Booking.com, the travel booking company, has confirmed that hackers may have accessed customers’ personal information, including names, email addresses, phone numbers and booking details, in a breach the company disclosed to users this past week.

The company said on Monday that unauthorised third parties may have been able to access information tied to past or upcoming reservations. In an email sent to affected users, Booking.com said it had detected “suspicious activity affecting a number of reservations” and had taken action to contain the issue.

The company said the information that may have been accessed included booking details, contact information associated with reservations, and “anything that you may have shared with the accommodation”. It said customers’ financial information was not accessed from Booking.com’s systems. Booking.com also said it had reset the PIN numbers connected to affected reservations as a precaution.

The mass email disclosure follows multiple reporting confirming the breach, including reports from The Guardian and TechCrunch. 

The breach itself follows earlier incidents of security risks affecting hotel systems linked to Booking.com. In 2024, TechCrunch reported that hackers had infected several hotels’ computers with consumer-grade spyware, also known as stalkerware. In one case, a victim who was logged in to their Booking.com administration portal had their screen captured by the pcTattletale spyware.

Booking.com has not said how many customers were affected by the latest incident.