FlyerTalk Forums

FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Hilton | Hilton Honors (https://www.flyertalk.com/forum/hilton-hilton-honors-417/)
-   -   Consolidated "Hilton Honors Account Hacked" thread (https://www.flyertalk.com/forum/hilton-hilton-honors/1570071-consolidated-hilton-honors-account-hacked-thread.html)

IMH Mar 23, 2015 9:40 am

Today Krebs is reporting on the breach.

Other media are picking the story up, e.g. arstechnica here.

The reports suggest that the vulnerability has been fixed, or that Hilton believes it has. In which case I can't see any reason why Hilton should not (finally) be more forthcoming about what has happened and how security will be addressed going forward.

EDITED (four hours later):
A post in a different thread prompted me to read the Krebs report again and with more care. It would appear only to explain some of the recent backtracking, not the earlier breach which is the main focus of this thread. Apologies for that (but it's still interesting and disappointing in its own right IMO).

mnredfox Mar 23, 2015 2:38 pm


Originally Posted by IMH (Post 24551877)
Today Krebs is reporting on the breach.

Other media are picking the story up, e.g. arstechnica here.

The reports suggest that the vulnerability has been fixed, or that Hilton believes it has. In which case I can't see any reason why Hilton should not (finally) be more forthcoming about what has happened and how security will be addressed going forward.

EDITED (four hours later):
A post in a different thread prompted me to read the Krebs report again and with more care. It would appear only to explain some of the recent backtracking, not the earlier breach which is the main focus of this thread. Apologies for that (but it's still interesting and disappointing in its own right IMO).

Posted on Loyalty Lobby too. Nice job Hilton.

http://loyaltylobby.com/2015/03/23/h...e-yours-again/

Time to change your PW again.

gqZJzU4vusf0Z2,$d7 Mar 23, 2015 5:06 pm


Originally Posted by mnredfox (Post 24553439)
Posted on Loyalty Lobby too. Nice job Hilton.

http://loyaltylobby.com/2015/03/23/h...e-yours-again/

Time to change your PW again.

Actually, not. This breach didn't require any password, only your HHonors number.

JBD Apr 13, 2015 1:46 pm

Hilton: When are you going to disable access via the 4 digit pin?
 

Originally Posted by anative (Post 22722174)
After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.

In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login.

This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.

SCARY.

An email to Hilton's Privacy Department ([email protected]) has gone unanswered.

In four days the above post will be ONE YEAR OLD.

And yet, Hilton has still not addressed this problem.

I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so.

But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number).

This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks.

Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin?

Schtingi Apr 13, 2015 3:52 pm


Originally Posted by JBD (Post 24659386)
In four days the above post will be ONE YEAR OLD.

And yet, Hilton has still not addressed this problem.

I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so.

But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number).

This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks.

Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin?

SAME HERE! :td:

RogerD408 Apr 16, 2015 4:53 pm


Originally Posted by JBD (Post 24659386)
In four days the above post will be ONE YEAR OLD.

And yet, Hilton has still not addressed this problem.

I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so.

But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number).

This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks.

Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin?

As posted here http://www.flyertalk.com/forum/24674462-post435.html it looks like they will be taking the PINs offline later this month. Now we are talking about HH IT so there's no telling.

JBD Apr 30, 2015 12:34 am

Login with PIN has finally been disabled
 
Woohoo.

Just now saw that I couldn't log in with my PIN. And there was no CAPTCHA.

And after logging in with my password I saw this on my Account Summary page:
HILTON HHONORS ACCOUNT PASSWORDS
As of April 29, 2015, all members will be required to update their PIN, or current password, to a new & secure password. Update your password now by visiting the Personal Information section of your account profile. If you have already updated your password on or after March 10, 2015, no further action is required.

wav3rider May 2, 2015 2:50 pm

Don't everyone woohoo too much. The PIN still lives in their system; they just removed it from the website. I just used it to log in to the Conrad app. The app wouldn't let me log in with username/account number and password. I did the account number and PIN and it let me right in. Needs to be brought to Hilton's attention.

MasterGeek May 9, 2015 6:27 am

I am now getting fraudulent calls from telemarketers/scammers due to this data breach. I believe I'm entitled to some compensation, such as free nights, due to all this inconvenience and privacy breach. Anyone got some?

IMH May 10, 2015 8:10 am


Originally Posted by MasterGeek (Post 24789558)
I am now getting fraudulent calls from telemarketers/scammers due to this data breach.

If you could tell us a little more we'd have an idea of what to look out for.

sethb May 11, 2015 1:28 pm


Originally Posted by MasterGeek (Post 24789558)
I am now getting fraudulent calls from telemarketers/scammers due to this data breach. I believe I'm entitled to some compensation, such as free nights, due to all this inconvenience and privacy breach. Anyone got some?

I don't believe you are. How do you know the telescammers got data from Hilton, anyway?

MasterGeek May 12, 2015 2:28 am


Originally Posted by sethb (Post 24799559)
I don't believe you are. How do you know the telescammers got data from Hilton, anyway?

They offer a "free Hilton" night because they know I am a HHonors member since they got my data from there. And the timing is just a few weeks after the HHonors data breach.

sethb May 12, 2015 8:48 am


Originally Posted by MasterGeek (Post 24802496)
They offer a "free Hilton" night because they know I am a HHonors member since they got my data from there. And the timing is just a few weeks after the HHonors data breach.

Maybe. I've been offered free Hilton nights on telescams that went to a phone number that isn't in my Hilton profile.

RogerD408 May 12, 2015 9:01 am


Originally Posted by sethb (Post 24803636)
Maybe. I've been offered free Hilton nights on telescams that went to a phone number that isn't in my Hilton profile.

Yes, this...

Just like with email scams, the more people they hit the higher the odds of getting someone to bite. Data mining for specific numbers/email addresses allow them to target specific audiences. They are getting better with their presentations and I can see many people falling prey. I especially like the emails from the Director of the FBI approving my dealings with the Bank of Nigeria!

GarlicFlyer May 17, 2015 6:54 am

Article here mentions Hilton accounts being sold for just 15 USD.

http://www.dailymail.co.uk/news/arti...er-s-List.html

stimpy Jul 7, 2015 3:07 am

I just got another email from a Hilton welcoming me, Dietmar, for an upcoming stay and reminding me that I have over 900,000 points. Only I'm not Dietmar. It's been a few months since I got one of these, but it's clear that Hilton still has a long way to go to clean up their security act.

ACEDAD Sep 29, 2015 10:43 am

Hilton Hacked?? news story
 
FYI


http://www.foxnews.com/travel/2015/0.../?intcmp=hpbt3

ACEDAD Sep 29, 2015 10:45 am

While the story posted is from a different source, I didn't see that it was already being discussed in another thread. My apologies.

stimpy Oct 5, 2015 1:25 pm

This is still happening. Maybe if I out the customers something will get done?

OK, Philip, who has a reservation on Oct 11th and is a Diamond member with 238594 points in his account: Hilton is copying me on your reservations. I will leave off your last name and HH account number here, but if you see this please raise the issue with Hilton.

There are a bunch of others who I get copied on. All Diamonds and some with millions of points. I have their full names and HH account numbers because of course Hilton includes those in the emails they send out.

mke9499 Nov 24, 2015 9:59 pm

Hilton Worldwide press release regarding POS malware:

http://news.hiltonworldwide.com/inde...m/detail/29692


As a precautionary measure, customers may wish to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel over a seventeen-week period, from November 18 to December 5, 2014 or April 21 to July 27, 2015.

SanFranDan Nov 26, 2015 5:44 am

Millions of Hilton hotels customers told to check bank accounts
 
Millions of Hilton hotels customers told to check bank accounts after chain reveals it was victim of hackers who targeted credit card information

• The malware targeted specific card payment information through hotel tills
• The US firm did not say whether data had actually been taken
• It also declined to state which British hotels had been involved
• The hack took place between November 18 and December 5, 2014, and April 21 and July 27, 2015. Card users are told to check their accounts

Read more: http://www.dailymail.co.uk/news/arti...#ixzz3sbJcYQAP

uggboy Nov 26, 2015 11:37 am

Thanks for the updates, it's good to know. ^

Karjaluokka Jun 14, 2016 6:25 am

Last week I spent one night at Hilton and also made a P&M-award reservation to another Hilton.

Today I got a call from my credit card company that, due to a data breach at Hilton, they are forced to cancel my current CC.

This is very inconvenient, as I now don’t have a working credit card thanks to Hilton. Hopefully this doesn’t happen again in the future....

What's more, I later found out that this also caused a severe problem with my car rental, as Sixt wasn't able to block a deposit from my credit card as the credit card company had tightened the security limits of my card automatically due to this Hilton data breach. Really annoying!

fishee Aug 24, 2016 11:01 pm

How can I tell if 1.5 million points expired or 0 points is a glitch?
 
Husband's account was at around 1.5 million points last Oct and he recalls buying points in 2015.

I'm looking at 0 points in his account right now (everything is 0) and I can't tell if we let them expire in the past few months or if it's a glitch.

Does the points activity screen normally show activity beyond a year -- would it show he purchased points in early 2015? Or does the screen normally only show activity in the past 12 months?

jerry a. laska Aug 24, 2016 11:50 pm

No. Your account should only show points earned and stays for the previous 12 months.

You should call HH.
http://www.flyertalk.com/forum/hilto...thread-28.html

fishee Aug 24, 2016 11:56 pm


Originally Posted by jerry a. laska (Post 27115768)
No. Your account should only show points earned and stays for the previous 12 months.

You should call HH.
http://www.flyertalk.com/forum/hilto...thread-28.html

That's not at all what I wanted to hear.... Thanks for your response. Do you know if the program has been recently offering challenges to re-activate some expired points or is that a thing of the past?

BrlDsguise Aug 25, 2016 10:42 am


Originally Posted by fishee (Post 27115780)
That's not at all what I wanted to hear.... Thanks for your response. Do you know if the program has been recently offering challenges to re-activate some expired points or is that a thing of the past?

If you look at the FAQ thread (stickied near the top) there is a link to the "Help my points have expired" thread.

fishee Sep 9, 2016 11:16 am


Originally Posted by fishee (Post 27115645)
Husband's account was at around 1.5 million points last Oct and he recalls buying points in 2015.

I'm looking at 0 points in his account right now (everything is 0) and I can't tell if we let them expire in the past few months or if it's a glitch.

Does the points activity screen normally show activity beyond a year -- would it show he purchased points in early 2015? Or does the screen normally only show activity in the past 12 months?

Thanks for your replies! I just wanted to update that a phone call clarified that his points had expired 3 weeks prior and they let him buy some points to reinstate all his points. Huge relief, thanks!

jcao Feb 21, 2017 2:14 am

[Advice] HHonors Account was Hacked and Closed
 
I don't know where else I can get help on this issue. I have tried to contact Hilton Customer Service for almost 3 months, but it's getting nowhere.

My account was hacked in October. They changed my email and everything on my account. I didn't know that my account was hacked until the end of November when I tried to redeem an award stay. Customer service told me to contact Hilton Loss Prevention.

I emailed Hilton Loss Prevention on December 1st, 2016. I received no response from them even though they said within 7-10 business days. I contacted Hilton Customer Service again on January 12th and they created a special message for Loss Prevention.

Loss Prevention finally replied and said that I sold hotel stays/reservations to guests on a website, which I never did! My account was hacked and the hacker used my account for this suspicious activity.

I contacted Hilton again on January 19th to ask what the Loss Prevention team can do to restore my account. No email follow-up at all. I called again on February 13th, and they said Loss Prevention will not assist further with the investigation and it's closed, period.

I had 150,000+ Hilton points in the account and Hilton wouldn't investigate the issue. I have 2 credit cards (Citi and Amex) linked to the HHonors account. Almost 3 months of calling Hilton. What should I do at this point?


Timeline
Oct. 21st - An email notification that account email has been changed

Nov. 30th - tried to book a stay, but customer service couldn't find the account

Dec. 1st - Called Hilton Customer Service, informed account is closed. Told to contact Loss Prevention. I emailed Loss Prevention on the same day
Dec. 15th - After 10 business days, I sent a reminder to Loss Prevention
Jan. 11th - No responses after 30+ days, I called Hilton and they sent a message to Loss Prevention
Jan. 12th - finally received an email from Loss Prevention stating that my account was closed due to suspicious activity
Jan. 27 - Called Hilton again to see what Loss Prevention can do to restore my account
Feb. 13 - Called Hilton again, and this time they said Loss Prevention wrote in the message to refer to the email that was sent out on Jan 12.

ceebee100 Feb 21, 2017 3:11 am

Sorry about your loss of points, but the first question that you will be asked by others is why did it take you almost 6 weeks to contact them after you received an email notification that your email address has been changed knowing that you did not make such a change? If you had immediately contacted them and said that you didn't make the change, things would probably have worked out much better for you in the end.
As it stands now, I don't see any other recourse for you. Loss prevention has closed your account for good and refuses to even consider reopening it. Maybe someone else has an idea that may help you.

Orange.Man Feb 21, 2017 3:17 am


Originally Posted by ceebee100 (Post 27937293)
Loss prevention has closed your account for good and refuses to even consider reopening it. Maybe someone else has an idea that may help you.

To be fair, going off another recent thread here about loss prevention that isn't the be all and end all of the game.

You could consider going above loss prevention to the top and seeing what the bosses can do about it.

arlflyer Feb 21, 2017 5:16 am


Originally Posted by ceebee100 (Post 27937293)
Sorry about your loss of points, but the first question that you will be asked by others is why did it take you almost 6 weeks to contact them after you received an email notification that your email address has been changed knowing that you did not make such a change? If you had immediately contacted them and said that you didn't make the change, things would probably have worked out much better for you in the end.

Exactly, and this isn't garden-variety victim-blaming. It would take a pretty large feat of good will for them to believe that you weren't complicit in the matter, given that you didn't pursue any recourse when the event actually happened, even after they gave you notice - which you acknowledge receiving.

ozstamps Feb 21, 2017 6:59 am

New member, no location shown, strange and pretty implausible story.

Let me run it thru www.snopes.com!

craz Feb 21, 2017 9:02 am


Originally Posted by ceebee100 (Post 27937293)
Sorry about your loss of points, but the first question that you will be asked by others is why did it take you almost 6 weeks to contact them after you received an email notification that your email address has been changed knowing that you did not make such a change? If you had immediately contacted them and said that you didn't make the change, things would probably have worked out much better for you in the end.
As it stands now, I don't see any other recourse for you. Loss prevention has closed your account for good and refuses to even consider reopening it. Maybe someone else has an idea that may help you.

+1, not contacting them after getting their email will be the knife in the OP's back. The OP can try going up the ladder, but if the pts were earned from the CCs and not stays then I doubt HH will be willing to do anything. If the OP had Diamond or Gold from stays then maybe a bone will be thrown their way. Too much info not supplied to make a qualified guess.

jcao Feb 21, 2017 9:18 pm


Originally Posted by ceebee100 (Post 27937293)
Sorry about your loss of points, but the first question that you will be asked by others is why did it take you almost 6 weeks to contact them after you received an email notification that your email address has been changed knowing that you did not make such a change? If you had immediately contacted them and said that you didn't make the change, things would probably have worked out much better for you in the end.
As it stands now, I don't see any other recourse for you. Loss prevention has closed your account for good and refuses to even consider reopening it. Maybe someone else has an idea that may help you.


I didn't find out about the email until I found the notification in December. It wasn't that I discovered the email in October and did nothing about it for 6 weeks.

Loss Prevention should have all the logs and activities of the account. Couldn't Loss Prevention look at the activity and make a reasonable judgment that the account was hacked?


Originally Posted by ozstamps (Post 27937828)
New member, no location shown, strange and pretty implausible story.

Let me run it thru www.snopes.com!

Sorry, but this comment contributes nothing. But I understand you're skeptical because of my profile. Some people would just create a new profile to make up a story or troll.

craigthemif Feb 22, 2017 6:34 am


Originally Posted by jcao (Post 27941314)

Loss Prevention should have all the logs and activities of the account. Couldn't Loss Prevention look at the activity and make a reasonable judgment that the account was hacked?

What do you expect log-in activity to say? Log-ins from different parts of the world? Many Honors members travel frequently and legitimately use VPNs, same as the criminals. They probably also get millions of brute force log-in requests daily, so digging through that to find one Honors member is unlikely to be productive.

You also don't mention whether you are a long-time member with lots of stays over the years, or whether you only accumulated points through recent credit card churning and didn't even get around to spending the points on yourself. All of these things help paint a picture of whether you are a regular guest who just got hacked, or whether you are somebody who Honors doesn't mind having as an ex-member.

And, for what it's worth, Flyertalk tends to be much more sympathetic towards frequent, long-time posters as opposed to people whose first post is a complaint against a company. There are dozens of sign-ups whose first and only post is to rant about something.

jeffandnicole Feb 22, 2017 7:51 am


Originally Posted by jcao (Post 27941314)
I didn't find out about the email until I found the notification in December. It wasn't that I discovered the email in October and did nothing about it for 6 weeks.

Loss Prevention should have all the logs and activities of the account. Couldn't Loss Prevention look at the activity and make a reasonable judgment that the account was hacked?

How do you know what the hacker did to access your profile? If your login and security info is easy to guess, they could've simply gotten into your account after one or two attempts. That sort of activity wouldn't indicate anything unusual.

If you didn't log in for several weeks, yet the other person logged in several times from the same system/phone/IP address, it would make it appear that YOUR login was the one that is unusual, and you could be the hacker!

nedyah700 Jun 26, 2017 3:34 pm

HHonors Account Hacked and Miles Stolen
 
Woke up this morning to an email that I had transferred all but 9,000 of my points to someone else's HHonors account. They must have gotten my username / password somehow. I am pretty on the ball when it comes to online security so I'm a bit concerned. Diamond desk rep said it would take 7-10 business days to get the points back. :confused:

birdiedouble Jun 27, 2017 5:21 am


Originally Posted by nedyah700 (Post 28489241)
Woke up this morning to an email that I had transferred all but 9,000 of my points to someone else's HHonors account. They must have gotten my username / password somehow. I am pretty on the ball when it comes to online security so I'm a bit concerned. Diamond desk rep said it would take 7-10 business days to get the points back. :confused:

It could also be a case of someone at Hilton fat fingering an HH# for a legitimate transfer for another customer. A couple of weeks ago I was on the phone with a rep for my credit union trying to set up an online id for an account I have with my mother. I gave her the login I wanted to use and she set it up, gave me a temp password and when I went to create a permanent password someone else's phone number came up in the profile. I questioned what the phone number was and she realized that she had set up the id on someone else's account. It's crazy that I was that close to logging into someone else's bank account.

BobH Jun 27, 2017 6:05 am


Originally Posted by ozstamps (Post 27937828)
New member, no location shown, strange and pretty implausible story.

Let me run it thru www.snopes.com!

I agree -- particularly because 150k points are only good for something like 3 to 5 free nights.

Bob H

