Cybercriminals recently launched a phishing campaign targeting Booking.com customers whose information was illegally obtained, possibly by breaching certain partner hotels, according to multiple reports.

According to a June 3 report from The Sun, users have received WhatsApp and text messages warning them to change their passwords following a supposed security breach. By clicking on the accompanying malicious link, victims are unknowingly giving the adversaries access to their bookings.

Users are then reportedly sent an additional message demanding that they send an advance payment for their booked vacations to a bank account belonging to the cybercriminals. These messages look like the real deal because they include stolen personal information such as names, addresses, phone numbers, dates, booking prices, and reference numbers.

Booking.com reportedly told the Sun that the information was likely obtained by breaching certain hotels that it works with via a portal website separate from the travel company’s main systems.

“In this case, there has been no compromise on Booking.com systems,” a Booking.com spokesperson told the Independent. “A small number of properties have been targeted by phishing emails sent by cybercriminals and by clicking on those emails, the properties compromised their accounts. All potentially impacted guests have been notified and because we value our customers at Booking.com, we are supporting impacted guests to compensate for any losses incurred, and reclaim these from the property.”