Sounds like they're under active attack due to some poor initial practices & having a hard time getting in front of it.
I suggest changing your email with booking.com to something the attackers wouldn't know.
Using the Gmail option of extending your normal username with '+' something – eg use ACCOUNT+unguessable-string@gmail.com in place of ACCOUNT@gmail.com – might be enough. With luck (if the site hasn't been too dumb), then when they hit the site with your old/plain address, no email will be generated.
They just remove everything after the + sign then send you an email to your old address saying they updated your info. Then you can login again with the old address but now twofactor is apparently turned on. Very weird.
I suggest changing your email with booking.com to something the attackers wouldn't know.
Using the Gmail option of extending your normal username with '+' something – eg use ACCOUNT+unguessable-string@gmail.com in place of ACCOUNT@gmail.com – might be enough. With luck (if the site hasn't been too dumb), then when they hit the site with your old/plain address, no email will be generated.