Two-factor authentication is an extra layer of security used to further protect your account by making sure that the person trying to access to your account is actually you. First, you enter your username and password. Then, instead of immediately gaining access, you need to provide another piece of info. This additional credential check can come in a variety of ways.
As a Booking.com Partner, it comes in the form of a PIN (personal identification number) sent to your authenticated device. A good example of this is how debit cards work. The card alone isn't enough to access to your funds despite it being in your possession – a PIN is also required.
How can my account still get hacked?
Authentication works in several ways. First, your username is an indicator that you have an account on Booking.com. Once this is checked, your password is then checked to match the username you provided. Does it match? All good!
This is where 2FA comes in. You'll be sent an additional PIN to your already authenticated device as an additional layer of security, since you have very sensitive data (guest personal and payment details) on the Extranet.
Two-factor authentication is as secure as you let it be. If you share your username and password along with your 2FA PIN, this means anyone you provided these to will have access to your property and guest details.
I think my account was maliciously accessed. What do I do now?
If you think you might have inadvertently provided your login details & 2FA PIN to an unauthorized third party, you must notify Booking.com immediately – your contract with Booking.com requires you to report an actual or suspected account takeover within 24 hours.
Good to remember:
Booking.com will never ask for your username, password, or two-factor authentication (2FA) PIN for any reason.
If anybody—whether they claim to work for Booking.com or at the property—asks for your username, password, or 2FA PIN, hang up and contact us via https://partner.booking.com/help/legal-security/report-security-issue.
Share this info with your staff and encourage them to take the same precautions – scammers prefer to call at night when there isn't as much support staff.
If you’re unsure, always contact us via the link below before taking any action:
If you receive messages or phone calls asking you to make changes within your account (e.g. changing contact details, adding email addresses, confirming personal info, etc), always verify that the request is coming from a legitimate source. If it supposedly came from Booking.com, call our Customer Service team to verify it. If the caller claims to be an employee of your property, call the colleague and verify the request.
I think my account was taken over. What do I do now?
Follow these steps to secure your account:
Reset your Booking.com account password. You can do so by visiting admin.booking.com, then clicking "Forgot your password?"
Check all the info on the Extranet to see if anything was changed (contacts, rates, availability, content, etc.).
Report it! Since you have info that is considered personal (and therefore sensitive), please contact Booking.com immediately to let us know that your account may have been compromised. To help you and your guests as quickly as possible, your contract with Booking.com requires you to report an actual or suspected account takeover within 24 hours. You can do this by contacting our Security team via https://partner.booking.com/help/legal-security/report-security-issue.
Don’t forget to include any and all info that might be useful, such as who the caller/sender identified themselves as (original email with headers if via email), and what was discussed.