Consolidated "Hilton Honors Account Hacked" thread
#61
Join Date: Apr 2005
Posts: 522
Great job sqeakr! Thanks for making the sticky. ^
I for one have been hoping that the HHonorsRepresentative would comment on all the recent hacks. Erin posted the following in the http://www.flyertalk.com/forum/hilto...a-logging.html thread:
Hi there,
Thanks for your question! At this point, CAPTCHA is a long-term solution and has been implemented as an extra security measure for the safety of our members. I am collecting your feedback each day and passing along to my team so they are looped in on the user experience.
Thanks,
Erin
But she makes no mention as to why HH is implementing this extra security measure now.
I'll repeat my questions I posted above:
What other business, where customer loyalty is such a key to success, could have been notified in public in April of serious website security issues (as HH was according to posts in the beginning of this thread), then have encountered multiple data breaches, which were reported in a public forum where their company has a representative present, and then merely add a new security feature to their website, and make no further comment?
When Target was breached, for instance, apologies were issued, discounts were offered.
I'm glad to see that the FTers who were hacked are receiving their points back. But what about the inconveniences they suffered waiting for their accounts to be reopened, not to mention the aggravation and stress I'd imagine accompanied their ordeal. What about the fact that if points could be taken, then addresses, phone numbers, travel habits were also exposed.
I'd like to see HH acknowledge this breach publicly. And I'd like to see HH not just reinstate the stolen points, but offer proper compensation to those that were hacked.
And, of course, I'd like to see HH actually address their website vulnerabilities rather than use a CAPTCHA band-aid that was not designed for the purpose HH is using it for.
Hilton's not some mom-and-pop outfit, after all! Where's Hilton's mea culpa?
I'm re-asking these questions, because if in fact there's been no other reporting of this data breach, then currently HH has been able to come away pretty scot-free. And that just doesn't seem right.
#62
Join Date: May 2012
Programs: Hilton Diamond DL Platinum UA 1K, DL Gold, Marriott Gold
Posts: 500
Completely agree. In another post I outlined 3 hacks in the last 10 days and lost 258,000 points.
They say they'll put them back in but I'll believe it when I see it. I have to open a new email account, new username, new passwords, new pins etc and I have spent $150 calling the Diamond Desk from Thailand as well as wasting valuable hours.
I have the same email on 50 different businesses, banks, airlines etc and never a problem.
And Hilton would like to sweep it under the rug. They have a bunch of incompetents in the IT dept and the Billion $ company has their head in the sand.
Hello Marriott
#64
Join Date: Oct 2008
Location: Ramstein, Germany
Posts: 60
When mine was hacked, they deleted my primary email but forgot to delete my secondary email I had listed on my account. So I got an email stating that my primary address was deleted and it had the email of the user that hacked my account CC'd.
#65
Join Date: May 2012
Programs: Hilton Diamond DL Platinum UA 1K, DL Gold, Marriott Gold
Posts: 500
They instantly re-hacked my account. Called again from Thailand, finally got someone with a brain after 4 overseas calls and I don't know how many hours.
Changed my # while I was on the phone, merged the information and I set up all new passwords, pins, usernames etc.
Hopefully that will work but I have no faith in Hilton, and anyone out there, if you are smart, protect yourself because all your information including credit cards is available to these hackers.
And Hilton is doing nothing!!!
#67
Join Date: Nov 2013
Programs: HH Diamond, IHG Spire, Marriott Gold, AA Plat. Pro
Posts: 400
Mine has been numbers every time so far. Would you prefer that it's easier for your account to be hacked? In the long run eliminating the PINs altogether would be the best idea but that doesn't seem to be the case yet.
#69
Join Date: Jun 2013
Location: STL
Programs: Southwest A+/CP, Hilton Diamond, National Executive Elite
Posts: 170
#70
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
e.g.
3 attempts ok back to back is fine, allows for incorrect entry, especially non-PIN passwords when accidentally I have set keyboard as 'caps on'
if password attempts 1-3 invalid, force wait 30 minutes before being allowed another 3x retry password attempts
if 4th-6th password attempts invalid, force wait 2 hours before allowed retry password 3x again
(and keep to this 2 hour delay thereafter)
AND when you legitimately log on with next good password, HH can flash up on screen message like
"nn Unsuccessful login attempts since last logon" to warn of attempted hack attempts.
#71
FlyerTalk Evangelist
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others
Posts: 12,159
That doesn't work at all: they get 1,000,000 account numbers, and try each one with one PIN. On average, they'll crack about 100 of them, without trying any account twice.
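Added example, not code from the thread or from Hilton: the escalating per-account lockout proposed in post #70, including the "unsuccessful attempts since last logon" counter, replayed over a constructed login stream together with a cross-account check for the case post #71 raises, where one PIN is tried once per account and no per-account lock ever triggers. The addresses, account numbers, 20-account threshold and 10-minute window are assumed values.

```python
from collections import defaultdict, deque

def wait_after(failures):
    """Post #70's schedule: 3 tries free, then 30 min, 3 more, then 2 h (and 2 h thereafter)."""
    if failures % 3:
        return 0
    return 30 * 60 if failures == 3 else 2 * 3600

class AccountLockout:
    """Per-account escalating lockout plus the 'N unsuccessful attempts since last logon' counter."""
    def __init__(self):
        self.failed = defaultdict(int)          # consecutive failures per account
        self.locked_until = defaultdict(float)  # epoch seconds
        self.since_logon = defaultdict(int)     # failures to report at the next good login

    def attempt(self, acct, ok, now):
        if now < self.locked_until[acct]:
            return "locked"
        if ok:
            n = self.since_logon[acct]
            self.failed[acct] = self.since_logon[acct] = 0
            return ("ok", n)                    # show "n unsuccessful login attempts since last logon"
        self.failed[acct] += 1
        self.since_logon[acct] += 1
        self.locked_until[acct] = now + wait_after(self.failed[acct])
        return "fail"

def replay(events, threshold=20, window=600):
    """events: (ts, source, account, password_ok) -> (per-attempt outcomes, flagged sources).
    Post #71's gap: one PIN tried once per account never trips a per-account lock, so also
    flag any source that fails against >= threshold distinct accounts within window seconds."""
    guard, recent, flagged, log = AccountLockout(), defaultdict(deque), set(), []
    for ts, src, acct, ok in events:
        r = guard.attempt(acct, ok, ts)
        log.append((ts, acct, r))
        if r != "fail":
            continue
        q = recent[src]                         # (timestamp, account) pairs per source
        q.append((ts, acct))
        while ts - q[0][0] > window:
            q.popleft()
        if len({a for _, a in q}) >= threshold:
            flagged.add(src)
    return log, flagged

# Constructed sample (hypothetical addresses and account numbers): one client hammering
# account 1001, one client trying 25 accounts once each, then 1001's owner logging in.
SAMPLE = [(t, "10.0.0.5", "1001", False) for t in range(8)]
SAMPLE += [(100 + i, "10.0.0.9", str(2000 + i), False) for i in range(25)]
SAMPLE += [(5000, "203.0.113.7", "1001", True)]
```

In the replay the single hammered account locks after its third failure and its owner later sees "3 unsuccessful login attempts", while the client spreading failures across 25 accounts never locks anything and is caught only by the cross-account count.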
#72
Join Date: Aug 2012
Location: New York
Posts: 158
With 4-digit numeric pins, solution is easy enough.... HH can simply stop brute strength attacks by implementing an increasing interval after nn failed password attempts.
e.g.
3 attempts ok back to back is fine, allows for incorrect entry, especially non-PIN passwords when accidentally I have set keyboard as 'caps on'
if password attempts 1-3 invalid, force wait 30 minutes before being allowed another 3x retry password attempts
if 4th-6th password attempts invalid, force wait 2 hours before allowed retry password 3x again
(and keep to this 2 hour delay thereafter)
AND when you legitimately log on with next good password, HH can flash up on screen message like
"nn Unsuccessful login attempts since last logon" to warn of attempted hack attempts.
#73
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
HH system would be controlling the 30min/120min password entry lock; this methodology is widely used elsewhere when using simple 4x numeric passwords (and sometimes even password entry), not some cookies on the member's browser.
The other post saying hackers will try 1,000,000 accounts with same password presupposes a list of 1 million good account numbers; a randomly created list of a million accounts will not be possible.
Also 4-numeric passwords are not randomly distributed, users need values easier to remember, often dates (not necessarily birthdays/anniversary dates though) so nnnn is often aa + bb where aa=1-12/1-31 and bb=1-12/1-31 and in effect less than 20% of possible number PIN combos account for 80% of actual PIN numbers.
#74
Join Date: Dec 2013
Programs: NZ Airpoints GE, Qantas Platinum, Accor Diamond, Hilton Diamond
Posts: 968
Sign-in is pretty useless these last three days for me.
Enter my password (number) and Captcha words (they seem to have stopped number pictures) and upon signing in I get the session expired page. Start again and same outcome. I have made six personal reservations despite this carry-on and am trying to give them a seventh business travel booking.
As I live in New Zealand my most active time on the Hilton website usually tends to be when they assume most are asleep, so I often bump into site maintenance signs, too.
#75
Join Date: Oct 2014
Posts: 2
Hi, everyone.
I made an account on this forum to make you all aware of a blackhat forum where the selling of your cracked Hilton HHonors accounts are bought and sold.
I am a member of said forum, but I think that it is wrong that they are doing this to you all.
The website is http://leakforums.org or http://leak.sx. They're both the same website. Now, you'll have to create an account on the forum and then visit this forum thread http://leakforums.org/thread-367084. You can't see it without first making an account.
The thread looks like this
Post: #1(This post was last modified: 10-27-2014 12:58 AM by Imperfectluck.) The Cheapest HHonor Hilton Bulk Available FAST and ONLINE
Currently Stocked on HHonorHilton accounts!
You can view what you can get with how many points by looking here, Points Catalogue. Remember these are cracked accounts, that's why they are cheap, most of them have been inactive and all are checked and I know exactly how much is in which. View things you could buy is say with 30k point account you can get a $50 Giftcard etc, for those who all don't know about HHonor Hilton. I'm pretty active so expect fast accounts, all are checked and I know how much are in which.
Payments BTC/PP only
30k-39k - $1.50 cents.
40k-49k - $2
50k-59k - $2.50
60k-69k - $3
70k-79k - $3.50
80k-89k - $4
90k-100k - $4.50
Please Post here then send me a PM. prices could vary.
T.O.S
1. I am not responsible for what you choose to do with the accounts after purchase.
2. If account does not work moments after purchase a refund will be issued or replaced with a new account.
The name of this seller is Imperfectluck.
Maybe presentation of some of this stuff to Hilton will make them a bit more motivated to fix things.