FlyerTalk Forums - View Single Post - Important information regarding your IHG Rewards Club account
Old Aug 9, 2017 | 12:49 am
  #1  
DuMaInSin
15 Years on Site
Join Date: Feb 2009
Location: Netherlands
Programs: IHG Diamond/Amb, GHA Titanium, BW Diamond Select
Posts: 706
Important information regarding your IHG Rewards Club account

This morning I received the following email:

Important information regarding your IHG Rewards Club account

Dear [DuMaInSin],

IHG® takes the security of member information very seriously and we are committed to protecting the privacy and security of our members’ information.

In line with best practice, we’ve recently updated some of our security processes by requiring a PIN reset.

For convenience, we have reset the PIN on your IHG Rewards Club® account. You can retrieve your new PIN now by accessing www.ihg.com and under “Sign in” choosing the ‘Retrieve PIN’ option.

We recommend that you then change to a PIN of your choice, and you may do so through the IHG Rewards Club® website.

Sincerely,
David Canty
Vice President, Global Loyalty Programmes
I followed the instructions and only had to provide my account number and email address, after which a new PIN code was sent by email. I could log on to my account using this PIN code. Somewhere in the process I also needed to type in my last name. After a successful logon with the PIN code which was sent by email I was NOT forced to change it. That was just a recommendation in the original email. Of course I DID change it.

I don't know whether this email was just sent to me. Last week my account was blocked due to too many incorrect logon attempts (obviously not by me). This was resolved by the Ambassador help desk when I called them. After my call I could log on with my original PIN code again. I did not change it - whoever tried to log on was unsuccessful, so why change the PIN code? I did not use anything as obvious as 0000, 1234 or 1111.

I am really wondering what is happening here. The Ambassador help desk agent did not seem surprised at all when I told her my account was locked. She mentioned they were having "some system issues".

Well, yes, they definitely do. IHG has implemented an insecure access verification method, sends out PIN codes by email instead of a password reset link, and likely keeps an unencrypted list of all account numbers and passwords somewhere on a server.

This is really worrying me. The value of the points in my account is higher than what I usually have in my bank account (well not according to IHG because their t&c's state that "points have no value") yet IHG is unable (unwilling?) to put reasonable protection methods in place.
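The post contrasts what IHG did (email the new PIN itself, let the user log in with it, and apparently keep PINs retrievable in the clear) with the usual alternative of a reset link. The following is an added example, not IHG's code and not from the original post, of how the reset-link approach works in practice: the server emails a random single-use token, stores only a hash of that token with an expiry, and on redemption forces the member to set a new PIN, which is stored salted and hashed rather than in a form that can be read back. All names here (`ResetTokenStore`, `issue_reset_token`, `complete_reset`, `set_pin`, `verify_pin`, the 15-minute lifetime, the PBKDF2 iteration count) are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example (not IHG's).
TOKEN_TTL_SECONDS = 15 * 60        # reset link is valid for 15 minutes
PBKDF2_ITERATIONS = 200_000        # work factor for PIN hashing


def _hash_token(token: str) -> str:
    """Tokens are high-entropy, so a plain SHA-256 is enough to make the
    stored copy useless to anyone who reads the database."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """In-memory map of token_hash -> (account_id, expires_at).
    Only the hash is ever stored; the raw token exists only in the email."""
    def __init__(self):
        self._tokens = {}


def issue_reset_token(store: ResetTokenStore, account_id: str, now=None) -> str:
    """Create the secret that goes into the emailed link. The caller is
    expected to put it in a URL; the server keeps just its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits, unguessable
    store._tokens[_hash_token(token)] = (account_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(store: ResetTokenStore, token: str, now=None):
    """Return the account id if the token is known, unexpired and unused.
    pop() consumes it, so a link captured later cannot be replayed."""
    now = time.time() if now is None else now
    entry = store._tokens.pop(_hash_token(token), None)
    if entry is None:
        return None
    account_id, expires_at = entry
    if now > expires_at:
        return None
    return account_id


def set_pin(credentials: dict, account_id: str, pin: str) -> None:
    """Store a salted PBKDF2 hash of the PIN. There is no way to 'retrieve'
    the PIN afterwards, which is the point: a leaked table reveals nothing."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    credentials[account_id] = {"salt": salt, "hash": digest}


def verify_pin(credentials: dict, account_id: str, pin: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = credentials.get(account_id)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def complete_reset(store: ResetTokenStore, credentials: dict,
                   token: str, new_pin: str, now=None) -> bool:
    """The reset-link landing page: a valid token lets the member choose a
    new PIN, and nothing else. The member never logs in with a mailed PIN."""
    account_id = redeem_reset_token(store, token, now)
    if account_id is None:
        return False
    set_pin(credentials, account_id, new_pin)
    return True


if __name__ == "__main__":
    # Constructed walkthrough: issue a link, redeem it once, then show that
    # replaying the same token and using an expired one both fail.
    store, creds = ResetTokenStore(), {}
    link_token = issue_reset_token(store, "acct-0001", now=1000.0)
    print("reset ok:", complete_reset(store, creds, link_token, "4821", now=1100.0))
    print("replay ok:", complete_reset(store, creds, link_token, "9999", now=1100.0))
    print("pin check:", verify_pin(creds, "acct-0001", "4821"),
          verify_pin(creds, "acct-0001", "0000"))
```

Two details map directly onto the complaints in the post: because the emailed secret is a one-time token rather than the PIN, whoever reads the email gets at most a short window to set a new PIN and must do so before the owner does, and because `verify_pin` only ever compares hashes, there is no plaintext list of PINs for a server compromise to expose.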