing campaigns have followed the breach suggests a more coordinated threat. “When a breach at a platform the scale of Booking.com moves from data exposure to active phishing campaigns within days, it signals something more deliberate,” said Darren Guccione, chief executive of Keeper Security.

Booking.com, one of the world’s largest travel services with nearly seven billion check-ins recorded since 2010, has previously acknowledged that its platform is a frequent target for scammers. Earlier incidents involved hackers gaining access to hotel accounts to send fraudulent messages to customers.

The latest breach marks a shift, with attackers now able to target users directly using legitimate booking data, increasing the likelihood of successful fraud.

Authorities and cybersecurity experts are urging customers to verify any payment requests directly with accommodation providers and to avoid sharing sensitive information through unsecured channels.