Around 13 April 2026 Booking.com began notifying customers that unauthorized third parties had accessed guest reservation data — not by breaching Booking.com directly, but by compromising hotel partner accounts (researchers point to ClickFix phishing of hotel staff, attributed to a group tracked as Storm-1865). Exposed data included booking details, names, email and physical addresses and phone numbers; financial information was not accessed. Criminals quickly used the details in convincing WhatsApp and SMS phishing referencing guests' real hotel, dates and booking references. We cover third-party and supply-chain risk and how to spot these scams.

Worried about partner and supply-chain acce ...