I had to call HH the other day and the call was escalated to a supervisor at my request (it was a matter of an award stay, nothing to do with the hacking).

She asked my name and account number. Then she asked for my PIN. I said I'd rather not give that out what with all the recent data breaches at HH. She said she was just using it to confirm my identity. So she asked for my street address instead.

So fact, not rumor, she had access to my PIN.