Have I Been Pwned has added BCD Travel - one of the world's largest corporate travel-management companies - to its breach corpus with 396,313 unique email addresses. BCD Travel arranges business travel for large enterprises and government clients worldwide, so the exposed dataset likely skews toward corporate and frequent-traveler accounts. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected travelers should anticipate travel-themed phishing - itinerary updates, booking confirmations, loyalty-program lures - and should rotate any reused passwords and enable MFA.
Booking.com has confirmed unauthorized access to its systems that exposed guest reservation data including names, email addresses, phone numbers, postal addresses, booking details, and any messages shared with accommodation providers. The company began emailing affected customers over the weekend but did not send alerts via the Booking.com app, creating confusion about whether the notification emails were legitimate. Booking.com says financial data was not accessed. The company has reset PIN numbers for affected reservations. The number of impacted users has not been disclosed, though Booking.com lists 6.8 billion bookings since 2010 across 30+ million properties. Reddit users are already reporting scam messages from people who appear to have real reservation details, suggesting attackers are using the stolen data for targeted phishing. The Register notes this follows a similar 2021 breach pattern where attackers compromised hotel staff logins to access the platform.