So, looks like this happend to me. I received an email this morning saying my email address had been changed, with only the domain changed to @gmail.net (which as far as I know doesn't exist). My point balance is down to 132pts. Recent activity doesn't show anything suspicious. I'm currently on hold trying to get it figured out.

Someone was trying to hack my account but recently setup new password protected me. Which makes me think, there must be some database of usernames and passwords available.

I changed the password to more complicated after recent reports and also made some reservations to protect my points.

How do you know someone was trying to hack your account?

My password didn't work and had an error: too many attempts to logon with wrong password.

My account was hacked this morning. Room was actually booked for Sydney Hilton with person, Sun Bo, staying there (I'm in the US). Couldn't get local Hilton to call the authorities. I think they scanned the person's ID. Not that I think anything will come of it, but I am going to make a complaint to the local authorities.


Is all this coming from the breach 3-4 years ago or has there been a new breach in HHonors?

Remember, the person staying is not likely the person that hacked your account. Would not be surprised if the guest is not able to give adequate ID on where they bought the rez.

In the IHG forum, there is a similar thread and many hacked accounts reported.

One poster did some research and came to the conclusion his account was being hacked because IHG phone booking actually only needs Account Name and Account number. Such information is readily available for sale on the Chinese Taobao site (Alibaba) at $30 per night.

So it may be the same cases here for the HHonors accounts.

Frauds in Mainland China are so rampant that IHG has put in restrictions on accounts with addresses in Great China, on award night redemption. It also changed the Point Break reservation by greatly restricted the nights at the same property could be booked during Point Break promotion. IIRC it is only 2 nights in total versus before there is no limit - and cheaply obtained reward nights are being sold online.

Another datapoint here. My Hilton account was hacked on October 19th.

My password was changed and my account email address was set to [email protected] (where 'my.name1' is my real name followed by the number 1), and a Chinese phone number was added to the account. The attackers used 288,000 points to book a stay at the Shanghai Waldorf Astoria, in the name of a Mr Lai beginning on October 21st.

The only reason I even spotted this was that my Hilton app on my iPhone sent me a notification saying that it was time to check in which prompted me to investigate!

It is absolutely crazy that Hilton don't send confirmation emails when account details are changed or when a password reset/change happens, and when points bookings are made on the account. At no point have I received any emails from Hilton about any of the activity on my account - the only email I've had was the password reset email sent from the service center.

I contacted Hilton via phone and they were very quick in restoring access to the account - it sounded like it was something they were well versed in dealing with, but they say it'll be a few days before the points are returned. They were not very interested in tracing the attackers.

Of course, now I'm paranoid about all my points & status accounts. Why on earth aren't more of them using 2FA?

Yeah, I just got this today as well. Grrr. Time to change passwords again.

Hilton account hacked and points transferred to points.com
 

As thread title said, I got my points stolen. I'm working with Hilton to get this resolved. Pretty pissed.

Check Your Account Often
 

My account was recently hacked. I normally don't check it that often but will in the future. I always log into my account when I need to make a reservation. I about fell out of my chair when my substantial point balance was at 8k! I'm not sure if I received more prompt attention from the fraud unit because I'm Diamond, but they resolved it quickly. They did close the old account and I have a new account number to memorize, but I was extremely pleased in the manner this was handled. Not only did they restore my points, but they gave me some bonus points for my trouble. They will be able to track the person down through the two award bookings they made. Only thing more satisfying would be to know who it was, but I do have the phone and e-mail they provided when they changed my contact info on the account.

Same thing happened to me. I got my points back about 10 days later. PITA, sure, but in the end the biggest inconvenience was that I was assigned a new Honors #. I'm not sure if this stolen info is coming from their end or my end either.

Was your lifetime status up until that point preserved in the new account?

I booked an award stay, and got an email message from Hilton about it that read (between the lines) like they know they're getting hacked and checking on award bookings. I don't recall getting that message before (though it might be because most of my stays are in the US and this award booking was for London).

Stolen HH Points from Account
 

Anyone ever experience having all their points stolen. Last night somehow someone took all 1.2 MM points and made 100000 redemptions all to aeroplan. Never even heard of aeroplan. Hilton is investigating, but curious to hear from others. It had to be automated as it was stolen in seconds.