Major Data Breaches Hit Basic-Fit and Booking.com, Exposing Millions of User Records
Fitness giant Basic-Fit and global travel platform Booking.com have both fallen victim to significant security breaches, exposing the personal data of millions of users across Europe. The incidents, while occurring around the same time, are believed to be unrelated, though they collectively highlight the ongoing vulnerabilities facing large-scale consumer databases.
Basic-Fit has confirmed a massive data leak affecting approximately 1 million members across six countries: the Netherlands, Belgium, France, Spain, Luxembourg, and Germany. The breach is particularly acute in the Benelux region, with roughly 200,000 customers impacted in the Netherlands and between 150,000 and 200,000 affected members in Belgium. According to reports on the dual breaches, the stolen information includes highly sensitive data such as bank account details, names, physical addresses, email addresses, phone numbers, and dates of birth.
The company stated that the unauthorized access targeted the system used to register member visits to fitness clubs. Basic-Fit claims the attack was identified by its system monitoring and stopped “within minutes” of discovery. Despite the rapid response, hackers had already successfully downloaded data for roughly one-fifth of the company’s membership base. Basic-Fit has since notified the Dutch privacy regulator, the Autoriteit Persoonsgegevens (AP), adhering to the mandatory 72-hour reporting window. The fitness chain emphasized that passwords and identity documents were not compromised in the attack.
Simultaneously, Booking.com has issued a warning regarding a separate security incident. The travel platform noted that unauthorized third parties may have accessed certain booking data, including names, email addresses, physical addresses, and telephone numbers. In some instances, personal information that users shared directly with accommodations may have also been viewed. The company’s alert to customers underscores the risk of unauthorized access to sensitive traveler itineraries.
While there is currently no evidence that the leaked data from either company has been published online or actively misused, the scale of the breaches poses a significant risk of targeted fraud. As of April 13, 2026, Basic-Fit has notified affected members via email and advised them to remain hyper-vigilant regarding phishing attempts. The company explicitly warned users to never provide sensitive information, such as passwords, in response to unsolicited emails or phone calls.
These security failures underscore the critical importance of data minimization and robust encryption in an era of increasing cyber threats. For Booking.com, the exposure of customer names and addresses adds to a growing trend of high-profile data thefts targeting the travel and wellness sectors.
Further details regarding the identity of the attackers have not yet been released. Both companies are reportedly working with external security specialists to monitor the situation and prevent further unauthorized access. Users concerned about their data can refer to the official notices regarding the Booking.com leak for more information.
