Booking.com Confirms Hackers Accessed Customer Data: What Travelers Need to Know

The global travel giant Booking.com has confirmed a significant Booking.com data breach that may have exposed the personal information of its customers. The company, which handles millions of hotel and home reservations worldwide, acknowledged the incident on Monday after affected users began sharing notifications online.

This breach is a stark reminder that even the most trusted platforms can fall victim to cyberattacks. If you’ve recently booked a trip through Booking.com, here’s what you need to know about the compromised data and how to stay safe.

What Information Was Exposed in the Booking.com Data Breach?

According to the official notification sent to customers, hackers potentially accessed names, email addresses, phone numbers, and booking details. The company also warned that any information shared with the accommodation—such as special requests or arrival times—may have been compromised.

However, Booking.com assured customers that financial information, including credit card numbers and payment details, was not accessed in this incident. Physical addresses were also not taken, according to a company spokesperson.

How Did the Attack Unfold?

The breach first came to light when a Reddit user posted a notification they received from Booking.com. The user told TechCrunch that they had received a phishing message via WhatsApp two weeks earlier, which included their booking details and personal information. This suggests that hackers are now using the stolen data to launch targeted phishing attacks against customers.

Booking.com spokesperson Courtney Camp stated that the company noticed “suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information.” The company responded by updating the PIN numbers for affected reservations and informing customers directly.

Building on this, the company declined to disclose how many customers were impacted, leaving many travelers in the dark about the scale of the breach.

How to Protect Yourself After the Booking.com Breach

Watch Out for Phishing Scams

Phishing attempts are the most immediate threat following a data breach. Hackers may send emails or messages pretending to be from Booking.com, asking you to click links or provide additional information. Always verify the sender’s address and avoid clicking on suspicious links. For more tips, check out our guide on how to spot phishing emails.

Update Your Passwords

Even if your password wasn’t directly compromised, it’s wise to change your Booking.com account password and any other accounts that use the same credentials. Enable two-factor authentication for an extra layer of security.

Monitor Your Accounts

Keep a close eye on your bank statements and credit reports for any unusual activity. If you receive unsolicited messages asking for personal details, report them to Booking.com immediately.

What This Means for Online Travel Security

This incident is not an isolated case. In 2024, TechCrunch reported that hackers had infected hotel computers with consumer-grade spyware, including pcTattletale, which captured screenshots of the Booking.com administration portal. This highlights a growing trend: cybercriminals are increasingly targeting the travel industry to steal valuable customer data.

Booking.com has stated that it has taken action to contain the issue and is working to prevent future breaches. However, with over 6.8 billion bookings since 2010, the platform remains a prime target for attackers.

Final Thoughts: Stay Vigilant

The Booking.com data breach serves as a critical reminder for all travelers to remain vigilant. While the company has acted quickly to secure reservations, the stolen information could still be used in social engineering attacks. Always double-check communications from travel platforms, and never share sensitive information through unverified channels.

For more advice on staying safe online, read our article on travel security best practices.

FBI Takes Down Global Phishing Ring W3LL: What You Need to Know

In a significant blow to cybercrime, the FBI announced on Monday that it has dismantled a global phishing operation known as W3LL. This sophisticated scheme allegedly targeted more than 17,000 victims across the world, causing millions in potential fraud. The bureau collaborated with Indonesian police to execute the takedown, which included the arrest of the suspected developer and the seizure of critical domains.

How the W3LL Phishing Operation Worked

The W3LL operation was built around a phishing kit sold for $500 on underground forums. Cybercriminals used this kit to create fake login pages that mimicked legitimate services, such as email providers and financial platforms. These pages were designed to steal passwords and multi-factor authentication codes from unsuspecting users.

According to the FBI, the kit enabled criminals to attempt over $20 million in fraud. The operation also featured an online marketplace where stolen credentials and access to hacked systems were bought and sold. This marketplace facilitated the sale of more than 25,000 compromised accounts, making it a lucrative hub for cybercriminals.

International Collaboration Led to the Takedown

The FBI worked closely with Indonesia’s national police to bring down the W3LL infrastructure. The alleged developer, identified only as G.L., was detained as part of the operation. The bureau also seized key domains, effectively crippling the phishing network. This joint effort highlights the importance of cross-border cooperation in combating cybercrime.

Building on this success, the FBI has not yet released additional details about the investigation. However, the takedown sends a clear message to cybercriminals: law enforcement is increasingly capable of dismantling even sophisticated operations.

Impact on Victims and Cybersecurity

The W3LL phishing operation targeted a wide range of individuals and organizations. Victims likely included employees at companies, small business owners, and everyday internet users. The stolen credentials could have been used for identity theft, financial fraud, or further cyberattacks.

As a result, this case underscores the ongoing threat of phishing attacks. Cybercriminals are constantly refining their tactics, making it essential for users to remain vigilant. For example, always verify website URLs before entering login credentials, and enable multi-factor authentication where possible. Additionally, consider using a password manager to generate and store complex passwords.

Lessons for Businesses and Individuals

For businesses, this takedown serves as a reminder to invest in employee training and advanced security tools. Regular phishing simulations can help staff identify suspicious emails. Meanwhile, individuals should avoid clicking on links in unsolicited messages and report any suspected phishing attempts to authorities.

Furthermore, law enforcement agencies are urging victims of the W3LL operation to come forward. If you believe your credentials were compromised, change your passwords immediately and monitor your accounts for unusual activity. You can also file a complaint with the Internet Crime Complaint Center (IC3).

What This Means for the Future of Cybercrime

The dismantling of W3LL is a major victory for cybersecurity, but it is not the end of the story. Phishing remains one of the most common and dangerous cyber threats. In fact, similar operations are likely already being developed by other criminal groups.

However, the FBI’s success demonstrates that international law enforcement can adapt to these challenges. By targeting the infrastructure behind phishing kits and marketplaces, authorities can disrupt the cybercriminal ecosystem. This approach may deter some attackers and make it harder for others to operate.

Ultimately, the W3LL takedown is a reminder that cybersecurity is a shared responsibility. Governments, businesses, and individuals must work together to stay ahead of evolving threats. For more insights, check out our guide on how to prevent phishing attacks and cybersecurity best practices.

Iran-Backed Hackers Strike US Critical Infrastructure Through Internet-Connected OT Devices

Iranian-affiliated hackers have launched a series of attacks on US critical national infrastructure (CNI) providers, causing operational disruptions and significant financial losses, according to a recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA). The campaign, which began last month, specifically targets internet-facing operational technology (OT) assets, including programmable logic controllers (PLCs) from Rockwell Automation and Allen-Bradley.

This coordinated effort by an advanced persistent threat (APT) group has already affected government services, local municipalities, water and wastewater systems (WWS), and the energy sector. The attackers are manipulating project files and tampering with data displayed on human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) displays, as reported by CISA. These PLCs are critical for managing a wide range of industrial processes, making them prime targets for disruption.

How Iran Hackers Target US CNI via Internet-Facing OT Systems

The threat actors are exploiting internet-connected OT devices, bypassing traditional security perimeters. They use configuration software like Rockwell Automation’s Studio 5000 Logix Designer to establish ‘accepted connections’ to targeted PLCs. These connections often originate from overseas IP addresses and third-party hosted infrastructure, making detection challenging.

Inbound malicious traffic typically appears on ports such as 44818, 2222, 102, 22, and 502. Particularly concerning are attacks on port 22, where the hackers deploy Dropbear Secure Shell (SSH) software on victim endpoints to maintain remote access. This method allows them to persist within networks and continue their malicious activities undetected.

As a result, CISA has urged all US CNI providers to urgently review their systems for indicators of compromise (IOCs) and apply the recommended mitigations. The advisory emphasizes that the widespread use of these PLCs across critical infrastructure increases the risk of further targeting of other OT devices.

Immediate Actions for Critical Infrastructure Firms

In response to this escalating threat, CISA has outlined several critical steps for CNI operators. First, organizations should use secure gateways and firewalls to protect PLCs from direct internet exposure. This is a fundamental measure to reduce the attack surface for threat actors.

Additionally, firms must query available logs for the IOCs provided in the advisory and check for suspicious traffic on the associated ports, especially if it originates from overseas. For Rockwell Automation devices, placing the physical mode switch on the controller into the ‘run’ position can help prevent unauthorized modifications. If an organization has already been targeted, it should immediately contact the FBI, CISA, NSA, or other authoring agencies for guidance.

This campaign follows a similar attack in March, when the Handala group targeted US medtech firm Stryker, wiping tens of thousands of devices. It also echoes a 2023 operation by Iran’s Islamic Revolutionary Guard Corps (IRGC) that struck US water plants running PLCs from Israeli manufacturer Unitronics. These patterns highlight a persistent and evolving threat to critical infrastructure.

Expert Insights on the Attack Campaign

Security experts warn that this campaign did not emerge in a vacuum. Ross Filipek, CISO at Corsica Technologies, points out that years of high-profile infrastructure incidents have revealed two critical truths. First, many OT environments still have internet-reachable interfaces and remote access paths that were never intended to be permanent. Second, even limited disruptions can create outsized chaos, from emergency response strain to financial loss and reputational damage.

Filipek adds, ‘Each successful or even partially successful campaign lowers the barrier for the next one, and emboldens actors to move from nuisance-level defacement into real operational interference.’ This sentiment underscores the urgency of proactive security measures.

Steve Povolny, VP of AI strategy and security research at Exabeam, emphasizes that CNI firms operating OT should assume increased reconnaissance, credential harvesting, and opportunistic attempts to exploit systems during the US campaign in Iran. He notes, ‘Visibility gaps between IT and OT telemetry remain one of the most persistent weaknesses I see across critical infrastructure operators.’

Povolny recommends prioritizing passive network monitoring for control protocols, enforcing strict segmentation between enterprise and control zones, validating remote access pathways, and ensuring that engineering workstations and vendor maintenance channels are tightly controlled and logged. He stresses that incident response plans must explicitly account for loss of control system integrity, not just loss of data confidentiality. However, he fears it may be too late for much of this to have short-term impact.

For more on protecting critical infrastructure, see our guide on OT security best practices and learn about building an industrial cybersecurity framework.

Strengthening Defenses Against Future Attacks

To mitigate the risk of similar attacks, CNI providers must adopt a multi-layered security approach. This includes implementing robust network segmentation, deploying intrusion detection systems, and conducting regular security audits. Employee training on phishing and social engineering is also crucial, as these attacks often serve as entry points for deeper intrusions.

Furthermore, organizations should collaborate with government agencies like CISA and the FBI to stay informed about emerging threats. Sharing threat intelligence within the industry can help build a collective defense against state-sponsored actors.

Ultimately, the recent campaign by Iran-backed threat actors serves as a stark reminder that internet-facing OT systems are vulnerable to exploitation. By taking immediate action and adopting long-term security strategies, US CNI providers can better protect their critical assets from future attacks.