Hundreds of Dutch travelers defrauded as hackers hijack Booking.com accounts
A major security breach at Booking.com has left hundreds of Dutch travelers defrauded, as hackers gained access to hotel accounts and sent fake messages to guests, de Telegraaf reports.
The platform confirmed it has addressed the issue and strengthened security, but the number of victims continues to rise. Hackers can take over official hotel accounts on Booking.com and send messages to guests through the app. These messages often claim that a deposit was not received and direct the guest to a payment link. Victims who follow the instructions end up transferring money directly to criminals.
Hackers can also gain access to booking contact details, such as phone numbers and email addresses, once they compromise a hotel account. In some cases, the criminals contact guests via WhatsApp or email, posing as the hotel.
“These messages look extremely convincing,” ethical hacker Sijmen Ruwhof told de Telegraaf. “Criminals use AI tools to replicate hotel emails, signatures, logos, and other recognizable details almost perfectly.”
The fraud has surged sharply in recent years. In 2024, the Dutch Fraud Helpdesk received 89 reports totaling nearly 25,000 euros in losses. In 2025, the number more than doubled to roughly 200 victims, with 65,400 euros lost. Early 2026 reports indicate continued activity. The United Kingdom, France, and Singapore have also experienced thousands of victims.
Ruwhof explained multiple ways accounts can be compromised. “Hotels have accounts with usernames and passwords. Because of the vast number of data leaks, lists of billions of leaked passwords circulate on the dark web. If a hotel doesn’t use two-factor authentication and reuses a leaked password, a fraudster can relatively easily access all customer information.”
He added that criminals often pose as guests and send phishing messages with attachments containing malware. Once opened, the malware allows them to take control of the hotel account. Some fraudsters also create fake Booking.com websites with similar domain names and trick hotels into logging in.
A Booking.com spokesperson said, “We have seen such attacks happening since 2023. Many major platforms are struggling with this issue. Our security has actually improved. In our data, the number of victims is decreasing. People are just more willing to report fraud today.”
The platform advises travelers to follow the booking confirmation strictly, which lists exact payment methods and schedules. “Any messages with payment links, whether via the app or WhatsApp, should be treated with suspicion. If in doubt, contact the hotel or our helpdesk directly,” the spokesperson said. Booking.com also said it assists customers in recovering lost funds when possible.
