Great catch! I always check whether company Y has the right details about me. If they don’t, I automatically delete and report it. If they do, I let my guard down. Even though it seems so obvious after reading your post, it never occurred to me that company Y might also be compromised to this level. Also, catching something this sneaky would require a lot more entropy than most people would be willing to expend. I wonder what the response from Booking will be for this long-term?