Yesterday’s Basic-Fit hack has not been the only relevant cybersecurity event in recent days. Last weekend several Booking users received emails with less-than-reassuring content. In these messages, the company reported that an attacker could have had access to information about their reservations. On Monday Booking confirmed that the security flaw existed, but it has not given many details about the problem.
Your name and reservations were leaked, your card details were not. The information accessed by the attacker(s) includes names, email addresses, phone numbers and booking details. However, Booking has stressed that users’ financial data was not part of this unauthorized access, and that users’ home addresses were not accessed either. To try to mitigate possible problems, the company forced a reset of the backup PINs of all affected reservations, both active and past.
Too many unknowns. Although it has confirmed the incident, Booking has not clarified what happened, and it is not clear whether its systems were hacked directly or the problem occurred through other means. There are also no details on the number of users affected, nor on whether the problem is broad in scope or limited to certain countries or regions. Booking has indicated that it will inform affected users individually, without giving figures. According to its own website, Booking manages hundreds of millions of reservations a year, and it is estimated to have about 135 million users of its mobile app.
Phishing attacks have already started. These types of data thefts are exploited for massive phishing attacks, and it appears that such attacks have already begun. At least one user indicated on Reddit that he had received a suspicious message on WhatsApp with details of his reservation and personal information. That seems to confirm that the attackers were already using the stolen data to deceive customers before the public announcement occurred.


But beware of “follow-up” phishing. In this case the risk is somewhat greater, because this is the type of platform from which we are not surprised to receive messages about the progress of a reservation (in the style of “There is one week left for your trip!”). Attackers can now generate precisely these types of smishing messages, fraudulently using the reservation data they have extracted to appear legitimate. If you are a Booking customer and have a pending reservation, be especially careful if you receive one of these follow-up messages.
It’s not the first time. In 2021, Dutch regulators fined Booking.com 475,000 euros after a hack exposed the data of more than 4,000 customers, including credit card information in some cases. On that occasion, Booking notified the Dutch authorities of the cyberattack 22 days late, well beyond the 72-hour limit required by the GDPR, which is why the company was fined. In June 2024, the platform itself warned that phishing attacks against its customers had increased by 900% thanks to the use of AI. The company has reported the security breach to Dutch authorities, but it remains to be seen whether it again took too long and could face further fines.
What to do if you are a Booking user. Theoretically nothing, if you have not received an email from Booking.com notifying you of the problem. If you have received one, it is important that you distrust any message, call or WhatsApp that mentions details of your reservation, even if it seems legitimate. Attackers may have data about your reservations and may be using it to deceive you. You should not provide your financial data through any channel other than the platform’s official website or app. This data can also be used for phishing attacks that appear to come from other services and use your name or email, since this information is usually sold on to be reused by other groups that carry out massive phishing campaigns.
