Hackers are exploiting legitimate hotel reservations from over 350 properties worldwide to launch convincing spear-phishing campaigns. The targeted attacks use genuine booking details to bypass user skepticism.
Scammers have found a new angle for credential theft: your actual hotel reservations. By accessing customer data from more than 350 hotels globally, attackers are crafting highly personalized phishing messages that reference real bookings, making them far more likely to succeed.
How the scam works
The attacks typically arrive as emails mimicking hotel confirmation updates or account notifications. Because the messages reference genuine reservation details—booking dates, confirmation numbers, guest names—recipients are more inclined to click malicious links or provide sensitive information.
Once clicked, victims land on fake login pages designed to steal credentials. These can then be used to compromise email accounts, payment methods, and other linked services.
The scope
Security researchers have identified compromised data from hospitality chains across multiple continents. The breadth of affected properties suggests either a widespread vulnerability in hotel booking systems or data broker networks selling stolen reservation information to scammers.
What to watch for
Legitimate hotel communications typically:
- Come from official hotel domains or recognized booking platforms
- Don't request passwords via email
- Include verifiable contact information
If you receive unexpected hotel-related emails, verify independently by logging directly into your booking account or calling the hotel's main line—not numbers provided in the email.
Protection steps
Enable two-factor authentication on hotel loyalty accounts and email. Use unique, strong passwords for travel bookings. Consider using a password manager to avoid reusing credentials. Monitor bank and credit statements for unauthorized charges.
Hotels should review security protocols and notify affected guests of potential data exposure. Customers should remain vigilant: the more personal the phishing message, the more suspicious it warrants.
Federal authorities arrested a 21-year-old Florida man suspected of stealing over $220,000 in cryptocurrency through malware-infected Steam games. The scheme infected approximately 8,000 devices and compromised 80 crypto wallets between May 2024 and February 2026.
Ernst & Young is notifying customers of a data breach stemming from a compromised third-party support ticket system used by its IT personnel. The breach exposed customer information stored within the platform.
US Homeland Security Investigations seized over 30,000 mobile SIM cards across the country in an operation targeting infrastructure used for widespread telephone fraud.
Your smart fridge, washing machine, and dishwasher are collecting data about your habits and usage patterns. Here's what you need to know about what they track and how to find out.