My account has been hacked. The normal login (email with one time code) is not secured. There seems to be a back-door where a hacker can book (2 flights in my case) without logging in (my email is properly secured, with a hard password and 2FA. There is no trace of a one time code email) and use the payment means I had attached to my account (which I removed having seen this of course). When calling booking.com they try to push away their responsability, won't acknowledge this kind of fraud is possible, and the call center's operator mastery of french (my selected language) is poor at best.
