Booking.com Got Breached. Your Reservation Was the Weapon.
Booking.com disclosed a data breach on April 13, 2026, exposing customer PII through a supply chain attack targeting partner hotels rather than core systems. Threat actors likely used the ClickFix technique to trick hotel staff into running malicious PowerShell scripts that stole session cookies, bypassing passwords and MFA entirely. The stolen reservation data (guest names, check-in dates, booking references) was then weaponized for highly convincing phishing messages. Mitigations discussed include Device Bound Session Credentials (DBSC) to cryptographically bind sessions to hardware, and PowerShell Constrained Language Mode to block execution policy bypasses.
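The session-binding idea behind the DBSC mitigation mentioned above, as an added example that is not from the original article: a simplified model (not the DBSC wire format) in which the server refreshes a short-lived cookie only for a signature made with the key registered at login. The class and function names are hypothetical, and a software P-256 key stands in for a hardware-held, non-exportable one.

```javascript
// Simplified model of device-bound sessions; NOT the DBSC wire format.
// Server, register, challenge, refresh, newDeviceKey and demo are hypothetical names.
const crypto = require('crypto');

class Server {
  constructor() { this.sessions = new Map(); }
  // Login: remember the device's public key next to the session id.
  register(publicKey) {
    const id = crypto.randomBytes(16).toString('hex');
    this.sessions.set(id, { publicKey, challenge: null });
    return { id, cookie: this.issueCookie() };
  }
  // Short-lived bearer cookie; on its own it says nothing about the device.
  issueCookie() {
    return { value: crypto.randomBytes(16).toString('hex'), expires: Date.now() + 600000 };
  }
  // Refresh step 1: hand out a fresh, single-use challenge.
  challenge(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32);
    return s.challenge;
  }
  // Refresh step 2: a new cookie is issued only for a valid signature over that challenge.
  refresh(id, signature) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge) return null;
    const challenge = s.challenge;
    s.challenge = null; // consumed even when verification fails
    return crypto.verify('sha256', challenge, s.publicKey, signature) ? this.issueCookie() : null;
  }
}

// Assumption: stands in for a key that real hardware would never export.
const newDeviceKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

function demo() {
  const server = new Server();
  const device = newDeviceKey(); // workstation that logged in
  const other = newDeviceKey();  // machine holding only a copied cookie and session id
  const { id } = server.register(device.publicKey);
  const sign = (key) => crypto.sign('sha256', server.challenge(id), key.privateKey);
  const legit = server.refresh(id, sign(device));
  const copied = server.refresh(id, sign(other));
  const noChallenge = server.refresh(id, Buffer.alloc(64)); // nothing outstanding
  return { legit: legit !== null, copied: copied !== null, noChallenge: noChallenge !== null };
}
```

In this model a copied cookie is usable only until it expires, because every refresh needs the private key that stayed on the original device.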