Travel-site breaches: how to protect your bookings

Booking.com confirmed a breach in April 2026 that exposed reservation data. Here's what travellers should actually do — before, during, and after a trip.

By Ana Kovács · Senior Privacy Analyst. Reviewed by Lena Park · Cybersecurity Editor.
Quick answer

When a travel site is breached, attackers usually want one of three things: a payment instrument they can charge, login credentials they can reuse on banking sites, or details that let them impersonate you to your hotel for a fake 'pre-payment' scam. Defend by using a virtual card for travel bookings, never reusing your booking-site password anywhere else, enabling phishing-resistant 2FA on the booking account, and treating any 'urgent' email from a hotel about payment as suspect until you verify on a saved phone number.

Key takeaways

  • Booking.com confirmed a cybersecurity incident in April 2026 affecting reservation data; the company is resetting reservation PINs.
  • The most lucrative attack after a travel breach is the 'fake hotel email' scam: attackers email you posing as your booked hotel asking for a 'pre-payment' or 'card re-verification.'
  • Use a virtual or single-use card for travel bookings so a breached merchant can't be re-billed.
  • Never reuse your travel-site password — credential-stuffing on banks and Gmail is the second wave of every breach.
  • Enable phishing-resistant 2FA (passkey or hardware key) on Gmail and your password manager, since email is the recovery channel for everything.

What actually happens after a travel breach

A travel-site breach is rarely about emptying your account on the travel site itself. The site is the doorway, not the prize. Three things usually follow.

First, your reservation details — destination, dates, hotel name, your name and phone — get sold or shared on criminal forums. Within days, you may receive an email that looks like it's from your booked hotel asking for a 'card re-authorization' before arrival, or a WhatsApp message asking you to confirm your booking via a fake link. The details are real, so the message looks legitimate.

Second, if your password was reused anywhere else (Gmail, Netflix, your bank), credential-stuffing bots will try those credentials within hours. Most leaked credential lists are tested against thousands of services automatically.

Third, your saved payment method on the breached site may be used or its details sold. Even if the site stored cards 'tokenised,' the stored billing address, name, and last four digits are enough to social-engineer your bank's customer service.

The 'fake hotel email' scam — what to watch for

This is the most common follow-up scam after a travel-site breach. The email arrives a few days before your stay, looks like it's from your hotel, references your real booking, and asks you to 'pre-authorize' your card or 'verify' your reservation by clicking a link.

Tell-tale signs: the link domain doesn't match the hotel's real domain (often a slightly-off look-alike like 'marriott-secure-checkin.com'). The email arrives outside hotel business hours. The 'verification' page asks for your full card number, CVV, and expiry — a hotel would never need all three.

Defence: hotels do not collect card details by email. If your booked hotel needs anything, call the number on their official website (not the number in the email). Treat every payment-related travel email as suspicious until verified out-of-band.
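To make the domain check above concrete, here is an added Python example (not code from this article or from Booking.com) that pulls the links out of a constructed sample 'hotel' email and classifies each one against the hotel's real domain. HOTEL_DOMAIN, the sample message and the simplified two-label domain rule are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: the hotel's real domain, copied from its official website.
HOTEL_DOMAIN = "example-hotel.com"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified: it does not handle multi-part
    public suffixes such as co.uk; use a public-suffix library for real mail."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def link_verdict(url: str, hotel_domain: str = HOTEL_DOMAIN) -> str:
    """Classify a link as 'ok', 'lookalike' or 'unrelated' to the hotel domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unrelated"
    if parts.username is not None:
        # 'https://example-hotel.com@203.0.113.9/' shows the brand before '@'
        # but the browser connects to the host after it.
        return "lookalike"
    if registrable_domain(host) == hotel_domain.lower():
        return "ok"
    # Brand name embedded in someone else's domain. Dots and hyphens are ignored
    # so 'examplehotel-checkin.com' and 'example-hotel.com.verify.net' both trigger.
    brand = hotel_domain.split(".")[0].replace("-", "")
    if brand in host.replace("-", "").replace(".", ""):
        return "lookalike"
    return "unrelated"

def scan_email(body: str, hotel_domain: str = HOTEL_DOMAIN) -> list[tuple[str, str]]:
    """Extract every http(s) link from an email body and classify it."""
    return [(u, link_verdict(u, hotel_domain)) for u in URL_RE.findall(body)]

# Constructed sample email body; not a real message.
SAMPLE_EMAIL = """Dear guest, your reservation #12345 requires card re-verification
before arrival. Please confirm here: https://example-hotel-secure-checkin.com/verify
Our site: https://www.example-hotel.com/contact"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

A 'lookalike' verdict is the cue to ignore the link and call the hotel on the number from its official site.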

Use a virtual card for every travel booking

A virtual card is a one-time or merchant-locked card number generated by your bank and linked to your real account. The merchant only ever sees the virtual number, so if the merchant is breached the stolen number can be cancelled without touching your real card.

Most major banks now offer this for free: in the US, Capital One, Citi, and Bank of America have virtual cards. In India, ICICI and HDFC offer 'iMobile virtual cards' or similar. In the EU, Revolut and most challenger banks offer single-use cards in-app.

When booking, generate a fresh virtual card. Set a spending limit equal to your booking amount. After the trip, delete or disable the card. If the travel site is later breached, the stored card is useless to anyone.

Password hygiene for travel accounts

The single biggest amplifier of a travel breach is password reuse. If your Booking.com password was 'Vacation2024!' and you used the same password on Gmail, an attacker walks straight into your inbox.

Use a password manager. Bitwarden, 1Password, and Proton Pass all have free tiers sufficient for personal use. Generate a unique 16-character random password for every site.

Enable two-factor authentication on the travel account. Most travel sites now support TOTP (authenticator app) or SMS. TOTP is meaningfully better than SMS — SIM swap attacks routinely defeat SMS 2FA.

On Gmail and your password manager itself, use phishing-resistant 2FA — a passkey or hardware key. These are the recovery channels for every other account; they deserve the strongest protection you can deploy.

What to do RIGHT NOW if you used Booking.com recently

  • Change your Booking.com password to something unique. Use a password manager to generate it.
  • Reset the reservation PIN if Booking.com prompted you (they're doing this automatically for affected accounts).
  • Check your email for any 'hotel' messages about your bookings. Verify any suspicious one by calling the hotel on its official number.
  • Watch your card statement for unfamiliar small charges (fraudsters often test with $1 transactions before larger ones).
  • If you reused your Booking.com password anywhere else, change those too, today.
  • Enable 2FA on Booking.com under Account → Security.

Travel privacy beyond bookings

A few extra habits that pay off:

  • Use a VPN on hotel and airport Wi-Fi. Even with HTTPS everywhere, your DNS lookups can leak which sites you visit.
  • Disable auto-connect to known SSIDs. Attackers run rogue 'Hotel_WiFi' or 'Airport_Free' networks at airports waiting for phones to auto-join.
  • Take a 'travel laptop' if you can: fewer apps, no saved passwords for sensitive accounts. If lost or seized at a border, less is exposed.
  • Don't post real-time location on social media during travel. 'I'm at JFK!' tells anyone watching you're not at home and which security gate you'll be at.

Frequently asked questions

Is Booking.com safe to use after the breach?

Booking.com itself is patching the vulnerability and resetting affected PINs. Continued use is reasonable if you change your password, enable 2FA, and use a virtual card going forward. The lesson is operational, not an indictment of the platform.

Should I cancel my upcoming hotel reservation?

Probably not — cancelling and rebooking elsewhere doesn't help if the data is already exposed. Better: keep the reservation, but call the hotel directly (using their official phone number) to confirm details and warn them of any 'urgent payment' emails arriving in your name.

What if I already paid for a fake 'pre-authorization' link?

Contact your bank immediately and dispute the charge. If you used a credit card, you have stronger fraud protections than debit. File a report with the police if a substantial amount was lost. Reset the password on the breached account and any account using the same password.

Will my passport details have been leaked?

Booking.com generally doesn't store passports for hotel bookings, only for some flight bookings. If you used the platform for flights, treat your passport number as compromised — watch for tax-fraud or identity-fraud signs over the next year.

Should I trust other travel sites now?

All major travel sites are high-value targets. Apply the same hygiene everywhere: unique passwords via a manager, virtual cards for bookings, 2FA on the account, scepticism of any 'urgent' email asking you to click a link or share card details.


Ana Kovács · Senior Privacy Analyst

Ana has spent 9 years writing about consumer privacy, encryption protocols, and secure remote-work setups.
