A security breach has left Hilton HHonors rewards members susceptible to stolen points and fraudulent credit card charges.
Hilton HHonors is at the center of a security crisis. According to reports and testimony from FlyerTalk readers, hackers are finding their way into HHonors member accounts, stealing points, and using registered credit cards to make unauthorized purchases of more points and hotel stays.
One of the worst incidents so far involved a Canadian man, Brendan Brothers. According to a report from Krebs on Security, a security and cybercrime news site run by former Washington Post staffer Brian Krebs, Brothers’ account was hacked in the last week of September. Brothers claims the hackers stole about 250,000 points and used his account to redeem hotel stays on the East Coast. Brothers’ stored credit card was then allegedly used to purchase more rewards points.
To add insult to injury, many of the hacked points are being sold online at an extremely deep discount—30,000 to 39,000 points are going for $1.50, and 90,000 to 100,000 points cost only $4.50. The website selling the points is up-front about the purchase, noting that the points are from cracked accounts. The site also says the points came from inactive accounts, which is untrue, as HHonors points disappear without yearly account activity.
Even after the October 8 integration of a CAPTCHA system on Hilton HHonors’ website, loyalty program members are still finding their points stolen. The source of the hack, as well as the method hackers are using to break into the accounts, is still unclear.
Hilton HHonors has yet to release any kind of public statement regarding this ongoing issue, but program members should consider logging in to their accounts and checking for discrepancies in the amount of earned rewards points. Members should also keep an eye on their bank accounts for fraudulent charges.