Okay so this is crazy.
I, like thousands of others, have been receiving daily booking.com confirmation e-mails lately.
This is probably because of a leak they've hidden instead of going public with, but that's not the worst part.
I looked up the issue and apparently thousands are getting these e-mails.
But hey, you still need to go through a link from your e-mail to set your new password, right?
No!
Apparently their login mechanism lets everyone log in as you as long as you click a huge "I verify this is me" button, even if they are on the other side of the earth, so one fumble with your phone and you grant some random person access to your account, and if these people send you 10 requests a day, yeah, you get the point.
But it gets worse.
You can't even log in with a password anymore; every time you press login you get the same login e-mail scammers are sending, with no ability to discern who sent what.
But wait it gets much worse.
At first I almost deleted my account, but thought, hey, I'll just set up two-factor and assess the situation.
After enabling two-factor and seeing a big green "Twofactor verified" badge, I tried logging out again, then clicked on "sign in". I wrote my e-mail and, to my horror, the page displayed "We've sent you an email to let you login". I went to Gmail; surely this e-mail would take me to a site that required two-factor authentication?
No two-factor! Not even a password or a query string. Just the same e-mail scammers are sending 5 times a day, and access to all of my information with absolutely no trace of any two-factor.
I urge everyone to either delete their booking.com accounts, e-mail them about this issue or contact some appropriate authority.
This was 20 days ago.