FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Hilton | Hilton Honors (https://www.flyertalk.com/forum/hilton-hilton-honors-417/)
-   -   Consolidated "Hilton Honors Account Hacked" thread (https://www.flyertalk.com/forum/hilton-hilton-honors/1570071-consolidated-hilton-honors-account-hacked-thread.html)

JBD Oct 18, 2014 6:01 pm

Great job sqeakr! Thanks for making the sticky. ^
I for one have been hoping that the HHonorsRepresentative would comment on all the recent hacks. Erin posted the following in the http://www.flyertalk.com/forum/hilto...a-logging.html thread:

Originally Posted by HHonorsRepresentative (Post 23688285)
Hi there,

Thanks for your question! At this point, CAPTCHA is a long-term solution and has been implemented as an extra security measure for the safety of our members. I am collecting your feedback each day and passing along to my team so they are looped in on the user experience.

Thanks,
Erin

But she makes no mention as to why HH is implementing this extra security measure now.

I'll repeat my questions I posted above:

Originally Posted by JBD (Post 23658861)
...question to the community: has anyone seen these reports of hacked accounts on any of the other boards or blogs? Any report of this in any hotel trade papers?

If not, why? Data breaches usually get a lot of coverage...

I'm re-asking these questions, because if in fact there's been no other reporting of this data breach, then currently HH has been able to come away pretty scot-free. And that just doesn't seem right.

What other business, where customer loyalty is such a key to success, could have been notified in public in April of serious website security issues (as HH was according to posts in the beginning of this thread), then have encountered multiple data breaches, which were reported in a public forum where their company has a representative present, and then merely add a new security feature to their website, and make no further comment?

When Target was breached, for instance, apologies were issued, discounts were offered.

I'm glad to see that the FTers who were hacked are receiving their points back. But what about the inconveniences they suffered waiting for their accounts to be reopened, not to mention the aggravation and stress I'd imagine accompanied their ordeal. What about the fact that if points could be taken, then addresses, phone numbers, travel habits were also exposed.

I'd like to see HH acknowledge this breach publicly. And I'd like to see HH not just re-instate the stolen points, but offer proper compensation to those that were hacked.

And, of course, I'd like to see HH actually address their website vulnerabilities rather than use a CAPTCHA bandaid that was not designed for the purpose HH is using it for.

Hilton's not some mom-and-pop outfit after all! Where's Hilton's mea culpa?

kapkap46 Oct 19, 2014 5:51 am

Completely agree. In another post I outlined 3 hacks in the last 10 days and lost 258,000 points.

They say they'll put them back in but I'll believe it when I see it. I have to open a new email account, new username, new passwords, new pins etc and I have spent $150 calling the Diamond Desk from Thailand as well as wasting valuable hours.

I have the same email on 50 different businesses, banks, airlines etc and never a problem.

And Hilton would like to sweep it under the rug. They have a bunch of incompetents in the IT dept and the Billion $ company has their head in the sand.

Hello Marriott

kapkap46 Oct 19, 2014 5:58 am

By the way after changing all those things mentioned, I got no response from Hilton either at old or new email address.

So beware!!!

USAF_O1 Oct 19, 2014 6:03 am

When mine was hacked, they deleted my primary email but forgot to delete my secondary email I had listed on my account. So I got an email stating that my primary address was deleted and it had the email of the user that hacked my account CC'd.

kapkap46 Oct 19, 2014 7:06 am

They instantly re-hacked my account. Called again from Thailand, finally got someone with a brain after 4 overseas calls and I don't know how many hours.

Changed my # while I was on the phone, merged the information and I set up all new passwords, pins, usernames etc.

Hopefully that will work but I have no faith in Hilton, and anyone out there, if you are smart, protect yourself because all your information including credit cards is available to these hackers.

And Hilton is doing nothing!!!

aaronp84 Oct 20, 2014 2:02 pm

Website down again today - captcha now involves words instead of just a few numbers. This is getting out of hand...

HansGruber Oct 21, 2014 10:17 pm

Mine has been numbers every time so far. Would you prefer that it's easier for your account to be hacked? In the long run eliminating the PINs altogether would be the best idea but that doesn't seem to be the case yet.

kapkap46 Oct 22, 2014 5:24 am

How much easier can it be. They hacked me 3 times after they supposedly fixed it.

aaronp84 Oct 22, 2014 9:56 am

Originally Posted by HansGruber
Mine has been numbers every time so far. Would you prefer that it's easier for your account to be hacked? In the long run eliminating the PINs altogether would be the best idea but that doesn't seem to be the case yet.

No, I would prefer they implement a strong password policy instead of a 4-number PIN that is figured out in a short matter of time.

scubaccr Oct 24, 2014 8:50 pm


Originally Posted by aaronp84 (Post 23716693)
No, I would prefer they implement a strong password policy instead of a 4-number PIN that is figured out in a short matter of time.

With 4-digit numeric PINs, the solution is easy enough.... HH can simply stop brute strength attacks by implementing an increasing interval after nn failed password attempts.

eg
3 attempts back to back is fine, allows for incorrect entry, especially non-PIN passwords when I have accidentally set the keyboard to 'caps on'

if password attempts 1-3 invalid, force a wait of 30 minutes before being allowed another 3x retry password attempts

if 4th-6th password attempts invalid, force a wait of 2 hours before being allowed to retry the password 3x again
(and keep to this 2-hour delay thereafter)

AND when you legitimately log on with the next good password, HH can flash up an on-screen message like
"nn Unsuccessful login attempts since last logon" to warn of attempted hack attempts.
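As an added illustration (not code from this thread or from Hilton), here is the escalating per-account lockout described above, with an injectable clock so the policy can be simulated offline, plus a helper that counts how many guesses one account absorbs within a time horizon. Class and function names, the sample PINs and the wrong guess are constructed for the example.

```python
import time

# Escalating per-account lockout as described in the post above:
# three back-to-back attempts are free, the next lock is 30 minutes,
# every later lock is 2 hours (constants are the post's figures).
FREE_ATTEMPTS = 3
FIRST_LOCK_SECONDS = 30 * 60
LATER_LOCK_SECONDS = 2 * 60 * 60

class AccountLoginGuard:
    def __init__(self, pin, clock=time.time):
        self._pin = pin              # constructed sample secret (a real system stores a hash)
        self._clock = clock          # injectable clock so the policy can be simulated offline
        self.failed_since_login = 0  # shown to the member at the next good login
        self.failed_in_block = 0     # failures in the current block of three
        self.locked_until = 0.0

    def attempt(self, pin):
        """Return 'locked', 'bad_pin', or 'ok:<n>' (n = failures since last good login)."""
        now = self._clock()
        if now < self.locked_until:
            return "locked"
        if pin != self._pin:
            self.failed_since_login += 1
            self.failed_in_block += 1
            if self.failed_in_block >= FREE_ATTEMPTS:
                # first exhausted block -> 30 min; every later block -> 2 h, kept thereafter
                first = self.failed_since_login == FREE_ATTEMPTS
                self.locked_until = now + (FIRST_LOCK_SECONDS if first else LATER_LOCK_SECONDS)
                self.failed_in_block = 0
            return "bad_pin"
        warning = self.failed_since_login
        self.failed_since_login = self.failed_in_block = 0
        self.locked_until = 0.0
        return f"ok:{warning}"

def guesses_allowed(horizon_seconds):
    """Count how many wrong guesses against one account the policy lets through
    within the horizon, assuming the guesser retries the instant a lock expires."""
    clock = [0.0]
    guard = AccountLoginGuard("0000", clock=lambda: clock[0])  # constructed PIN
    allowed = 0
    while clock[0] < horizon_seconds:
        if guard.attempt("9999") == "locked":   # constructed wrong guess
            clock[0] = guard.locked_until       # jump to lock expiry
        else:
            allowed += 1
    return allowed
```

Under these figures one account absorbs 39 guesses per day out of a 10,000-PIN space, so a single account is effectively protected; note that this per-account counter says nothing about one-guess-per-account attempts spread over many accounts, which need detection across accounts rather than per account.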

sethb Oct 24, 2014 10:05 pm

That doesn't work at all: they get 1,000,000 account numbers, and try each one with one PIN. On average, they'll crack about 100 of them, without trying any account twice.

AnthonyF1227 Oct 25, 2014 7:27 pm


Originally Posted by scubaccr (Post 23731718)
With 4-digit numeric PINs, the solution is easy enough.... HH can simply stop brute strength attacks by implementing an increasing interval after nn failed password attempts.

eg
3 attempts back to back is fine, allows for incorrect entry, especially non-PIN passwords when I have accidentally set the keyboard to 'caps on'

if password attempts 1-3 invalid, force a wait of 30 minutes before being allowed another 3x retry password attempts

if 4th-6th password attempts invalid, force a wait of 2 hours before being allowed to retry the password 3x again
(and keep to this 2-hour delay thereafter)

AND when you legitimately log on with the next good password, HH can flash up an on-screen message like
"nn Unsuccessful login attempts since last logon" to warn of attempted hack attempts.

I think they typically use proxies to change their IP address. It's not easy to enforce.

scubaccr Oct 26, 2014 3:03 am


Originally Posted by AnthonyF1227 (Post 23735708)
I think they typically use proxies to change their IP address. It's not easy to enforce.

The issue of which IP hackers use is not relevant.

The HH system would be controlling the 30min/120min password entry lock; this methodology is widely used elsewhere when using simple 4x numeric passwords (and sometimes even password entry), not some cookies on the member's browser.

The other post saying hackers will try 1,000,000 accounts with the same password presupposes a list of 1 million good account numbers; a randomly created list of a million accounts will not be possible.

Also 4-numeric passwords are not randomly distributed; users need values that are easier to remember, often dates (not necessarily birthdays/anniversary days though), so nnnn is often aa + bb where aa=1-12/1-31 and bb=1-12/1-31, and in effect less than 20% of possible numeric PIN combos account for 80% of actual PIN numbers.

CHCflyer Oct 27, 2014 9:20 pm

Sign-in is pretty useless these last three days for me.
Enter my password (number) and Captcha words (they seem to have stopped number pictures) and upon signing in I get the session expired page. Start again and same outcome. I have made six personal reservations despite this carry-on and am trying to give them a seventh business travel booking.
As I live in New Zealand my most active time on the Hilton website usually tends to be when they assume most are asleep, so I often bump into site maintenance signs, too.

myapologies Oct 29, 2014 2:05 pm

Hi, everyone.

I made an account on this forum to make you all aware of a blackhat forum where your cracked Hilton HHonors accounts are bought and sold.

I am a member of said forum, but I think that it is wrong that they are doing this to you all.

The website is http://leakforums.org or http://leak.sx. They're both the same website. Now, you'll have to create an account on the forum and then visit this forum thread http://leakforums.org/thread-367084. You can't see it without first making an account.

The thread looks like this


Post: #1(This post was last modified: 10-27-2014 12:58 AM by Imperfectluck.) The Cheapest HHonor Hilton Bulk Available FAST and ONLINE
Currently Stocked on HHonorHilton accounts!
You can view what you can get with how many points by looking here, Points Catalogue. Remember these are cracked accounts, that's why they are cheap, most of them have been inactive and all are checked and I know exactly how much is in which. View things you could buy is say with 30k point account you can get a $50 Giftcard etc, for those who all don't know about HHonor Hilton. I'm pretty active so expect fast accounts, all are checked and I know how much are in which.

Payments BTC/PP only

30k-39k - $1.50 cents.
40k-49k - $2
50k-59k - $2.50
60k-69k - $3
70k-79k - $3.50
80k-89k - $4
90k-100k - $4.50


Please Post here then send me a PM. prices could vary.

T.O.S
1. I'm not responsible for what you choose to do with the accounts after purchase.
2. If account does not work moment after purchase a refund will be issued or replace with a new account.

The name of this seller is Imperfectluck.

Maybe presentation of some of this stuff to Hilton will make them a bit more motivated to fix things.
