Booking.com Breach Exposes Millions: Storm-1865 ClickFix Attack Hit 170 Hotel Partners

Storm-1865 is a Microsoft-tracked threat cluster that has systematically targeted the hospitality sector since at least December 2024. The group's core technique is impersonation of Booking.com internal communications — specifically, messages to hotel staff about guest complaints, review requests, or property listing issues requiring urgent action. These arrive with operational legitimacy: hotel front-desk staff receive Booking.com communications routinely, and complaint notifications trigger the guest-service instinct that attackers exploit.

The attack chain begins with a phishing email or message sent to hotel staff impersonating Booking.com's partner portal communications. The message directs the target to a page hosting a ClickFix payload — typically a fake Cloudflare verification challenge claiming the user must prove they are human before accessing the complaint details. Once the payload executes, Storm-1865's malware harvests the hotel staff's Booking.com portal credentials. Attackers then authenticate to the legitimate platform and query customer reservation records across all properties managed by that account.

Because the access uses valid credentials through Booking.com's own portal, the exfiltration generates no anomalous API behavior — it appears identical to normal hotel staff activity. This is the defining characteristic of supply-chain attacks through partner networks: the breach of the end customer's data occurs via a trusted, authenticated channel that bypasses the target platform's perimeter defences entirely. As documented in our earlier analysis of the [ShinyHunters Salesforce campaign](/blog/shinyhunters-mcgraw-hill-salesforce-breach-45-million), cloud platform partners consistently represent the softest path to high-value customer databases.

ClickFix exploits human problem-solving instinct rather than technical vulnerabilities. Unlike traditional malicious attachments or exploit-loaded URLs, ClickFix presents users with what appears to be a legitimate technical problem requiring their direct intervention — a CAPTCHA to prove they are human, an error message explaining a browser plugin needs updating, or a verification prompt to access restricted content.

In Storm-1865's confirmed campaign, the ClickFix prompt is deployed through a page impersonating Cloudflare's Turnstile verification widget — a context hotel staff have been conditioned to accept as routine. The fake verification page instructs users to complete the check by pressing keyboard shortcuts. What the page does not disclose is that a hidden JavaScript clipboard event listener has already copied a malicious PowerShell command to the system clipboard via document.execCommand or the Clipboard API before the user begins interacting with the CAPTCHA.

This technique defeats standard phishing awareness training on two fronts: first, no malicious link is clicked and no attachment is opened, so the core trained behavioral signal is absent; second, the keyboard action sequence — Win+R, Ctrl+V, Enter — is presented as a legitimate security verification step, not a suspicious request. The deployed malware suite spans six confirmed families: XWorm and VenomRAT for persistent remote access, Lumma Stealer and AsyncRAT for credential extraction and surveillance, Danabot for banking data theft, and NetSupport RAT for legitimate-tool-abuse remote administration. The breadth of the toolkit suggests Storm-1865 monetizes compromised hotel systems across multiple revenue streams, not just the Booking.com portal data theft.

Booking.com has not disclosed the total number of customers affected. The platform's scale makes the potential exposure significant: Booking.com handles over 1.5 million room nights per day across 28 million listed accommodations in 220 countries and 220+ territories. Storm-1865's compromise of 170+ hotel partners across four global regions is a fraction of Booking.com's partner network — but even a small percentage of 500 million registered accounts represents a data set of material size.

The data profile exposed — names, email addresses, phone numbers, postal addresses, upcoming reservation check-in dates, property names, and direct communications with hotels — is classified in threat intelligence as high-context PII. Unlike credential dumps that require technical exploitation to weaponize, high-context PII can be immediately operationalized for social engineering. A threat actor with this data set can impersonate Booking.com support with exact reservation references, pose as the booked property requesting payment confirmation, time phishing messages to check-in dates for maximum urgency, and build spear-phishing campaigns against high-value targets by correlating travel patterns with corporate calendar access.

For organizations whose employees use Booking.com for business travel, the exposure extends beyond personal risk. Business travelers frequently use corporate email addresses for reservations — the same contact details that authenticate enterprise SaaS accounts, MFA enrollment, and IT helpdesk identity verification. Travel data in the hands of a threat actor with enterprise targeting intent becomes an attack surface against the employer, not only the individual.

Within days of Booking.com's breach notification reaching customers, Malwarebytes and multiple security outlets documented a surge in reservation hijack scams directly referencing stolen booking details. In these attacks, fraudsters contact breach victims via phone, WhatsApp, or email impersonating either Booking.com support or the booked hotel — using the exact reservation reference number, check-in date, and property name to establish false credibility.

The social engineering script follows a consistent pattern: the fraudster claims the target's booking has been flagged for a payment issue, that a room upgrade requires card verification, or that the property has implemented a new security deposit process. Urgency is reinforced by proximity to the actual check-in date — a traveler departing in three days is less likely to challenge a payment verification request than one whose trip is months away. Victims are directed to a spoofed payment page and prompted to re-enter payment card details that the attacker does not already have, since financial data was not exposed in the underlying breach.

This two-stage attack model — data breach enabling social engineering enabling payment fraud — is precisely why high-context PII commands premium pricing on dark web markets. The breach victim list from this campaign is not simply another credential dump; it is a curated lead list for targeted fraud, ranked by check-in date proximity and enriched with the contextual detail needed to run a convincing impersonation without any technical attack on the victim's systems.

Microsoft's threat intelligence on Storm-1865 confirms targeting across North America, Oceania, South and Southeast Asia, and Europe — matching Booking.com's core operating geographies. The group specifically targets individuals at hospitality organizations that work with Booking.com as a booking channel, with front-desk staff, reservations managers, and property operations coordinators as the primary social engineering targets.

The hospitality sector's security posture makes it a preferred target for supply-chain attacks of this type. Hotel properties — particularly independent and boutique properties rather than corporate chain infrastructure — often operate with limited IT security staffing, shared workstations in high-traffic environments, and minimal endpoint detection capability. Staff turnover is high, security awareness training is inconsistent, and the pace of guest-facing operations creates pressure to act quickly on communications that appear urgent and legitimate.

The Booking.com channel is particularly well-suited to Storm-1865's approach: hotel staff interact with Booking.com's partner portal daily, receive platform notifications routinely, and are accustomed to responding to guest complaints through the system. The credential theft pattern here mirrors the OAuth2 token exfiltration documented in our [malicious Chrome extensions investigation](/blog/malicious-chrome-extensions-oauth2-token-theft): in both cases, the attacker's goal is not to break authentication but to steal the authenticated session itself from the human who legitimately holds it.

For hotel operators and hospitality technology vendors, the primary defensive priority is determining whether any staff systems have been compromised. The ClickFix attack leaves a specific behavioral signature: a Windows Run dialog executing PowerShell from clipboard content is not a pattern that occurs in legitimate hotel operations. Any EDR with process command-line logging should surface this activity if it occurred.

For corporate travel managers and security teams, the defensive focus shifts to the post-breach social engineering risk: employees who have traveled recently or have upcoming bookings via Booking.com should be briefed on reservation hijack scam indicators before their next trip. A fraudulent call referencing a specific reservation number, check-in date, and hotel name is not a random phishing attempt — it is a targeted attack using data confirmed to be in circulation.

The Booking.com data breach confirms a structural vulnerability in the hospitality sector's security supply chain: Storm-1865 did not need a zero-day or a credential stuffing campaign against Booking.com itself. They needed 170 hotel partners with insufficient endpoint security and a workforce conditioned to act quickly on platform notifications. The reservation data is now on dark web markets — high-context travel PII priced for immediate social engineering use. If you have an upcoming Booking.com stay, treat any contact referencing your specific booking details as a potential attack. If you manage hotel operations on the platform, rotate credentials and check your access logs before your next guest checks in.