Honors Account Depleted by Hacker in Kuala Lumpur

Honors Account Depleted by Hacker in Kuala Lumpur

Old Aug 4, 2014, 12:15 pm
  #1  
Original Poster
 
Join Date: Dec 2007
Location: SYR
Programs: US/AA-Platinum, Hilton-Diamond, Marriott-Gold, AVIS-Presidents Club, National-Executive Elite
Posts: 2,755
Honors Account Depleted by Hacker in Kuala Lumpur

Hi - maybe this isn't new news, but thought I'd post it here anyway.

Last night, my hhonors account was depleted by someone who logged into my account, and changed my email address. And then went onto the HHonors Marketplace, and bought themselves some Samsung equipment, and set it to ship to Kuala Lumpur.

The HHonors website sent me an email when my email was changed (presumably they send it to both new and old email). When I saw the email this morning, I called the Diamond line and they worked with their marketplace provider to investigate it.

At first, they were skeptical about me (I had to answer their security questions several times). After about 10 minutes on hold, the Diamond agent came back and said their marketplace provider would stop the transaction, and refund me the points in 2-3 days.

Here's a screenshot of the order. Gotta love it.

bkafrick is offline  
Old Aug 4, 2014, 1:06 pm
  #2  
 
Join Date: Jan 2003
Posts: 3,784
It is a crime! I mean those redemption rates! 462k+ points for a Galaxy Note 3 that is under $600?
Need is offline  
Old Aug 4, 2014, 1:11 pm
  #3  
Original Poster
 
Join Date: Dec 2007
Location: SYR
Programs: US/AA-Platinum, Hilton-Diamond, Marriott-Gold, AVIS-Presidents Club, National-Executive Elite
Posts: 2,755
Originally Posted by Need
It is a crime! I mean those redemption rates! 462k+ points for a Galaxy Note 3 that is under $600?
I tried telling her that it was impossible it was me, because I would never buy Android junk and I'm an iOS guy... she laughed a bit.
bkafrick is offline  
Old Aug 4, 2014, 2:02 pm
  #4  
dw
 
Join Date: Jun 1999
Location: NYC/LA
Programs: DL Plat, AA Plat Pro, Marriott Titanium, IHG Diamond Amb
Posts: 7,479
Hopefully this was an isolated case and they don't have the log-in credentials to a number of HHonors accounts.

Club Carlson suffered a similar breach not too long ago... apparently it was bad enough that for awhile, you couldn't change any profile information online (you had to call in to do that), and shortly after they required that everyone create new extra-strict passwords.
dw is online now  
Old Aug 9, 2014, 10:57 am
  #5  
Original Poster
 
Join Date: Dec 2007
Location: SYR
Programs: US/AA-Platinum, Hilton-Diamond, Marriott-Gold, AVIS-Presidents Club, National-Executive Elite
Posts: 2,755
[Follow-Up]

In case anyone was interested, HHonors did a great job at solving this.

Within 2 days, I was given a new HHonors Number, and PIN, and my current username and password were blacklisted. All my transactions, points, reservations, etc. were converted over to the new number. And of course the 635,000 points that were stolen were returned.

Life is good.
bkafrick is offline  
Old Aug 9, 2014, 1:56 pm
  #6  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Originally Posted by dw
Hopefully this was an isolated case and they don't have the log-in credentials to a number of HHonors accounts.

Club Carlson suffered a similar breach not too long ago... apparently it was bad enough that for awhile, you couldn't change any profile information online (you had to call in to do that), and shortly after they required that everyone create new extra-strict passwords.
I use a password for my HH account but when I rang HH Desk, the phone system wants (from memory) you to enter a random 2 of 4 digits of your PIN number.

This means a nnnn-number PIN exists even if you don't want it, so if someone spots you have 100k's of HH points, the account can be cracked as there are only 10,000 combinations, and the stronger, longer password is not needed by said hacker. I assume the hacker spotted your high balance somehow, as I don't think a hacker wastes his time trying loads of random account numbers to find an HH account with a very high balance.

Nice to know HH email original email address for account changes like this.

In Summer 2012 IHG had several such frauds and handled them very poorly, and fundamentally IHG did not email the "old" changed email address, so the thieves got emailed US$200 untraceable gift vouchers galore. Worse, IHG accused account owners of being at fault or trying to defraud IHG!
scubaccr is offline  
Old Aug 9, 2014, 3:25 pm
  #7  
 
Join Date: Nov 2002
Location: UK
Posts: 815
Originally Posted by scubaccr
I use a password for my HH account but when I rang HH Desk, the phone system wants (from memory) you to enter a random 2 of 4 digits of your PIN number.

This means a nnnn-number PIN exists even if you don't want it, so if someone spots you have 100k's of HH points, the account can be cracked as there are only 10,000 combinations, and the stronger, longer password is not needed by said hacker.
Yes, the PIN number still works on the account even if you only use your password (just like UA MileagePlus).

Won't the account lock you out after trying the PIN several times?
kilo is offline  
Old Aug 11, 2014, 1:04 pm
  #8  
JBD
 
Join Date: Apr 2005
Posts: 522
Originally Posted by scubaccr
I use a password for my HH account but when I rang HH Desk, the phone system wants (from memory) you to enter a random 2 of 4 digits of your PIN number.

This means a nnnn-number PIN exists even if you don't want it, so if someone spots you have 100k's of HH points, the account can be cracked as there are only 10,000 combinations, and the stronger, longer password is not needed by said hacker. I assume the hacker spotted your high balance somehow, as I don't think a hacker wastes his time trying loads of random account numbers to find an HH account with a very high balance...
This is indeed extremely disconcerting that a company as large as Hilton has such atrocious security protocols.

What you uncovered was reported in the thread linked below (the 4-digit PIN and your account number also still work online even after you create a stronger/longer password and custom user ID), but unfortunately, even with the help of Anthony, nothing has yet been rectified in terms of the safety of our online accounts:

http://www.flyertalk.com/forum/hilto...-security.html
JBD is offline  
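The two defensive controls this thread keeps circling back to are the ones that limited the damage for the original poster and that kilo and JBD ask about: a failed-attempt lockout on a short numeric PIN, and a change-of-contact notification that goes to the old address as well as the new one. The following is an added illustration written for this thread, not code from Hilton or any loyalty program; the account numbers, PIN, emails, attempt limit and lockout window are all made up for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Policy constants (assumed values for the example, not any program's real policy)
MAX_FAILED_ATTEMPTS = 5          # lock the account after this many wrong PINs in a row
LOCKOUT_SECONDS = 15 * 60        # how long the account stays locked


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database does not hand out the 4-digit PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    number: str
    email: str
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0
    # (recipient, message) pairs; a real system would send email instead of appending here
    notifications: list = field(default_factory=list)


class AccountService:
    """Toy account store with PIN lockout and dual-address change notifications."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so the behaviour can be tested without sleeping
        self.accounts: dict[str, Account] = {}

    def create(self, number: str, email: str, pin: str) -> Account:
        salt = secrets.token_bytes(16)
        acct = Account(number, email, salt, hash_pin(pin, salt))
        self.accounts[number] = acct
        return acct

    def verify_pin(self, number: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the right PIN."""
        now = self.clock()
        acct = self.accounts.get(number)
        if acct is None:
            hash_pin(pin, b"\x00" * 16)   # do the same work so timing does not reveal valid numbers
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(acct.pin_hash, hash_pin(pin, acct.pin_salt)):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            acct.notifications.append(
                (acct.email, "Your account was locked after repeated failed PIN attempts."))
            return "locked"
        return "denied"

    def change_email(self, number: str, new_email: str) -> None:
        """Notify BOTH the old and the new address, so the legitimate owner sees the change."""
        acct = self.accounts[number]
        old_email = acct.email
        acct.email = new_email
        msg = f"The email address on account {number} was changed from {old_email} to {new_email}."
        acct.notifications.append((old_email, msg))
        acct.notifications.append((new_email, msg))


if __name__ == "__main__":
    svc = AccountService()
    svc.create("00012345", "owner@example.com", "4821")
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        print(guess, svc.verify_pin("00012345", guess))
    print("correct PIN while locked:", svc.verify_pin("00012345", "4821"))
    svc.change_email("00012345", "new@example.com")
    for recipient, message in svc.accounts["00012345"].notifications:
        print(recipient, "<-", message)
```

The per-account lockout is what answers kilo's question: with it in place, five wrong guesses freeze the account for the lockout window, and even the correct PIN is refused until it expires, so 10,000 combinations can no longer be walked through on one account. It is not sufficient on its own for a public login or phone system; a rate limit per calling source and a challenge step after a lockout belong alongside it, and the PIN should not stay accepted as an alternative credential once the member has set a stronger password, which is the gap JBD describes.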
Old Aug 11, 2014, 3:40 pm
  #9  
 
Join Date: Nov 2013
Programs: HH Diamond, IHG Spire, Marriott Gold, AA Plat. Pro
Posts: 400
IHG is the same way as well. Delta is too I believe.
HansGruber is offline  