FlyerTalk Forums

FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Hilton | Hilton Honors (https://www.flyertalk.com/forum/hilton-hilton-honors-417/)
-   -   Consolidated "Hilton Honors Account Hacked" thread (https://www.flyertalk.com/forum/hilton-hilton-honors/1570071-consolidated-hilton-honors-account-hacked-thread.html)

IMH Mar 23, 2015 9:40 am

Today Krebs is reporting on the breach.

Other media are picking the story up, e.g. arstechnica here.

The reports suggest that the vulnerability has been fixed, or that Hilton believes it has. In which case I can't see any reason why Hilton should not (finally) be more forthcoming about what has happened and how security will be addressed going forward.

EDITED (four hours later):
A post in a different thread prompted me to read the Krebs report again and with more care. It would appear only to explain some of the recent backtracking, not the earlier breach which is the main focus of this thread. Apologies for that (but it's still interesting and disappointing in its own right IMO).

mnredfox Mar 23, 2015 2:38 pm


Originally Posted by IMH (Post 24551877)
Today Krebs is reporting on the breach.

Other media are picking the story up, e.g. arstechnica here.

The reports suggest that the vulnerability has been fixed, or that Hilton believes it has. In which case I can't see any reason why Hilton should not (finally) be more forthcoming about what has happened and how security will be addressed going forward.

EDITED (four hours later):
A post in a different thread prompted me to read the Krebs report again and with more care. It would appear only to explain some of the recent backtracking, not the earlier breach which is the main focus of this thread. Apologies for that (but it's still interesting and disappointing in its own right IMO).

Posted on Loyalty Lobby too. Nice job Hilton.

http://loyaltylobby.com/2015/03/23/h...e-yours-again/

Time to change your PW again.

gqZJzU4vusf0Z2,$d7 Mar 23, 2015 5:06 pm


Originally Posted by mnredfox (Post 24553439)
Posted on Loyalty Lobby too. Nice job Hilton.

http://loyaltylobby.com/2015/03/23/h...e-yours-again/

Time to change your PW again.

Actually, not. This breach didn't require any password, only your HHonors number.

JBD Apr 13, 2015 1:46 pm

Hilton: When are you going to disable access via the 4 digit pin?
 

Originally Posted by anative (Post 22722174)
After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.

In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login.

This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.

SCARY.

An email to Hilton's Privacy Department ([email protected]) has gone unanswered.

In four days the above post will be ONE YEAR OLD.

And yet, Hilton has still not addressed this problem.

I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so.

But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number).

This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks.

Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin?

Schtingi Apr 13, 2015 3:52 pm


Originally Posted by JBD (Post 24659386)
In four days the above post will be ONE YEAR OLD.

And yet, Hilton has still not addressed this problem.

I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so.

But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number).

This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks.

Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin?

SAME HERE! :td:

RogerD408 Apr 16, 2015 4:53 pm


Originally Posted by JBD (Post 24659386)
In four days the above post will be ONE YEAR OLD.

And yet, Hilton has still not addressed this problem.

I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so.

But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number).

This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks.

Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin?

As posted here http://www.flyertalk.com/forum/24674462-post435.html it looks like they will be taking the PINs offline later this month. Now we are talking about HH IT so there's no telling.

JBD Apr 30, 2015 12:34 am

Login with PIN has finally been disabled
 
Woohoo.

Just now saw that I couldn't log in with my PIN. And there was no CAPTCHA.

And after logging in with my password I saw this on my Account Summary page:
HILTON HHONORS ACCOUNT PASSWORDS
As of April 29, 2015, all members will be required to update their PIN, or current password, to a new & secure password. Update your password now by visiting the Personal Information section of your account profile. If you have already updated your password on or after March 10, 2015, no further action is required.

wav3rider May 2, 2015 2:50 pm

Don't everyone woohoo too much. The PIN still lives in their system; they just removed it from the website. I just used it to log in to the Conrad app. The app wouldn't let me log in with username/account number and password. I did the account number and PIN and it let me right in. Needs to be brought to Hilton's attention.
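Two points in this thread are worth seeing in code: anative's observation (quoted in JBD's post above) that an account number plus a 4-digit PIN falls to at most 9999 guesses when nothing throttles failed logins, and wav3rider's observation that removing the PIN from the website did nothing if the mobile app's backend still accepted it. The following is an added example, not Hilton's code and not from anyone in this thread: a minimal server-side authentication policy in which the credential rules and the lockout are decided in one place shared by every client, plus a small detector that flags accounts with many failed attempts in a constructed log sample. Account numbers, the password, the salt, the client names and the log lines are all made up for the demo.

```python
"""Server-side login policy plus failed-login detection (constructed demo)."""
from collections import defaultdict
from dataclasses import dataclass, field
import hashlib
import hmac
import re

# Constructed demo salt; a real system stores a random per-user salt.
SALT = b"demo-salt"


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored passwords are not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account store: hashed password plus the legacy 4-digit PIN.
ACCOUNTS = {
    "123456789": {"pw": _pw_hash("correct horse battery", SALT), "pin": "4321"},
}


@dataclass
class AuthPolicy:
    allow_pin_login: bool = False  # one switch, applied to web, app, and any other client
    max_failures: int = 5          # lockout threshold per account number
    _failures: dict = field(default_factory=lambda: defaultdict(int))

    def login(self, account: str, credential: str, client: str) -> str:
        """Return 'ok', 'locked', 'pin_disabled' or 'denied'.

        'client' is only logged; it never changes the decision, so turning
        the PIN off here turns it off for the app as well as the website.
        """
        if self._failures[account] >= self.max_failures:
            return "locked"
        rec = ACCOUNTS.get(account)
        if re.fullmatch(r"\d{4}", credential):
            # A 4-digit all-numeric credential is a PIN attempt.
            if not self.allow_pin_login:
                return "pin_disabled"
            ok = rec is not None and hmac.compare_digest(rec["pin"], credential)
        else:
            # Hash even for unknown accounts so timing does not reveal existence.
            stored = rec["pw"] if rec else _pw_hash("", SALT)
            ok = hmac.compare_digest(stored, _pw_hash(credential, SALT)) and rec is not None
        if ok:
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        return "denied"


# Constructed login-log sample: one account with a burst of failures,
# another with a couple of ordinary typos, and one successful login.
LOG_LINES = [
    f"2015-04-01T10:00:{i:02d}Z client=app account=123456789 result=denied"
    for i in range(12)
] + [
    "2015-04-01T10:01:00Z client=web account=987654321 result=denied",
    "2015-04-01T10:01:05Z client=web account=987654321 result=denied",
    "2015-04-01T10:01:09Z client=web account=987654321 result=ok",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\w+) account=(?P<acct>\d+) result=(?P<res>\w+)$"
)


def flag_brute_force(lines, threshold: int = 10) -> list:
    """Return account numbers whose failed-login count reaches the threshold."""
    fails = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["res"] == "denied":
            fails[m["acct"]] += 1
    return sorted(acct for acct, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    policy = AuthPolicy()
    print(policy.login("123456789", "4321", client="app"))    # pin_disabled
    print(policy.login("123456789", "correct horse battery", client="web"))  # ok
    print(flag_brute_force(LOG_LINES))                         # ['123456789']
```

The point of the `client` argument is that it deliberately does nothing: if the PIN rule lived in the website's form validation instead of here, the app would keep accepting it, which is what wav3rider found. The lockout counter is keyed by account number because that is the value printed on receipts; a real deployment would also rate-limit by source address and alert on the pattern `flag_brute_force` picks out.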

MasterGeek May 9, 2015 6:27 am

I am now getting fraudulent calls from telemarketers/scammers due to this data breach. I believe I'm entitled to some compensation, such as free nights, due to all this inconvenience and privacy breach. Anyone got some?

IMH May 10, 2015 8:10 am


Originally Posted by MasterGeek (Post 24789558)
I am now getting fraudulent calls from telemarketers/scammers due to this data breach.

If you could tell us a little more we'd have an idea of what to look out for.

sethb May 11, 2015 1:28 pm


Originally Posted by MasterGeek (Post 24789558)
I am now getting fraudulent calls from telemarketers/scammers due to this data breach. I believe I'm entitled to some compensation, such as free nights, due to all this inconvenience and privacy breach. Anyone got some?

I don't believe you are. How do you know the telescammers got data from Hilton, anyway?

MasterGeek May 12, 2015 2:28 am


Originally Posted by sethb (Post 24799559)
I don't believe you are. How do you know the telescammers got data from Hilton, anyway?

They offer a "free Hilton" night because they know I am a HHonors member since they got my data from there. And the timing is just a few weeks after the HHonors data breach.

sethb May 12, 2015 8:48 am


Originally Posted by MasterGeek (Post 24802496)
They offer a "free Hilton" night because they know I am a HHonors member since they got my data from there. And the timing is just a few weeks after the HHonors data breach.

Maybe. I've been offered free Hilton nights on telescams that went to a phone number that isn't in my Hilton profile.

RogerD408 May 12, 2015 9:01 am


Originally Posted by sethb (Post 24803636)
Maybe. I've been offered free Hilton nights on telescams that went to a phone number that isn't in my Hilton profile.

Yes, this...

Just like with email scams, the more people they hit the higher the odds of getting someone to bite. Data mining for specific numbers/email addresses allows them to target specific audiences. They are getting better with their presentations and I can see many people falling prey. I especially like the emails from the Director of the FBI approving my dealings with the Bank of Nigeria!

GarlicFlyer May 17, 2015 6:54 am

Article here mentions Hilton accounts being sold for just 15 USD.

http://www.dailymail.co.uk/news/arti...er-s-List.html
