A recent spate of fraud involving travel rewards accounts appears to be tied to hackers exploiting the reuse of passwords across accounts.
In the wake of the latest security breach of Starwood Preferred Guest accounts, security experts are urging consumers to use unique username and password credentials for each and every online account. Journalist and Internet security expert Brian Krebs warns that the recent attacks at Starwood can be traced to account holders using the same credentials across multiple online accounts.
“The spike in fraud appears to be tied to a combination of password re-use and the release of a tool that automates the checking of account credentials at the website for the popular travel rewards program,” Krebs wrote on his blog, KrebsOnSecurity.com.
Krebs reports that the Starwood fraud coincides with the release of a hacking tool that specifically targets Starwood accounts. The automated tool, published on the hacker forum LeakForums.com, allows even low-level hackers to match passwords gleaned from other websites with Starwood rewards accounts. LeakForums.com also provides tips on how to disable security alerts designed to tip off account holders that fraudulent activity is occurring.
Starwood Vice President Chris Holdren told Krebs that the recent attacks against Starwood mirror similar attacks against rewards programs, including Hilton HHonors, American Airlines AAdvantage and United Airlines MileagePlus.
“They appear to be using credentials from elsewhere and seeing how many of those match up to Starwood accounts to see how many hits they can get,” said Holdren, adding that Starwood will work closely with members to restore affected accounts. “Not one guest is going to lose even a single Starwood point through this activity.”