The frenzy over Bad Bunny tickets in Madrid has been compounded by a new problem: your dream trip turning out to be a scam due to the latest cyberattack on Booking. In recent days, many users on social media have reported that they booked a hotel or apartment and now fear that, upon arriving in the capital, they will find that the room was already occupied or never existed.
In April, Booking acknowledged that it had suffered a cyberattack that allowed unauthorized third parties to access data linked to some customers’ reservations. The platform itself has admitted that the attackers were able to view names, email addresses, phone numbers, and reservation details (dates, accommodations, messages exchanged), although it insists that no financial data, such as credit card numbers, was leaked.
With that information in hand, cybercriminals have begun launching highly targeted phishing attacks: emails, messages, and WhatsApp messages that include real booking details and pose as the hotel or Booking to request extra payments, confirm alleged changes, or redirect the user to fake websites. The National Cybersecurity Institute (INCIBE) and the company itself warn that these fraud attempts may increase during periods of high demand.
Why this particularly affects those coming to see Bad Bunny
The Puerto Rican artist’s ten concerts at the Riyadh Air Metropolitano are expected to draw around half a million people between May 30 and June 15, with many arriving from outside Madrid and needing a hotel or apartment for one or more nights. This context is perfect for scammers: high demand for accommodations, reservations made well in advance, skyrocketing prices on key dates, and fans willing to look for last-minute “bargains” or accept changes without asking too many questions just so they don’t miss out on the trip.
Added to this is a fundamental problem that cybersecurity experts have been pointing out for years: Booking allows accommodations to join its network with controls that don’t always detect fake listings or hacked business accounts in time , which opens the door for apartments and hotels to be listed that don’t actually exist or are already booked by other guests. The result is the scenario many fear and some are already reporting: arriving in Madrid, showing your confirmation… and discovering that the accommodation is occupied, does not recognize your reservation, or isn’t even listed on the site because the account has been deactivated following the fraud.
How the scams are taking place
The patterns described by cybersecurity agencies and the victims themselves are recurring.
Some examples:
- Messages arriving via email, WhatsApp, or SMS mentioning your name, exact dates, and the booked hotel, warning of an urgent problem: “payment error,” “overbooking,” “need to verify your card for the Bad Bunny event,” etc.
- Links that appear to be from Booking or the accommodation provider, but which actually lead to fake forms where card details are requested again or a transfer is requested “to secure the reservation during high-demand periods.”
- Alleged “last-minute changes” offered by the accommodation itself, asking you to cancel and pay again outside the platform—a practice that opens the door to double charges or leaving you without a room and without money.
The problem is that, since the attackers have real booking data, their messages seem much more credible than generic phishing attempts. That’s why both Booking and experts emphasize a key point: the platform will never ask for your card details or request additional payments through external channels (email, WhatsApp, phone calls) other than its app or official website.
What INCIBE recommends
Both the platform and organizations such as INCIBE and law enforcement agencies have issued a series of clear guidelines.
Among them:
- Never share card details via email, phone, WhatsApp, or social media, even if the message includes actual details of your reservation.
- Always access your reservation by typing the Booking URL into your browseror using the app, not through links sent to you in messages.
- Verify any changes directly with the accommodation using official contact information (their website, verified phone number, etc.), and do not give in to pressure to pay “right away.”
- If you suspect you’ve entered your information on a fake website, contact your bank immediately to block your card and file a report with the police.
Booking, for its part, has forced a reset of the PINs for the affected reservations and claims to be strengthening its systems, though it has not specified how many Spanish users are involved.
