The company, which manages more than 28 million accommodation listings worldwide, connects travellers with hotels, apartments, and other properties across hundreds of countries, while also offering services such as flights, car rentals, and attractions, News.Az reports, citing ABC News.
In an email sent overnight to affected users, Booking.com stated that the information potentially accessed could include booking details, names, email addresses, physical addresses, phone numbers, and any additional information that customers may have shared directly with the property.
"The security of your personal information is our utmost priority. We'll continue to enhance and extend the robust security measures we have in place to secure your reservations with us."
The company said reservation PIN numbers had been changed "to keep your booking secure".
It also advised customers to take extra precautions, including installing antivirus software, to help protect against threats like phishing attempts — scams where criminals trick people into revealing personal or financial information by posing as trusted organisations.
In a statement, a Booking.com spokesperson said it could confirm that financial information was not accessed from its systems.
It is not known how many customers have been affected.
The news comes as the travel giant recently came under scrutiny following a sharp rise in complaints over lost money and trashed properties, and amid an already uncertain time in the tourism sector because of the Iran war.
Scams involving Booking.com customers have been on the rise recently, with Steve Atkin from Port Macquarie on the New South Wales mid-north coast one of many customers who have been targeted.
He said he was left confused and frustrated after receiving a call from someone impersonating a Booking.com staff member, which led to money being taken from his account and sent overseas.
He said the incident unfolded after booking accommodation in Bali in December. He raised concerns about the property, chose to leave for another hotel and requested a refund through Booking.com.
He said he was contacted over the phone a few days later by someone claiming to be a Booking.com customer service agent, responding to the refund request.
"He wanted my card details. I said if you're a genuine Booking.com agent, you should already have that on file," Mr Atkin said.
"I checked my bank account later and $100 had been deducted."
He said he later contacted Booking.com, which told him the individual involved had never worked for the company and was not authorised to act on its behalf.
"I didn't give him my credit card details, my booking was made through Booking.com, so I have no idea how he got my details, why he knew about my refund request, or how he got my money," he said.
Mr Atkin said he received a refund for both the fraudulent transaction and his accommodation two months later.
