The day I discovered my Booking.com wallet had been hacked
First things first... why on hell did I have money on the Booking.com wallet? Well, because they messed up a reservation that I had made and gave me back the money that they owed me on the wallet. We are talking here about MY money, that I had already paid with my credit card, so there is no good reason for them to refund the amount on the wallet, just to begin with.
Anyway, at this point I was just upset, not worried, until I opened my Booking.com account to plan a vegan-friendly trip, only to find that the 50 Euro credit in my wallet had vanished. Instead, there was a reservation for a hotel in a city I’d never visited— booked by someone else, paid for with my money. Panic set in. How had a stranger accessed my account? Why was there no fraud alert? No reservation email either? Apparently they just send the confirmation to the email that you write in final details form, not to the email linked to the account.
What followed was a six-month ordeal to recover my funds—a journey that exposed glaring gaps in Booking.com’s security protocols and customer support. Here’s what happened, and what you need to know to protect yourself.
The Reddit rabbit Hole: “This happens all the time”
After filing a fraud report with Booking.com without any real commitment on their part to fix the issue, I turned to Reddit. What I found was chilling: dozens of users described unauthorized bookings draining their wallets, often linked to accounts with strong passwords and 2FA enabled. Multiple threads talked about an "inside job", and speculated that compromised Booking.com employee accounts or API vulnerabilities enabled the thefts. What is worst is that every single user reports little to no help at all from Booking.com customer service.
My battle plan to recover the funds
As soon as I discovered that my wallet was empty I tried to get some help from the company, but the only answer I got for months was that they escalated my case to some supervisor...
So I just kept phoning, writing email to the company, my local Police authorities, to the Dutch Data Protection Authority and most importantly to Booking.com chat on facebook.
After 3 months I finally got the money back on the wallet, secured again my account with 2 factor protection and guess what !?! AFTER 48 HOURS THE WALLET WAS EMPTY AGAIN, someone booked a flight with it.
I had to do it over again, other 3 months went by, they gave me back my money and now I have used all the wallet to make a reservation. I don't feel safe using this platform anymore, I am checking the reservation every day as I fear that someone could just cancel it and steal the money again...
I will keep you updated on what's going to happen
Please share your similar experience here!
I’m dealing with exactly the same situation right now, and honestly it’s beyond disturbing.
I’ve been using Booking.com for around 15 years and I’m a top-level Genius customer. Never had a single issue before. Everything worked perfectly — until the moment I received wallet credits.
That’s when all of this started.
My travel credits were stolen once, used for a booking in Indonesia (same pattern as everyone here). I had zero notifications — no login alert, no 2FA prompt, no booking confirmation, nothing. Complete silence.
After weeks of fighting with support, I finally got my €25 refunded to my wallet. And here’s the insane part — it was stolen again almost immediately.
I was monitoring my account like crazy after the first incident — checking it every 15–20 minutes, logging out of all devices, everything. Still didn’t help. Second breach happened anyway.
Both times: • Bookings linked to Indonesia • Account details changed (phone number, etc.) • No alerts, no emails, no security warnings
I have 2-factor authentication enabled, and clearly it does absolutely nothing in this case. So what exactly is the point of it?
Also interesting detail — this only happens with wallet credits. Think about that.
At this point, I honestly don’t believe this is just random external hacking. It looks like either a serious internal vulnerability or something worse.
And judging by how long this has been happening and how many people report the same pattern, it’s hard not to think that Booking.com is fully aware of it.
I agree with others here — the lack of real action or transparency makes it look like they’re just letting it happen.
I’ve decided I’m done with this platform. After June, I will not use Booking.com ever again. No booking is worth this level of stress, risk, and complete lack of security. Next time I even think about booking something there — I’ll immediately drop the idea.