Today Krebs is reporting on the breach.
Other media are picking the story up, e.g. arstechnica here. The reports suggest that the vulnerability has been fixed, or that Hilton believes it has. In which case I can't see any reason why Hilton should not (finally) be more forthcoming about what has happened and how security will be addressed going forward. EDITED (four hours later): A post in a different thread prompted me to read the Krebs report again and with more care. It would appear only to explain some of the recent backtracking, not the earlier breach which is the main focus of this thread. Apologies for that (but it's still interesting and disappointing in its own right IMO). |
Originally Posted by IMH
(Post 24551877)
Today Krebs is reporting on the breach.
Other media are picking the story up, e.g. arstechnica here. The reports suggest that the vulnerability has been fixed, or that Hilton believes it has. In which case I can't see any reason why Hilton should not (finally) be more forthcoming about what has happened and how security will be addressed going forward. EDITED (four hours later): A post in a different thread prompted me to read the Krebs report again and with more care. It would appear only to explain some of the recent backtracking, not the earlier breach which is the main focus of this thread. Apologies for that (but it's still interesting and disappointing in its own right IMO). http://loyaltylobby.com/2015/03/23/h...e-yours-again/ Time to change your PW again. |
Originally Posted by mnredfox
(Post 24553439)
Posted on Loyalty Lobby too. Nice job Hilton.
http://loyaltylobby.com/2015/03/23/h...e-yours-again/ Time to change your PW again. |
Hilton: When are you going to disable access via the 4 digit pin?
Originally Posted by anative
(Post 22722174)
After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.
In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login. This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries. SCARY. An email to Hilton's Privacy Department ([email protected]) has gone unanswered.
And yet, Hilton has still not addressed this problem. I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so. But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number). This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks. Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin? |
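The weakness the two posts above describe is a policy problem, not a cryptographic one: a 4-digit PIN accepted as a password equivalent, with no way to disable it and (per a later post) no CAPTCHA or lockout, leaves at most 10,000 candidates for anyone holding the loyalty number. The following is an added example written for this page, not Hilton's code or anything posted in the thread. It models the login check a defender would want: a configurable policy that can retire the PIN entirely and lock an account after a few failed attempts, with verifiers stored as salted PBKDF2 hashes and compared in constant time. The account number, PIN, password and failure threshold are all constructed values.

```python
# Added example: an account-login policy check that contrasts the weakness
# described in the thread (a 4-digit PIN accepted as a password equivalent,
# with no lockout) against a hardened policy (password only, lockout after a
# few failures). Constructed example, not Hilton's code; the account number,
# PIN, password and threshold below are made up.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

PIN_SPACE = 10 ** 4            # every 4-digit PIN, 0000 through 9999
KDF_ITERATIONS = 100_000       # PBKDF2 work factor; tune upward in production


def derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored verifiers are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS)


@dataclass
class Account:
    number: str                          # the loyalty number printed on receipts
    salt: bytes
    password_hash: bytes
    legacy_pin_hash: Optional[bytes]     # None once the PIN has been retired
    failed_attempts: int = 0
    locked: bool = False


@dataclass(frozen=True)
class LoginPolicy:
    allow_pin: bool                      # accept the legacy 4-digit PIN at all?
    max_failures: Optional[int]          # None means no lockout whatsoever


def make_account(number: str, password: str, pin: Optional[str]) -> Account:
    """Create an account with a fresh salt; pin=None keeps no PIN verifier."""
    salt = secrets.token_bytes(16)
    return Account(
        number=number,
        salt=salt,
        password_hash=derive(password, salt),
        legacy_pin_hash=derive(pin, salt) if pin is not None else None,
    )


def authenticate(acct: Account, secret: str, policy: LoginPolicy) -> Tuple[bool, str]:
    """Return (accepted, reason). Updates the failure counter and lock state."""
    if acct.locked:
        return False, "locked"
    candidate = derive(secret, acct.salt)
    if hmac.compare_digest(candidate, acct.password_hash):
        acct.failed_attempts = 0
        return True, "password"
    if (policy.allow_pin and acct.legacy_pin_hash is not None
            and hmac.compare_digest(candidate, acct.legacy_pin_hash)):
        acct.failed_attempts = 0
        return True, "pin"
    acct.failed_attempts += 1
    if policy.max_failures is not None and acct.failed_attempts >= policy.max_failures:
        acct.locked = True
        return False, "locked"
    return False, "rejected"


def guesses_before_lockout(policy: LoginPolicy) -> int:
    """Worst-case number of PIN guesses an account accepts before it locks.

    With no lockout the whole PIN space is reachable (the thread's '9999
    tries'); with a lockout the cap is the failure threshold; 0 when PIN
    login is switched off.
    """
    if not policy.allow_pin:
        return 0
    if policy.max_failures is None:
        return PIN_SPACE
    return min(policy.max_failures, PIN_SPACE)


if __name__ == "__main__":
    weak = LoginPolicy(allow_pin=True, max_failures=None)
    hardened = LoginPolicy(allow_pin=False, max_failures=5)
    for name, policy in (("weak", weak), ("hardened", hardened)):
        acct = make_account("000000000", "correct horse battery staple", "4821")
        print(name, "PIN login:", authenticate(acct, "4821", policy))
        print(name, "PIN guesses accepted before lockout:", guesses_before_lockout(policy))
```

Under the weak policy the PIN is accepted and the account never locks, so the only limit on guessing is the 10,000-entry PIN space; under the hardened policy the same PIN is rejected outright and five failures lock the account. Note that `authenticate` still runs the KDF on every attempt, locked or not, once the lock check passes, so a correct password after lockout is refused rather than silently honoured.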
Originally Posted by JBD
(Post 24659386)
In four days the above post will be ONE YEAR OLD.
And yet, Hilton has still not addressed this problem. I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so. But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number). This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks. Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin? |
Login with PIN has finally been disabled
Woohoo.
Just now saw that I couldn't log in with my PIN. And there was no CAPTCHA. And after logging in with my password I saw this on my Account Summary page: HILTON HHONORS ACCOUNT PASSWORDS As of April 29, 2015, all members will be required to update their PIN, or current password, to a new & secure password. Update your password now by visiting the Personal Information section of your account profile. If you have already updated your password on or after March 10, 2015, no further action is required. |
Don't everyone woohoo too much. The pin still lives in their system; they just removed it from the website. I just used it to log in to the Conrad app. The app wouldn't let me log in with username/account number and password. I did the account number and pin and it let me right in. Needs to be brought to Hilton's attention.
|
I am now getting fraudulent calls from telemarketers/scammers due to this data breach. I believe I'm entitled to some compensation, such as free nights, due to all this inconvenience and privacy breach. Anyone got some ?
|
Originally Posted by MasterGeek
(Post 24789558)
I am now getting fraudulent calls from telemarketers/scammers due to this data breach.
|
Originally Posted by MasterGeek
(Post 24789558)
I am now getting fraudulent calls from telemarketers/scammers due to this data breach. I believe I'm entitled to some compensation, such as free nights, due to all this inconvenience and privacy breach. Anyone got some ?
|
Originally Posted by sethb
(Post 24799559)
I don't believe you are. How do you know the telescammers got data from Hilton, anyway?
|
Originally Posted by MasterGeek
(Post 24802496)
They offer a "free Hilton" night because they know I am a HHonors member since they got my data from there. And the timing is just a few weeks after the HHonors data breach.
|
Originally Posted by sethb
(Post 24803636)
Maybe. I've been offered free Hilton nights on telescams that went to a phone number that isn't in my Hilton profile.
Just like with email scams, the more people they hit the higher the odds of getting someone to bite. Data mining for specific numbers/email addresses allows them to target specific audiences. They are getting better with their presentations and I can see many people falling prey. I especially like the emails from the Director of the FBI approving my dealings with the Bank of Nigeria! |
Article here mentions Hilton accounts being sold for just 15 USD.
http://www.dailymail.co.uk/news/arti...er-s-List.html |
I just got another email from a Hilton welcoming me, Dietmar, for an upcoming stay and reminding me that I have over 900,000 points. Only I'm not Dietmar. It's been a few months since I got one of these, but it's clear that Hilton still has a long way to go to clean up their security act.
|
Hilton Hacked?? news story
|
While the story posted is from a different source, I didn't see that it was already being discussed in another thread. My apologies.
|
This is still happening. Maybe if I out the customers something will get done?
OK, Philip who has a reservation on Oct 11th and is a Diamond member with 238594 points in his account, Hilton is copying me on your reservations. I will leave off your last name and HH Account number here, but if you see this please raise the issue with Hilton. There are a bunch of others who I get copied on. All Diamonds and some with millions of points. I have their full names and HH account numbers because of course Hilton includes those in the emails they send out. |
Hilton Worldwide press release regarding POS malware:
http://news.hiltonworldwide.com/inde...m/detail/29692 As a precautionary measure, customers may wish to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel over a seventeen-week period, from November 18 to December 5, 2014 or April 21 to July 27, 2015. |
Millions of Hilton hotels customers told to check bank accounts
Millions of Hilton hotels customers told to check bank accounts after chain reveals it was victim of hackers who targeted credit card information
• The malware targeted specific card payment information through hotel tills
• The US firm did not say whether data had actually been taken
• It also declined to state which British hotels had been involved
• The hack took place between November 18 and December 5, 2014, and April 21 and July 27, 2015. Card users are told to check their accounts
Read more: http://www.dailymail.co.uk/news/arti...#ixzz3sbJcYQAP |
Thanks for the updates, it's good to know. ^
|
Last week I spent one night at Hilton and also made a P&M-award reservation to another Hilton.
Today I got a call from my credit card company that, due to a data breach at Hilton, they are forced to cancel my current CC. This is very inconvenient, as I now don't have a working credit card thanks to Hilton. Hopefully this doesn't happen again in the future.... What's more, I later found out that this also caused a severe problem with my car rental, as Sixt wasn't able to block a deposit on my credit card because the credit card company had tightened the security limits of my card automatically due to this Hilton data breach. Really annoying! |
How can I tell if 1.5 million points expired or 0 points is a glitch?
Husband's account was at around 1.5 million points last Oct and he recalls buying points in 2015.
I'm looking at 0 points in his account right now (everything is 0) and I can't tell if we let them expire in the past few months or if it's a glitch. Does the points activity screen normally show activity beyond a year -- would it show he purchased points in early 2015? Or does the screen normally only show activity in the past 12 months? |
No. Your account should only show points earned and stays for the previous 12 months.
You should call HH. http://www.flyertalk.com/forum/hilto...thread-28.html |
Originally Posted by jerry a. laska
(Post 27115768)
No. Your account should only show points earned and stays for the previous 12 months.
You should call HH. http://www.flyertalk.com/forum/hilto...thread-28.html |
Originally Posted by fishee
(Post 27115780)
That's not at all what I wanted to hear.... Thanks for your response. Do you know if the program has been recently offering challenges to re-activate some expired points or is that a thing of the past?
|
Originally Posted by fishee
(Post 27115645)
Husband's account was at around 1.5 million points last Oct and he recalls buying points in 2015.
I'm looking at 0 points in his account right now (everything is 0) and I can't tell if we let them expire in the past few months or if it's a glitch. Does the points activity screen normally show activity beyond a year -- would it show he purchased points in early 2015? Or does the screen normally only show activity in the past 12 months? |
[Advice] HHonors Account was Hacked and Closed
I don't know where else I can get help on this issue. I have tried to contact Hilton Customer Service for almost 3 months, but it's getting nowhere.
My account was hacked in October. They changed my email and everything on my account. I didn't know that my account was hacked until the end of November when I tried to redeem an award stay. Customer service told me to contact Hilton Loss Prevention. I emailed Hilton Loss Prevention on December 1st, 2016. I received no response from them even though they said within 7-10 business days. I contacted Hilton Customer Service again January 12th and they created a special message for Loss Prevention. Loss Prevention finally replied and said that I sold hotel stays/reservations to guests on a website - which I never did! My account was hacked and the hacker used my account for this suspicious activity. I contacted Hilton again on January 19th to ask what the Loss Prevention Team can do to restore my account. No email follow-up at all. I called again on February 13th, and they said Loss Prevention will not assist further with the investigation and it's closed, period. I had 150,000+ Hilton Points in the account and Hilton wouldn't investigate the issue. I have 2 credit cards (Citi and Amex) linked to the HHonors Account. After almost 3 months of calling Hilton, what should I do at this point?
Timeline
Oct. 21st - An email notification that account email has been changed
Nov. 30th - Tried to book a stay, but customer service couldn't find the account
Dec. 1st - Called Hilton Customer Service, informed account is closed. Told to contact Loss Prevention. I emailed Loss Prevention on the same day
Dec. 15th - After 10 business days, I sent a reminder to Loss Prevention
Jan. 11th - No responses after 30+ days, I called Hilton and they sent a message to Loss Prevention
Jan. 12th - Finally received an email from Loss Prevention stating that my account was closed due to suspicious activity
Jan. 27 - Called Hilton again to see what Loss Prevention can do to restore my account
Feb. 13 - Called Hilton again, and this time they said Loss Prevention wrote in the message to refer to the email that was sent out on Jan 12. |
Sorry about your loss of points, but the first question that you will be asked by others is why did it take you almost 6 weeks to contact them after you received an email notification that your email address has been changed knowing that you did not make such a change? If you had immediately contacted them and said that you didn't make the change, things would probably have worked out much better for you in the end.
As it stands now, I don't see any other recourse for you. Loss prevention has closed your account for good and refuses to even consider reopening it. Maybe someone else has an idea that may help you. |
Originally Posted by ceebee100
(Post 27937293)
Loss prevention has closed your account for good and refuses to even consider reopening it. Maybe someone else has an idea that may help you.
You could consider going above loss prevention to the top and seeing what the bosses can do about it. |
Originally Posted by ceebee100
(Post 27937293)
Sorry about your loss of points, but the first question that you will be asked by others is why did it take you almost 6 weeks to contact them after you received an email notification that your email address has been changed knowing that you did not make such a change? If you had immediately contacted them and said that you didn't make the change, things would probably have worked out much better for you in the end.
|
New member, no location shown, strange and pretty implausible story.
Let me run it thru www.snopes.com! |
Originally Posted by ceebee100
(Post 27937293)
Sorry about your loss of points, but the first question that you will be asked by others is why did it take you almost 6 weeks to contact them after you received an email notification that your email address has been changed knowing that you did not make such a change? If you had immediately contacted them and said that you didn't make the change, things would probably have worked out much better for you in the end.
As it stands now, I don't see any other recourse for you. Loss prevention has closed your account for good and refuses to even consider reopening it. Maybe someone else has an idea that may help you.
I didn't find out about the email until I found an email notification in December. It wasn't that I discovered the email in October and did nothing about it for 6 weeks. Loss Prevention should have all the logs and activities of the account. Couldn't Loss Prevention look at the activity and make a reasonable judgment that the account was hacked?
Originally Posted by ozstamps
(Post 27937828)
New member, no location shown, strange and pretty implausible story.
Let me run it thru www.snopes.com! |
Originally Posted by jcao
(Post 27941314)
Loss Prevention should have all the logs and activities of the account. Couldn't Loss Prevention look at the activity and make a reasonable judgment that the account was hacked?
You also don't mention whether you are a long-time member with lots of stays over the years, or whether you only accumulated points through recent credit card churning and didn't even get around to spending the points on yourself. All of these things help paint a picture of whether you are a regular guest who just got hacked, or whether you are somebody who Honors doesn't mind having as an ex-member. And, for what it's worth, Flyertalk tends to be much more sympathetic towards frequent, long-time posters as opposed to people whose first post is a complaint against a company. There are dozens of sign-ups whose first and only post is to rant about something. |
Originally Posted by jcao
(Post 27941314)
I didn't find out about the email until I found an email notification in December. It wasn't that I discovered the email in October and did nothing about it for 6 weeks.
Loss Prevention should have all the logs and activities of the account. Couldn't Loss Prevention look at the activity and make a reasonable judgment that the account was hacked?
If you didn't log in for several weeks, yet the other person logged in several times from the same system/phone/IP address, it would make it appear that YOUR login was the one that is unusual, and you could be the hacker! |
HHonors Account Hacked and Miles Stolen
Woke up this morning to an email that I had transferred all but 9,000 of my points to someone else's HHonors account. They must have gotten my username / password somehow. I am pretty on the ball when it comes to online security so I'm a bit concerned. Diamond desk rep said it would take 7-10 business days to get the points back. :confused:
|
Originally Posted by nedyah700
(Post 28489241)
Woke up this morning to an email that I had transferred all but 9,000 of my points to someone else's HHonors account. They must have gotten my username / password somehow. I am pretty on the ball when it comes to online security so I'm a bit concerned. Diamond desk rep said it would take 7-10 business days to get the points back. :confused:
|
Originally Posted by ozstamps
(Post 27937828)
New member, no location shown, strange and pretty implausible story.
Let me run it thru www.snopes.com! Bob H |
This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.