Consolidated "Hilton Honors Account Hacked" thread
#301
Moderator: Hilton Honors forums
Join Date: Dec 2002
Location: Marietta, Georgia, United States
Posts: 24,997
Canarsie, I believe your advice is spot-on, and I have no better alternatives to offer. On the other hand, I believe your advice would not work in all situations, due to disinterested or dysfunctional organizations. I also noted that I might, in a situation where a large number of points disappeared, panic and take some action, even if that action might turn out to be against my interest, and I would not be surprised if others might act similarly.
...and my initial thought is that if a company is so disinterested or dysfunctional to the point that it is more of a disadvantage than a benefit to me, I might perhaps reconsider conducting business with that company if I have other options available to me.
Fortunately — by my experience, anyway — Hilton is not one of those companies...
#302
FlyerTalk Evangelist
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Canarsie, I believe your advice is spot-on, and I have no better alternatives to offer. On the other hand, I believe your advice would not work in all situations, due to disinterested or dysfunctional organizations. I also noted that I might, in a situation where a large number of points disappeared, panic and take some action, even if that action might turn out to be against my interest, and I would not be surprised if others might act similarly.
Yes, the sooner you report the issue the easier it would be to track down the culprit, but so far, all reports I've read have resulted in the points being returned. If you have a need to use those points soon, you may have problems getting them to advance what is expected to be returned, but worth asking.
#303
Join Date: Jul 2015
Posts: 7
My guess (hope) is that you got a disinterested agent. Some companies do hide their internal groups, like security, from the customer. This leaves us to deal with someone that has no say in what the other group does or when, and if they have no means to access them or put you in touch with them it's bad. If you were able to reach out to the agent working your case, I'd bet your experience would be much better.
Yes, the sooner you report the issue the easier it would be to track down the culprit, but so far, all reports I've read have resulted in the points being returned. If you have a need to use those points soon, you may have problems getting them to advance what is expected to be returned, but worth asking.
Loyalty programs are membership benefits being adapted and built up more by many companies for their loyal customers, and early adopters of these programs have large amounts of credit that is being targeted by cyber criminals. I hope to see more safeguards around these programs to protect the digital assets of their members.
#304
Join Date: May 2004
Location: formerly Gold now Diamond, formerly MSY, now LAX, formerly NW, now DL
Programs: Hyatt Plat, Hilton Gold, SPG Gold, Delta Diamond/1MM
Posts: 4,635
Account Hacked! 58k points transferred
So has anyone had their Hilton account broken into? I got an email saying that I had transferred 58k points to another account, which I didn't. I've called to report it and a case was started (though I didn't get the follow-up email yet for the affidavit). Anyone know how long it takes to get your points back? I was looking to use them and now it's all gone (hopefully for now)!
#306
FlyerTalk Evangelist
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
So has anyone had their Hilton account broken into? I got an email saying that I had transferred 58k points to another account, which I didn't. I've called to report it and a case was started (though I didn't get the follow-up email yet for the affidavit). Anyone know how long it takes to get your points back? I was looking to use them and now it's all gone (hopefully for now)!
#310
Join Date: Dec 2016
Posts: 246
Information from more than a dozen people in Hilton Honors Customer Care, the Diamond Desk and Guest Assistance indicates that there has been a substantial uptick in theft of points over the past couple of weeks and that the fraud was in most cases carried out through points.com. Hilton seems to be following their usual procedure of looking into the cases and refunding the points within two weeks. However, no word at all from the company of the extent of the fraud.
Neither have they made any public mention of it, or what members who escaped harm this time might do to protect themselves from an attack using the same method or something similar. I understand they've asked people who had points stolen to change the preferred email address on their account. There also does not appear to be any movement toward enhancing security on Honors accounts beyond the current requirement of an online password, or, in the case of phone contact, verifying the member's name plus two of their email address, phone number or Honors account number.
#312
Join Date: Dec 2016
Posts: 246
1) The points.com route for the recent theft of points appears to be combined with or in addition to an exploit of the new points pooling function. Multiple target Honors accounts are set to share points with [what is probably] a perpetrator's account from which the points are then redeemed.
2) Hilton announced to their reps today that the tie-up with Amazon that will allow Honors points to be used on Amazon is now delayed indefinitely. I think it no coincidence. It appears likely that the recent wave of thefts was a test run and that a much larger exploit would be unleashed once the stolen points could be used on Amazon.
#313
Join Date: Feb 2013
Programs: Hilton Diamond
Posts: 4,252
Two further updates from reps at Hilton:
1) The points.com route for the recent theft of points appears to be combined with or in addition to an exploit of the new points pooling function. Multiple target Honors accounts are set to share points with [what is probably] a perpetrator's account from which the points are then redeemed.
2) Hilton announced to their reps today that the tie-up with Amazon that will allow Honors points to be used on Amazon is now delayed indefinitely. I think it no coincidence. It appears likely that the recent wave of thefts was a test run and that a much larger exploit would be unleashed once the stolen points could be used on Amazon.
#314
FlyerTalk Evangelist
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Information from more than a dozen people in Hilton Honors Customer Care, the Diamond Desk and Guest Assistance indicates that there has been a substantial uptick in theft of points over the past couple of weeks and that the fraud was in most cases carried out through points.com. Hilton seems to be following their usual procedure of looking into the cases and refunding the points within two weeks. However, no word at all from the company of the extent of the fraud.
Neither have they made any public mention of it, or what members who escaped harm this time might do to protect themselves from an attack using the same method or something similar. I understand they've asked people who had points stolen to change the preferred email address on their account. There also does not appear to be any movement toward enhancing security on Honors accounts beyond the current requirement of an online password, or, in the case of phone contact, verifying the member's name plus two of their email address, phone number or Honors account number.
With many sites now using an email address as the account name, it's not far-fetched to think the user will use their email password for access. This causes a cascading failure should they get hacked. Personally, I use separate addresses for each account even if it's not the username so I can see who's feeding my address to spammers.
#315
Join Date: Jul 2015
Programs: HH Diamond, HGVC, WN RR, National Exec, Avis Preferred
Posts: 1,055
Information from more than a dozen people in Hilton Honors Customer Care, the Diamond Desk and Guest Assistance indicates that there has been a substantial uptick in theft of points over the past couple of weeks and that the fraud was in most cases carried out through points.com. Hilton seems to be following their usual procedure of looking into the cases and refunding the points within two weeks. However, no word at all from the company of the extent of the fraud.
Neither have they made any public mention of it, or what members who escaped harm this time might do to protect themselves from an attack using the same method or something similar. I understand they've asked people who had points stolen to change the preferred email address on their account. There also does not appear to be any movement toward enhancing security on Honors accounts beyond the current requirement of an online password, or, in the case of phone contact, verifying the member's name plus two of their email address, phone number or Honors account number.