FlyerTalk Forums

FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Hilton | Hilton Honors (https://www.flyertalk.com/forum/hilton-hilton-honors-417/)
-   -   Consolidated "Hilton Honors Account Hacked" thread (https://www.flyertalk.com/forum/hilton-hilton-honors/1570071-consolidated-hilton-honors-account-hacked-thread.html)

Globalist Oct 2, 2014 10:37 pm

This seems a quite significant breach,

I have changed my PIN just to be sure but thought it was better to switch to a username/password login, which is less logical compared to using an account number that can be found easily.

Now that I have a username and password I still see that I can log in with my account number and (changed) PIN, which means there are now two ways into my account.

Not a great security protocol.

Globalist

JBD Oct 3, 2014 12:22 am


Originally Posted by Globalist (Post 23618799)
This seems a quite significant breach,

I have changed my PIN just to be sure but thought it was better to switch to a username/password login, which is less logical compared to using an account number that can be found easily.

Now that I have a username and password I still see that I can log in with my account number and (changed) PIN, which means there are now two ways into my account.

Not a great security protocol.

Globalist

That "protocol" was first noticed in one of the two threads I linked above (in post #5), titled "Hilton Honors Website Security".

And note that the thread (currently) ends with this post made on July 9, 2014 by the HHonorsRepresentative:


Originally Posted by HHonorsRepresentative (Post 23169613)
I'm on it! Thanks everyone. Stay tuned.


bigbuy Oct 3, 2014 4:13 am


Originally Posted by card1953 (Post 23606246)
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?

Yep, my account was hacked on 9/30/14. The hackers took 466,860 points by ordering 2 Sony products. I emailed Hilton on 10/01 and also called. Within 24 hours, the points were returned and a new HHonors account number and password were issued. I think Hilton has a major security issue on their hands, although they gave me suggestions on how to protect my account. I don't use wifi or laptop/iPad and only have one computer that is secured with Norton.

HansGruber Oct 3, 2014 7:24 am

Based on all of these issues, I just changed my password and PIN last night. However, I'm wondering if their site isn't falling victim to the BASH Shellshock bug or another BASH vulnerability that was recently detected. Based on the fact that their web forms don't typically work all that well, I'd find it hard to believe they have all their ducks in a row on the security side as well. I would assume this vulnerability could be used to snag account numbers. From there it may just be a matter of brute force trying PIN numbers. However, I'm not a security guy...I'm a storage guy so that's a guess from me.

Moral of the story is change your PIN and password based on what's going on.

card1953 Oct 3, 2014 11:39 am

New account

I received an email with a new account number and my points were returned--it's clearly going to require vigilance.

wildthing271 Oct 3, 2014 1:33 pm

Haven't posted on here for a while.... but there is obviously a major hack going on judging by the number of folks on here just hacked...and add me to that list - this morning I had over 250000 points, I then got an email from the Hilton Hhonors Shopping Mall thanking me for my purchase....I checked my account and I only had 1000 points left.....someone had changed all the address and email preferences...but for good measure they must have noted my email address and are now spamming it.....

Michelle at the Diamond Desk was very sympathetic and helpful though!

Be vigilant folks!

scubaccr Oct 4, 2014 8:53 am


Originally Posted by Globalist (Post 23618799)
This seems a quite significant breach,

I have changed my PIN just to be sure but thought it was better to switch to a username/password login, which is less logical compared to using an account number that can be found easily.

Now that I have a username and password I still see that I can log in with my account number and (changed) PIN, which means there are now two ways into my account.

Not a great security protocol.

Globalist

Sorry, this won't save you. Yes, you can choose an account name and password, which is what I did during my HH signup some years ago.

However, on my first call to the HH desk, I was asked by the phone system, before being put through, for my account number and 2 random first/second/third/fourth digits of my PIN number, to screen and confirm one's user ID so that when you reach a live person you are already validated.

The HH person I queried when put through said I still have a PIN number, and they caused it to be emailed, which I immediately reset and deliberately forgot.

So any hacker can try any number of 'made-up' account numbers of the right length and PIN passwords of 0000-9999 as an easy brute-force hack. The ACCT/PIN combo is still associated even if you used name/password from signup day instead.

Obviously the hacker is only interested in high-value accounts points-wise for redeeming the points. On IHG in Summer 2012 it was untraceable Amazon e-vouchers sent to the account's changed email address (IHG did not notify the original email address of such email address changes).


I think it is crazy that elite programs expect us to remember some long 8-12-16 digit member number; wherever possible I use a name instead (so much easier to remember), and also a password if allowed (versus a PIN). Some of my programs now belatedly allow the name-type extra sign-on, such as KLM for me .. although as both me/girlfriend registered on the same email address we can't make use of the KLM change.

jtumbleweed Oct 7, 2014 11:10 am

Ouch!!

Well add us to the growing list! 550,000 points....Ouch!! Good thing we booked a Hawaii trip with 350,000 points or they would have taken those. Account is now frozen...and being told to be patient while they work things out. Good to hear people are getting their points back! Right? Would love to hear if anyone has any suggestions..as to what worked for them to get their points back. Not only is the Pin system archaic but I think emailing your actual password or pin when requested is old too. Seems like most sites ask you to answer secret questions or ask you to change your password in order to give you access...so Hilton if you're reading this...time to update! My husband travels "a lot". He loves being a diamond member and likes staying at Hilton hotels. Ok I'm done ranting;) Good to have a place to vent...thanks.

helosc Oct 8, 2014 8:25 am

Seems like something is happening re security :
When I just logged in now with password and pin code, I was also asked to type in the numbers shown on a picture.

fozziedoggie Oct 8, 2014 8:46 am


Originally Posted by helosc (Post 23644588)
Seems like something is happening re security :
When I just logged in now with password and pin code, I was also asked to type in the numbers shown on a picture.

It's a small step, but we really need to be able to select a more robust password overall. Most of my banking passwords, etc., are over 10 digits.

nrr Oct 9, 2014 3:37 am

Many websites let you set up a 2-step verification system: if you are not using a "known" computer to login, you must enter a 2nd code--sent to your cellphone as a text message (or home phone, as a voice mail message); this is inconvenient, but helpful in defeating hackers.

bradcc Oct 10, 2014 9:46 am

add one to the victims list... just had a few hundred thousand points drained to purchase some british gift cards.. :(

working with CS to open a fraud case now..

blackjack-21 Oct 10, 2014 5:20 pm

Looks like the locked in CC problem still exists, as I'm currently in contact with the HHonors rep on FT who's also working on getting my CC removed from the Hilton website. So the problem still exists and the "delete" button still doesn't work, at least for me. And I tried different end dates, tried to switch the CC number, still the original number and dates come up. So it's not a new problem, and should have been resolved by Hilton many months ago.

bj-21.

JBD Oct 10, 2014 6:05 pm


Originally Posted by blackjack-21 (Post 23658731)
...So it's not a new problem, and should have been resolved by Hilton many months ago...

Exactly!

The issues in this thread were brought to Hilton's attention several months ago. The HHonorsRepresentative supposedly was "on it".

But now we've had not an insignificant number of people reporting they've had their accounts hacked and points stolen (which as noted up thread was always my primary concern with the sorry state of security on Hilton's website), as reported here:

http://www.flyertalk.com/forum/hilto...r-changed.html

I keep linking all these threads in the hope that the main issue, Hilton's website not safeguarding our accounts, would receive more attention so that Hilton would be more pressured to get this fixed - now.

And question to the community: has anyone seen these reports of hacked accounts on any of the other boards or blogs? Any report of this in any hotel trade papers?

If not, why? Data breaches usually get a lot of coverage.

Can we at least make a sticky with these threads?

This matter is not trivial.

USAF_O1 Oct 17, 2014 11:59 am

HHonors Account Hacked!

I just received several emails from HHonors where someone has hacked into my account, changed ALL of my information to an address in Poland, my PIN number, my email address, password, etc. They also spent over 195,000 of my points on a Beats by Dr. Dre headset. I called HHonors and they said I'm not the only one with this problem, several others have called in. GO INTO YOUR ACCT NOW AND CHANGE YOUR INFORMATION!!

Hope no one else has been hacked!

HansGruber Oct 17, 2014 12:21 pm

There is another thread on this.

http://www.flyertalk.com/forum/hilto...r-changed.html

You are the first to report this since they added captcha but I have a feeling they got your data before that.

Yellowjj Oct 17, 2014 3:58 pm

Curious, if they changed your email address how did Hilton send you an email informing you? I would think the account would send any mail to the newly listed email.

pmarrsouth Oct 17, 2014 4:06 pm


Originally Posted by Yellowjj (Post 23694269)
Curious, if they changed your email address how did Hilton send you an email informing you? I would think the account would send any mail to the newly listed email.

Do they email the old address, once it is changed to new email address, stating that the account's email address has been updated and to please contact them asap if it was not done by the account holder?

flyer4512 Oct 17, 2014 6:15 pm


Originally Posted by pmarrsouth (Post 23694315)
Do they email the old address, once it is changed to new email address, stating that the account's email address has been updated and to please contact them asap if it was not done by the account holder?


When you make any changes to your Hilton account I believe you get an email to verify you made the changes.

When I log into Hilton now I see a word challenge, so they are addressing the problem.

wildthing271 Oct 18, 2014 1:43 pm

As soon as I was aware of the 'hack' I called the Diamond Desk..it took some time with the involvement of their fraud team, but they took a new email address from me...my account was then locked for about 10 days which caused some pain, but after that I received a new account number, and my points were restored....

JBD Oct 18, 2014 6:01 pm

Great job sqeakr! Thanks for making the sticky. ^



I for one have been hoping that the HHonorsRepresentative would comment on all the recent hacks. Erin posted the following in the http://www.flyertalk.com/forum/hilto...a-logging.html thread:

Originally Posted by HHonorsRepresentative (Post 23688285)
Hi there,

Thanks for your question! At this point, CAPTCHA is a long-term solution and has been implemented as an extra security measure for the safety of our members. I am collecting your feedback each day and passing along to my team so they are looped in on the user experience.

Thanks,
Erin

But she makes no mention as to why HH is implementing this extra security measure now.

I'll repeat my questions I posted above:

Originally Posted by JBD (Post 23658861)
...question to the community: has anyone seen these reports of hacked accounts on any of the other boards or blogs? Any report of this in any hotel trade papers?

If not, why? Data breaches usually get a lot of coverage...

I'm re-asking these questions, because if in fact there's been no other reporting of this data breach, then currently HH has been able to come away pretty scot-free. And that just doesn't seem right.

What other business, where customer loyalty is such a key to success, could have been notified in public in April of serious website security issues (as HH was according to posts in the beginning of this thread), then have encountered multiple data breaches, which were reported in a public forum where their company has a representative present, and then merely add a new security feature to their website, and make no further comment?

When Target was breached, for instance, apologies were issued, discounts were offered.

I'm glad to see that the FTers who were hacked are receiving their points back. But what about the inconveniences they suffered waiting for their accounts to be reopened, not to mention the aggravation and stress I'd imagine accompanied their ordeal. What about the fact that if points could be taken, then addresses, phone numbers, travel habits were also exposed.

I'd like to see HH acknowledge this breach publicly. And I'd like to see HH not just re-instate the stolen points, but offer proper compensation to those that were hacked.

And, of course, I'd like to see HH actually address their website vulnerabilities rather than use a CAPTCHA bandaid that was not designed for the purpose HH is using it for.

Hilton's not some mom and pop outfit afterall! Where's Hilton's Mea Culpa?

kapkap46 Oct 19, 2014 5:51 am

Completely agree. In another post I outlined 3 hacks in the last 10 days and lost 258,000 points.

They say they'll put them back in but I'll believe it when I see it. I have to open a new email account, new username, new passwords, new PINs etc and I have spent $150 calling the Diamond Desk from Thailand as well as wasting valuable hours.

I have the same email on 50 different businesses , banks, airlines etc and never a problem.

And Hilton would like to sweep it under the rug. They have a bunch of incompetents in the IT dept and the Billion $ company has their head in the sand.

Hello Marriott

kapkap46 Oct 19, 2014 5:58 am

By the way after changing all those things mentioned, I got no response from Hilton either at old or new email address.

So beware!!!

USAF_O1 Oct 19, 2014 6:03 am

When mine was hacked, they deleted my primary email but forgot to delete my secondary email I had listed on my account. So I got an email stating that my primary address was deleted and it had the email of the user that hacked my account CC'd.

kapkap46 Oct 19, 2014 7:06 am

They instantly re-hacked my account. Called again from Thailand and finally got someone with a brain after 4 overseas calls and I don't know how many hours.

Changed my # while I was on the phone , merged the information and I set up all new passwords, pins, usernames etc.

Hopefully that will work, but I have no faith in Hilton, and anyone out there, if you are smart, protect yourself, because all your information including credit cards is available to these hackers.

And Hilton is doing nothing!!!

aaronp84 Oct 20, 2014 2:02 pm

Website down again today - captcha now involves words instead of just a few numbers. This is getting out of hand...

HansGruber Oct 21, 2014 10:17 pm

Mine has been numbers every time so far. Would you prefer that it's easier for your account to be hacked? In the long run eliminating the PINs altogether would be the best idea, but that doesn't seem to be the case yet.

kapkap46 Oct 22, 2014 5:24 am

How much easier can it be. They hacked me 3 times after they supposedly fixed it.

aaronp84 Oct 22, 2014 9:56 am


Mine has been numbers every time so far. Would you prefer that it's easier for your account to be hacked? In the long run eliminating the PINs all together would be the best idea but that doesn't seem to be the case yet.
No, I would prefer they implement a strong password policy instead of a 4 number pin that is figured out in short matter of time.

scubaccr Oct 24, 2014 8:50 pm


Originally Posted by aaronp84 (Post 23716693)
No, I would prefer they implement a strong password policy instead of a 4-number PIN that is figured out in a short matter of time.

With 4-digit numeric PINs, the solution is easy enough.... HH can simply stop brute-strength attacks by implementing an increasing interval after nn failed password attempts.

eg
3 attempts back to back is fine; it allows for incorrect entry, especially non-PIN passwords when I have accidentally set the keyboard as 'caps on'

if password attempts 1-3 are invalid, force a wait of 30 minutes before being allowed another 3x retry password attempts

if the 4th-6th password attempts are invalid, force a wait of 2 hours before being allowed to retry the password 3x again
(and keep to this 2-hour delay thereafter)

AND when you legitimately log on with the next good password, HH can flash up an on-screen message like
"nn unsuccessful login attempts since last logon" to warn of attempted hack attempts.

sethb Oct 24, 2014 10:05 pm

That doesn't work at all: they get 1,000,000 account numbers, and try each one with one PIN. On average, they'll crack about 100 of them, without trying any account twice.

AnthonyF1227 Oct 25, 2014 7:27 pm


Originally Posted by scubaccr (Post 23731718)
With 4-digit numeric PINs, the solution is easy enough.... HH can simply stop brute-strength attacks by implementing an increasing interval after nn failed password attempts.

eg
3 attempts back to back is fine; it allows for incorrect entry, especially non-PIN passwords when I have accidentally set the keyboard as 'caps on'

if password attempts 1-3 are invalid, force a wait of 30 minutes before being allowed another 3x retry password attempts

if the 4th-6th password attempts are invalid, force a wait of 2 hours before being allowed to retry the password 3x again
(and keep to this 2-hour delay thereafter)

AND when you legitimately log on with the next good password, HH can flash up an on-screen message like
"nn unsuccessful login attempts since last logon" to warn of attempted hack attempts.

I think they typically use proxies to change their IP address. It's not easy to enforce.

scubaccr Oct 26, 2014 3:03 am


Originally Posted by AnthonyF1227 (Post 23735708)
I think they typically use proxies to change their IP address. It's not easy to enforce.

The issue of which IP hackers use is not relevant.

The HH system would be controlling the 30min/120min password entry lock; this methodology is widely used elsewhere when using simple 4x numeric passwords (and sometimes even for password entry), not some cookies on the member's browser.

The other post saying hackers will try 1,000,000 accounts with the same password presupposes a list of 1 million good account numbers; a randomly created list of a million accounts will not be possible.

Also 4-digit numeric passwords are not randomly distributed; users need values that are easier to remember, often dates (not necessarily birthdays/anniversary dates though), so nnnn is often aa + bb where aa=1-12/1-31 and bb=1-12/1-31, and in effect less than 20% of the possible PIN combos account for 80% of actual PIN numbers.
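The escalating per-account lockout proposed a few posts up, and the objection that one guess spread across a million account numbers never trips a per-account counter, are easy to see side by side in code. The following is an added example, not code from the thread or from Hilton: it tracks state per account number (so the client's IP address does not matter), applies the 3-try / 30-minute / 2-hour schedule and the "unsuccessful attempts since last logon" notice, and adds a fleet-wide count of distinct accounts with recent failures, which is the signal a one-guess-per-account sweep does leave. Account numbers, PINs and thresholds are constructed for the illustration.

```python
# Added example (not from the FlyerTalk thread or Hilton): a per-account login
# throttle with escalating lockout, the "nn unsuccessful attempts since last
# logon" notice, and a fleet-wide check for the one-guess-per-account pattern
# that per-account lockouts cannot see. All account data below is constructed.
import hmac
from dataclasses import dataclass

ATTEMPTS_PER_WINDOW = 3              # three back-to-back tries are allowed
FIRST_LOCKOUT_SECONDS = 30 * 60      # 30 minutes after the first exhausted window
LATER_LOCKOUT_SECONDS = 2 * 60 * 60  # 2 hours for every window after that
PIN_SPACE = 10_000                   # 0000-9999


@dataclass
class AccountState:
    failures_in_window: int = 0
    failures_since_login: int = 0
    windows_exhausted: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Keeps lockout state per account number; the caller's IP plays no part."""

    def __init__(self, credentials):
        self._creds = credentials   # account number -> PIN (constructed data)
        self._state = {}
        self.failure_log = []       # (timestamp, account) for every failed attempt

    def attempt(self, account, pin, now):
        """Returns ('ok', failures since last login), ('fail', tries left) or ('locked', seconds)."""
        st = self._state.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked", int(st.locked_until - now)
        expected = self._creds.get(account, "")
        # Unknown account numbers take the same failure path as wrong PINs.
        if expected and hmac.compare_digest(expected, pin):
            notice = st.failures_since_login
            self._state[account] = AccountState()   # clean slate after a good login
            return "ok", notice
        st.failures_in_window += 1
        st.failures_since_login += 1
        self.failure_log.append((now, account))
        if st.failures_in_window >= ATTEMPTS_PER_WINDOW:
            st.failures_in_window = 0
            st.windows_exhausted += 1
            delay = FIRST_LOCKOUT_SECONDS if st.windows_exhausted == 1 else LATER_LOCKOUT_SECONDS
            st.locked_until = now + delay
            return "locked", delay
        return "fail", ATTEMPTS_PER_WINDOW - st.failures_in_window

    def distinct_failing_accounts(self, now, window_seconds=300):
        """Fleet-wide view: how many different accounts failed a login in the last window."""
        return len({acct for t, acct in self.failure_log if now - t <= window_seconds})


def expected_hits(num_accounts, guesses_per_account=1, pin_space=PIN_SPACE):
    """Expected compromises when each account receives a few guesses against a uniform PIN space."""
    return num_accounts * guesses_per_account / pin_space


def simulate_one_guess_sweep(num_accounts=200, alert_threshold=50):
    """One wrong guess per account: no per-account lockout fires, but the fleet-wide count does."""
    creds = {f"9{n:09d}": "7319" for n in range(num_accounts)}   # constructed accounts
    throttle = LoginThrottle(creds)
    locked = 0
    for i, account in enumerate(creds):
        status, _ = throttle.attempt(account, "0000", now=float(i))
        locked += status == "locked"
    distinct = throttle.distinct_failing_accounts(now=float(num_accounts))
    return locked, distinct, distinct >= alert_threshold


if __name__ == "__main__":
    print("expected compromises, 1,000,000 accounts x 1 guess:", expected_hits(1_000_000))
    print("sweep of 200 accounts (locked, distinct failing, alert):", simulate_one_guess_sweep())
```

The per-account schedule does what the proposal asks: the third wrong PIN locks that account for 30 minutes, the sixth for 2 hours, and a successful login reports how many failures preceded it. The sweep simulation shows why that alone is not enough: with one guess per account nothing is ever locked, while `expected_hits(1_000_000)` returns 100, matching the objection. The only place the sweep shows up is in the number of distinct accounts failing per time window, so a fleet-wide alert on that count, rather than per-account or per-IP counters, is the detection a defender would add alongside the lockout.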

CHCflyer Oct 27, 2014 9:20 pm

Sign-in is pretty useless these last three days for me.
Enter my password (number) and Captcha words (they seem to have stopped number pictures) and upon signing in I get the session expired page. Start again and same outcome. I have made six personal reservations despite this carry-on and am trying to give them a seventh business travel booking.
As I live in New Zealand my most active time on the Hilton website usually tends to be when they assume most are asleep, so I often bump into site maintenance signs, too.

myapologies Oct 29, 2014 2:05 pm

Hi, everyone.

I made an account on this forum to make you all aware of a blackhat forum where your cracked Hilton HHonors accounts are bought and sold.

I am a member of said forum, but I think that it is wrong that they are doing this to you all.

The website is http://leakforums.org or http://leak.sx. They're both the same website. Now, you'll have to create an account on the forum and then visit this forum thread http://leakforums.org/thread-367084. You can't see it without first making an account.

The thread looks like this


Post: #1 (This post was last modified: 10-27-2014 12:58 AM by Imperfectluck.) The Cheapest HHonor Hilton Bulk Available FAST and ONLINE
Currently Stocked on HHonorHilton accounts!
You can view what you can get with how many points by looking here, Points Catalogue. Remember these are cracked accounts, that's why they are cheap; most of them have been inactive and all are checked and I know exactly how much is in which. View things you could buy: say with a 30k point account you can get a $50 Giftcard etc, for those who don't know about HHonor Hilton. I'm pretty active so expect fast accounts, all are checked and I know how much is in which.

Payments BTC/PP only

30k-39k - $1.50 cents.
40k-49k - $2
50k-59k - $2.50
60k-69k - $3
70k-79k - $3.50
80k-89k - $4
90k-100k - $4.50


Please Post here then send me a PM. prices could vary.

T.O.S
1. I am not responsible for what you choose to do with the accounts after purchase.
2. If the account does not work the moment after purchase a refund will be issued or it will be replaced with a new account.

The name of this seller is Imperfectluck.

Maybe presentation of some of this stuff to Hilton will make them a bit more motivated to fix things.

loyalitiz Oct 31, 2014 4:45 am

Be careful: Hackers Selling Compromised Hilton HHonors Accounts Online

As seen on LoyaltyLobby:

http://loyaltylobby.com/2014/10/30/h...counts-online/

-> change your password asap !

IMH Oct 31, 2014 11:27 am

The blogger you quote got the story from the post immediately above yours (and acknowledged that he had done so).


Originally Posted by loyalitiz (Post 23767877)
change your password asap

Changing passwords won't deactivate the PINs that -- as far as I can tell -- are a means to access all HHonors accounts regardless of any settings users change.

MarriotAdovacte Oct 31, 2014 2:41 pm

Originally Posted by IMH (Post 23769720)
The blogger you quote got the story from the post immediately above yours (and acknowledged that he had done so).

Changing passwords won't deactivate the PINs that -- as far as I can tell -- are a means to access all HHonors accounts regardless of any settings users change.

I've switched over to Marriott, never had a problem, and the hotel staff in each location is amazing! People need to change their passwords and emails.

I've managed to find these.

http://i.imgur.com/BoZ7QHX.png?1

Here is even one person who has 11 thousand of our accounts!

http://i.imgur.com/Jn7eQD7.png?1

Link in his/her thread, http://gyazo.com/a34601f2c938fe4987f2b071fe29577d

JohnMacWW Oct 31, 2014 2:43 pm

Just woke up but cannot tell if I am missing points

Embarrassingly, I am not really sure how many points I had (or should have). When I look at All Points Activity in My Account it does not seem to even have a data point for point withdrawals.

How can you look up how points have been used and deducted from your balance?

sethb Oct 31, 2014 3:19 pm


Originally Posted by JohnMacWW (Post 23770934)
Embarrassingly, I am not really sure how many points I had (or should have). When I look at All Points Activity in My Account it does not seem to even have a data point for point withdrawals.

How can you look up how points have been used and deducted from your balance?

Mine shows a certificate issued and a negative number of points associated with that (along with the stay information).




This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.