Analysis of the April 2026 Booking.com Supply Chain Breach and ClickFix Tactics

The April 13th notification from Booking.com regarding customer PII access is a significant example of supply chain exploitation. Attackers targeted partner hotels using “ClickFix” tactics, tricking staff into running scripts that exfiltrate session cookies to bypass MFA. By hijacking these hotel sessions, threat actors can message guests through the official app. They weaponize real data like check-in dates and booking references to make phishing lures look authentic. This shift toward session hijacking suggests a need for wider adoption of Device Bound Session Credentials (DBSC) and stricter PowerShell policies like Constrained Language Mode to protect distributed partner networks. The full technical breakdown of the “stager” mechanics and the session hijacking flow can be found at the direct link below: https://infosecwriteups.com/booking-com-got-breached-your-reservation-was-the-weapon-fcf6c0ac334f submitted by /u/CNRC0 [link] [comments]Technical Information Security Content & DiscussionRead More