A recent spear-phishing campaign targeted a California hotel after its Booking.com credentials were stolen. The scam involved sending targeted messages within the Booking mobile app, claiming additional information was required for anti-fraud purposes. Booking.com confirmed a security incident affecting one of its partners, allowing unauthorized access to customer booking information. The company now requires two-factor authentication for partners, but it's unclear if this is enforced for all accounts. Cybercriminals are increasingly targeting Booking.com hospitality partners, with attacks rising 900% in 2024. The article also explores various cybercrime services aimed at phishers targeting hotels that use Booking.com, including the sale of compromised accounts and tools for automated login attempts.