
Have you had your IHG Reward Points Hacked?

Old Jun 25, 2016, 1:13 am
  #16  
Original Poster
 
Join Date: Jun 2016
Programs: IHG
Posts: 21
Update; 25 June


After weeks of frustration at IHG Customer Relations not returning calls or emails, I received a telephone call from their legal department.


I do not wish to divulge the details of a private call but I did receive partial restitution of the stolen points. Where IHG and I disagree is on the hacking itself. I maintain my details, including email address, were discovered as a result of the hacker's intrusion into my IHG Rewards Club account; i.e. due to weak security at the site. IHG's contention is that my private email account was hacked and the details used to log in to my Rewards Club account. Hence the partial restitution.


It's difficult to prove conclusively either scenario--although not for want of trying on my part. A shock fact to emerge from the phone call was the revelation that I had been hacked for double the amount of points I had assumed. This is down to me and my failure to keep track of the points accumulation.


So, a partial resolution. And in fairness, IHG did all they could with the facts they had at their disposal.


The nagging issue which keeps me awake at night is how the cursed thief could have ordered eVouchers using my email address. In the absence of any better explanation I have no choice but to accept the hypothesis offered by Scubaccr (above). This in turn tends to support IHG's position. But I have checked with my ISP provider and there is no evidence to suggest my private email account has been hacked. However, as a precaution, I have changed the password and intend to move to a second tier authentication system as suggested by IHG's legal department.


So the mystery of exactly how the account was hacked is my very own Bermuda Triangle.


From now on I will monitor my Rewards Account much more closely.
Cervantes is offline  
Old Jun 25, 2016, 10:23 am
  #17  
 
Join Date: May 2004
Location: SIN (LEJ once a year)
Programs: SQ, LH, BA, IHG Diamond AMB, HH Gold, SLH Indulged, Accor Gold, Hyatt Discoverist
Posts: 7,732
Glad to hear you got at least some points back. Not an ideal outcome, but better than nothing.

The PIN with 4 digits is a joke and IHG is absolutely the last and worst of all major programs on that front. They should get hammered for that left, right and center. I also hate those welcome letters that have your points balance on them and I think a few times even the IHG number. A few times I had other people's letters. I always tear this thing into small pieces and flush them.

My email (Hotmail) has 2FA enabled and while a small nuisance at times, I got the code generating app on my phone and it works well. I recommend it.
demue is offline  
Old Jun 26, 2016, 8:54 pm
  #18  
Original Poster
 
Join Date: Jun 2016
Programs: IHG
Posts: 21
I pressed the point about weak security and pointed out that a 4-digit pin was subject to brute force hacking. The response from the legal dept. was that their system is geared to reject multiple log-in attempts. But I'm unconvinced.
Cervantes is offline  
Old Oct 11, 2016, 8:35 am
  #19  
 
Join Date: Mar 2013
Programs: HHonors Diamond, IHG Plat, Club Carlson Gold, SPG Gold, Marriott Gold
Posts: 316
My IHG account was hacked yesterday; first time ever something like this has happened to me. The thief reset my PIN in the morning then twelve hours later booked a two-night stay in Germany for this weekend using my points. Good thing, I received a reservation confirmation email and I promptly cancelled the reservation.

I changed the email address associated with IHG account and the 4-digit PIN. I'm glad I didn't suffer major inconvenience/loss (knock wood) but this whole experience is unnerving.
Namaste1 is offline  
Old May 25, 2017, 12:45 pm
  #20  
 
Join Date: May 2017
Programs: IHG
Posts: 1
Originally Posted by Cervantes
My IHG Rewards Club account was hacked twice, in April of this year. The two hacks were a week apart. The stolen points were used to purchase eVouchers from the online shopping catalogue. I reported the hack/theft to IHG as soon as I became aware of the fact. However I was informed that IHG would not refund the stolen points as the transactions were 'legitimate'; in other words the hacker used my email address and home address to order the eVouchers.

I checked on the purchase details and found that the only difference was that the hacker used a different phone number than mine (and the one I have listed with IHG). But so far the points have not been refunded. What I find very confusing, and perhaps more knowledgeable members can help with, is how were the hackers able to receive the eVouchers using my email address? The vouchers certainly never came to me, but presumably they were received by the hacker. How?

I suspect that such hacks are frequent given the very poor authentication process employed by IHG. Apparently any password system depending wholly on numbers (membership and pin numbers) can be hacked by a script using brute force to apply thousands of combinations. Once the 9-digit membership number is cracked, the 4-digit pin falls easily.

I would like two things to happen: 1) for IHG to add a password verification tier to membership accounts; and 2) notify members by email of any account activity. I have since joined Award Wallet to try and rectify the second issue.

I do hope I get back the missing points, but am not optimistic based on several phone calls to both IHG and the online store (Maritz).

Has any other IHG member been hacked recently?
Mine was hacked twice in early April this year (76,500 points). I informed them on 20th April - and am still awaiting a response.
Only to find that, this week I've been hacked again. Despite them creating a new account for me - and transferring my remaining points I've had another 26,000 points redeemed this week - but not by me!

The thing I don't get is that if gifts have been sent to an address, then surely that address would have to be the one listed on your account? Therefore easily cross-checked?
Dr Martini is offline  

