Honors Account Depleted by Hacker in Kuala Lumpur
#1
Original Poster
Join Date: Dec 2007
Location: SYR
Programs: US/AA-Platinum, Hilton-Diamond, Marriott-Gold, AVIS-Presidents Club, National-Executive Elite
Posts: 2,755
Honors Account Depleted by Hacker in Kuala Lumpur
Hi - maybe this isn't new news, but I thought I'd post it here anyway.
Last night, my HHonors account was depleted by someone who logged into my account and changed my email address. They then went onto the HHonors Marketplace, bought themselves some Samsung equipment, and set it to ship to Kuala Lumpur.
The HHonors website sent me an email when my email was changed (presumably they send it to both the new and the old email address). When I saw the email this morning, I called the Diamond line and they worked with their marketplace provider to investigate it.
At first, they were skeptical about me (I had to answer their security questions several times). After about 10 minutes on hold, the Diamond agent came back and said their marketplace provider would stop the transaction, and refund me the points in 2-3 days.
Here's a screenshot of the order. Gotta love it.
#3
Original Poster
Join Date: Dec 2007
Location: SYR
Programs: US/AA-Platinum, Hilton-Diamond, Marriott-Gold, AVIS-Presidents Club, National-Executive Elite
Posts: 2,755
#4
Join Date: Jun 1999
Location: NYC/LA
Programs: DL Plat, AA Plat Pro, Marriott Titanium, IHG Diamond Amb
Posts: 7,479
Hopefully this was an isolated case and they don't have the log-in credentials to a number of HHonors accounts.
Club Carlson suffered a similar breach not too long ago... apparently it was bad enough that for a while you couldn't change any profile information online (you had to call in to do that), and shortly after they required that everyone create new extra-strict passwords.
#5
Original Poster
Join Date: Dec 2007
Location: SYR
Programs: US/AA-Platinum, Hilton-Diamond, Marriott-Gold, AVIS-Presidents Club, National-Executive Elite
Posts: 2,755
[Follow-Up]
In case anyone was interested, HHonors did a great job at solving this.
Within 2 days, I was given a new HHonors number and PIN, and my current username and password were blacklisted. All my transactions, points, reservations, etc. were converted over to the new number. And of course the 635,000 points that were stolen were returned.
Life is good.
#6
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Hopefully this was an isolated case and they don't have the log-in credentials to a number of HHonors accounts.
Club Carlson suffered a similar breach not too long ago... apparently it was bad enough that for a while you couldn't change any profile information online (you had to call in to do that), and shortly after they required that everyone create new extra-strict passwords.
This means a four-digit (nnnn) PIN exists even if you don't want it, so if someone spots that you have 100k's of HH points, the account can be cracked, as there are only 10,000 combinations, and the stronger, longer password is not needed by said hacker. I assume the hacker spotted your high balance somehow, as I don't think a hacker wastes his time trying loads of random account numbers to find an HH account with a very high balance.
Nice to know HH emails the original email address for account changes like this.
In summer 2012 IHG had several such frauds and handled them very poorly; fundamentally, IHG did not email the "old" (changed) email address, so the thieves got emailed untraceable US$200 gift vouchers galore. Worse, IHG accused account owners of being at fault or of trying to defraud IHG!
#7
Join Date: Nov 2002
Location: UK
Posts: 815
I use a password for my HH account, but when I rang the HH desk, the phone system wants (from memory) you to enter a random 2 of 4 digits of your PIN.
This means a four-digit (nnnn) PIN exists even if you don't want it, so if someone spots that you have 100k's of HH points, the account can be cracked, as there are only 10,000 combinations, and the stronger, longer password is not needed by said hacker.
Won't the account lock you out after trying the PIN several times?
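The 10,000-combination arithmetic and the lockout question above, as an added illustration that is not code from the thread or from Hilton: a toy PIN verifier that counts consecutive failures, run once with no attempt limit and once with a lockout, to show how much of the four-digit PIN space an online guesser is allowed to cover under each policy. The lockout threshold of 5 and the sample PIN are assumed values, not anything the thread states about the real system.

```python
# Added illustration (not code from the thread or from Hilton): a toy
# account-PIN check with a failed-attempt lockout, measuring how much of the
# 10,000-value four-digit PIN space an online guesser can cover under each
# policy. MAX_ATTEMPTS and the sample PIN below are assumed values.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PIN_SPACE = 10_000   # four decimal digits: "0000" .. "9999"
MAX_ATTEMPTS = 5     # assumed lockout threshold; None means "no lockout"


class PinAccount:
    """Stores a salted hash of the PIN and counts consecutive failures."""

    def __init__(self, pin: str, max_attempts: Optional[int] = MAX_ATTEMPTS) -> None:
        if len(pin) != 4 or not pin.isdigit():
            raise ValueError("PIN must be exactly four decimal digits")
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._digest(pin)
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    def _digest(self, pin: str) -> bytes:
        # A slow KDF cannot rescue a 4-digit secret (10,000 x cost is still
        # cheap), so a salted SHA-256 is used only to avoid storing the PIN
        # in clear; the attempt limit is what actually protects the account.
        return hashlib.sha256(self.salt + pin.encode()).digest()

    def verify(self, guess: str) -> bool:
        """Return True only for the right PIN on an unlocked account."""
        if self.locked:
            return False
        if hmac.compare_digest(self._digest(guess), self.pin_hash):
            self.failed = 0
            return True
        self.failed += 1
        if self.max_attempts is not None and self.failed >= self.max_attempts:
            self.locked = True   # further answers are refused until a reset
        return False


def guesses_allowed(account: PinAccount) -> Tuple[int, bool]:
    """Defensive measurement of a policy: walk the PIN space in order and
    report (guesses the account answered, whether the PIN was reached).
    Without a lockout the PIN is always reached within 10,000 guesses;
    with a lockout the account goes silent after max_attempts failures."""
    for n in range(PIN_SPACE):
        if account.locked:
            return n, False
        if account.verify(f"{n:04d}"):
            return n + 1, True
    return PIN_SPACE, False


if __name__ == "__main__":
    pin = "7391"   # constructed sample PIN
    print("no lockout  :", guesses_allowed(PinAccount(pin, max_attempts=None)))
    print("lock after 5:", guesses_allowed(PinAccount(pin)))
```

Run as a script it prints the two measurements side by side: with no limit the verifier answers every one of the 7,392 guesses needed to reach the sample PIN, while with the assumed lockout it stops answering after 5 failures, which is why the lockout question is the right one to ask about a four-digit secret.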
#8
Join Date: Apr 2005
Posts: 522
I use a password for my HH account, but when I rang the HH desk, the phone system wants (from memory) you to enter a random 2 of 4 digits of your PIN.
This means a four-digit (nnnn) PIN exists even if you don't want it, so if someone spots that you have 100k's of HH points, the account can be cracked, as there are only 10,000 combinations, and the stronger, longer password is not needed by said hacker. I assume the hacker spotted your high balance somehow, as I don't think a hacker wastes his time trying loads of random account numbers to find an HH account with a very high balance...
What you uncovered was reported in the thread linked below (the 4-digit PIN and your account number also still work online even after you create a stronger/longer password and a custom user ID), but unfortunately, even with the help of Anthony, nothing has yet been rectified in terms of the safety of our online accounts:
http://www.flyertalk.com/forum/hilto...-security.html