
Analysis of the April 2026 Booking.com Supply Chain Breach and ClickFix Tactics
CybersecurityDataBreachPhishingSupplyChainAttack
On April 13, 2026, Booking.com notified customers about unauthorized access to personally identifiable information (PII). Attackers compromised partner hotels using "ClickFix" tactics, deceiving staff into executing scripts that exfiltrated session cookies to bypass multi-factor authentication (MFA). The hijacked hotel sessions allowed threat actors to message guests via the official app, using real booking details to craft convincing phishing lures.