FlyerTalk Forums

Consolidated "Hilton Honors Account Hacked" thread (https://www.flyertalk.com/forum/hilton-hilton-honors/1570071-consolidated-hilton-honors-account-hacked-thread.html)

fscher Jun 27, 2017 4:22 pm

Hacked - points withdrawn
 
I am so frustrated. Knew you guys would understand. Over 100k points withdrawn in three transactions in one day. They changed my email and phone number under profile. I now have a case number, but they won't have any answers for several days. I discovered it when I logged in to book a stay at the beach.

nullchain Jun 27, 2017 7:36 pm

Sorry to hear about your experience, particularly with an expectation to book. :(

One point to consider to minimize the chances of this happening again is to ensure the machines you use to log into your account have up to date internet security suites (typically anti-virus plus anti-malware plus extras). In addition, also consider the "strength" of your password - is it something that is fairly easy to figure out from the perspective of a hacker with bad intentions? Finally, always be wary of someone trying to trick you into giving up your credentials by spoofing a fake Hilton email or website.

jeffandnicole Jun 28, 2017 7:09 am


Originally Posted by fscher (Post 28493484)
I am so frustrated. Knew you guys would understand. Over 100k points withdrawn in three transactions in one day. They changed my email and phone number under profile. I now have a case number, but they won't have any answers for several days. I discovered it when I logged in to book a stay at the beach.

BTW, loved the signature fscher! Did you see the news report the other day regarding the meth lab and golf cart chop shop ring that was broken up at the Villages? Those retirees know how to live it up down there!! Haha

Kpoxa Jul 9, 2017 6:20 am

Woke up yesterday morning to find a message that my HHonors email was changed at 2AM. Logged in to my account and, surely enough, my points balance decreased by 233,000 but no new activities were listed yet. Called customer service and they opened up 2 tickets (apparently there were 2 separate points.com transfers). I was told that someone will get in touch with me within 2-3 days. We'll see what happens.

It's strange that my password has not been changed and not all available points have been transferred out. I am wondering if this might be an inside job.

retiredfromhilton Jul 21, 2017 8:38 am


Originally Posted by Kpoxa (Post 28537796)
Woke up yesterday morning to find a message that my HHonors email was changed at 2AM. Logged in to my account and, surely enough, my points balance decreased by 233,000 but no new activities were listed yet. Called customer service and they opened up 2 tickets (apparently there were 2 separate points.com transfers). I was told that someone will get in touch with me within 2-3 days. We'll see what happens.

It's strange that my password has not been changed and not all available points have been transferred out. I am wondering if this might be an inside job.

Your password is not needed to gain access to your Honors account and the points in it. Anybody who can call and give your name, plus two of: your phone number, your email or your Honors account, can do what they want with your account.

The bad guys are doing their happy dance at the prospect that soon Honors points will be able to be used for anything on amazon.com and there do not appear to be any plans to make security on Honors accounts any more robust.

rhoman Jul 25, 2017 7:57 am

Not sure if this is still happening to ppl. But looks like my account got hacked last night and they transferred 51K to points.com. Have a case open with their fraud dept.

gauntlet3h Jul 25, 2017 9:44 pm

960K Hilton honors points hacked
 
Today while at work I got spammed with emails from Hilton all in a matter of minutes.

"Your Hilton Honors Points Redemption has been confirmed"

There were 10 emails in total. 9 of them my total points balance went down by 100K and the last one 60K leaving me with a little over 1K points left.

I immediately called the number in the email. "Your privacy is important to us, if you did not authorize the point redemption on your account or any changes during the transaction, please contact Hilton Honors at 1-800-446-6677 to speak with a customer service representative."

After about 40 minutes of being juggled between reps explaining my situation, being put on hold, explaining it again. They tell me they created a case with the fraud department and have it as high priority and that the fraud department would contact me shortly.

I looked everywhere on my Hilton account to see where they spent the points. I checked the shopping affiliation to see if they redeemed it for merchandise or gift cards and nothing. I changed most of my profile credentials when I stumbled upon a change to my account that I didn't make. I noticed that there was a foreign airline partner added to the preferences section with a member number that I did not recognize. That's when I realized that they transferred the points to their airline flyer program in increments of 100K since that is the max Hilton lets you transfer per transaction.

I immediately call Hilton back to share with them my discovery in hopes that they can easily reverse or cancel the points transfer. There also is a disclaimer when transferring points to a partner that it can take up to 30 days. The Hilton agent looked into my account and let me know that there is a fraud case open and that it could take 5-7 business days!

I also called the partner airline and let them know that someone accessed my Hilton account unauthorized and transferred my points to their airline program. Wow were they helpful and did they show EMPATHY! I was sad to see how little empathy Hilton customer reps showed a loyal Diamond member of 5 years and were just waiting for their shift to get over. The partner airline told me that the account I gave them is currently locked. She could not see what time or when it got locked but it made me a little bit more at ease knowing that whoever stole my points wasn't going to gain from them.

The purpose of my post is to see if any other Hilton members have had their accounts breached and if they got their points back from Hilton. I am still in disbelief that I could lose 960K points that I accumulated for the past 5 years saving it up for my honeymoon early next year!

Canarsie Jul 25, 2017 10:10 pm

I would not worry about it.

I have been the target of fraud in other frequent guest loyalty programs and have never had an issue with having all of my points recovered.

You have already reported it; and Hilton Honors is on the case.

eponymous_coward Jul 25, 2017 10:33 pm


Originally Posted by gauntlet3h (Post 28608093)
The purpose of my post is to see if any other Hilton members have had their accounts breached and if they got their points back from Hilton. I am still in disbelief that I could lose 960K points that I accumulated for the past 5 years saving it up for my honeymoon early next year!

http://www.flyertalk.com/forum/hilto...ct-2014-a.html

chistery Jul 26, 2017 7:01 am


Originally Posted by gauntlet3h (Post 28608093)
I immediately called the number in the email. "Your privacy is important to us, if you did not authorize the point redemption on your account or any changes during the transaction, please contact Hilton Honors at 1-800-446-6677 to speak with a customer service representative."

Never call numbers given to you in emails, always get it from another source.

Need Jul 26, 2017 8:13 am


Originally Posted by chistery (Post 28609519)
Never call numbers given to you in emails, always get it from another source.

Yes that. But in this case, the number was 1-800-HHONORS so I think it is okay. :)

BTW, I didn't know you could transfer HH points to airlines. :p Must be horrible ratio since I have never read about anyone doing it...

rhoman Jul 26, 2017 12:44 pm

Yeah I got hacked on Monday. I only lost 51K points. I changed my password and have a case open with the fraud dept too. Based on reading through the thread of other cases, I assume we will get issued new membership # and get our points back... hopefully.

Canarsie Jul 26, 2017 12:48 pm


Originally Posted by rhoman (Post 28611052)
Yeah I got hacked on Monday. I only lost 51K points. I changed my password and have a case open with the fraud dept too. Based on reading through the thread of other cases, I assume we will get issued new membership # and get our points back... hopefully.

What will more likely happen is that you will keep your membership number; and you will be required to change your password to better protect the Hilton Honors points which will have been redeposited into your account.

Originally Posted by eponymous_coward (Post 28608259)

This discussion will be given a little more time on its own before being merged with the other discussion.

serpens Jul 26, 2017 1:03 pm


Originally Posted by chistery (Post 28609519)
Never call numbers given to you in emails, always get it from another source.

Generally, this is good advice, but what do you do if the number is not available from another source? For example, if the OP had been instructed to call a Fraud Line at an unpublished number at Hilton, what should he or she have done?

Canarsie Jul 26, 2017 1:34 pm


Originally Posted by serpens (Post 28611167)
Generally, this is good advice, but what do you do if the number is not available from another source? For example, if the OP had been instructed to call a Fraud Line at an unpublished number at Hilton, what should he or she have done?

Call any published telephone number for Hilton and have the representative on the other end transfer you to the appropriate department...

...or contact HonorsRepresentative via private message here at FlyerTalk.

gauntlet3h Jul 26, 2017 1:37 pm

Thanks for all the feedback and great responses. I really appreciate it.

The password that I had was not an easy one and was 10+ characters long. My new one is a lot longer now.

Still waiting for the fraud department to contact me. I'm guessing I would hear from them near the end of the week/early next week.

serpens Jul 26, 2017 6:55 pm


Originally Posted by Canarsie (Post 28611369)
Call any published telephone number for Hilton and have the representative on the other end transfer you to the appropriate department...

My experience does not include Hilton, but in my experience, one part of a large organization might have no idea what the number is for another part of the large organization. Also in my experience, one part of the large organization might be unwilling to connect a caller to another part of the large organization.


Originally Posted by Canarsie (Post 28611369)
...or contact HonorsRepresentative via private message here at FlyerTalk.

If I had learned that almost a million points had disappeared from my account, I would not want to wait for someone to respond to a private message. I'm not saying that waiting isn't the smarter course of action, but I would want to be doing something immediately.

Canarsie Jul 26, 2017 9:23 pm


Originally Posted by serpens (Post 28612663)
My experience does not include Hilton, but in my experience, one part of a large organization might have no idea what the number is for another part of the large organization. Also in my experience, one part of the large organization might be unwilling to connect a caller to another part of the large organization.

If I had learned that almost a million points had disappeared from my account, I would not want to wait for someone to respond to a private message. I'm not saying that waiting isn't the smarter course of action, but I would want to be doing something immediately.

I am more than happy for myself and other FlyerTalk members to learn of the alternative methods which you would advise instead of — or in addition to — the ones I suggested...

...but what I can tell you is that what I suggested is based on my own personal experience and has worked for me.

RogerD408 Jul 27, 2017 7:00 am


Originally Posted by serpens (Post 28612663)
My experience does not include Hilton, but in my experience, one part of a large organization might have no idea what the number is for another part of the large organization. Also in my experience, one part of the large organization might be unwilling to connect a caller to another part of the large organization.



If I had learned that almost a million points had disappeared from my account, I would not want to wait for someone to respond to a private message. I'm not saying that waiting isn't the smarter course of action, but I would want to be doing something immediately.

With all the outsourcing and offshoring of support lines, this is a bigger problem than it should be. But blindly calling a number provided in an email is fraught with hazards. Just like clicking a link in the email, you have to look closely to see if it takes you to the site it says it is. And you have to watch for phony sites like www.hilton.tv instead of www.hilton.com.

Granted in this case the vanity number is pretty safe. But if you can't find the number on their public website or calling the main number doesn't work, then Google the number given to see if it's been reported online.

serpens Jul 27, 2017 7:00 am

Canarsie, I believe your advice is spot-on, and I have no better alternatives to offer. On the other hand, I believe your advice would not work in all situations, due to disinterested or dysfunctional organizations. I also noted that I might, in a situation where a large number of points disappeared, panic and take some action, even if that action might turn out to be against my interest, and I would not be surprised if others might act similarly.

Canarsie Jul 27, 2017 10:09 am


Originally Posted by serpens (Post 28614387)
Canarsie, I believe your advice is spot-on, and I have no better alternatives to offer. On the other hand, I believe your advice would not work in all situations, due to disinterested or dysfunctional organizations. I also noted that I might, in a situation where a large number of points disappeared, panic and take some action, even if that action might turn out to be against my interest, and I would not be surprised if others might act similarly.

I never did say that the advice I offered is foolproof and will work 100 percent of the time; but based on my experience, it is significantly better than the alternative...

...and my initial thought is that if a company is so disinterested or dysfunctional to the point that it is more of a disadvantage than a benefit to me, I might perhaps reconsider conducting business with that company if I have other options available to me.

Fortunately — by my experience, anyway — Hilton is not one of those companies...

RogerD408 Jul 27, 2017 10:21 am


Originally Posted by serpens (Post 28614387)
Canarsie, I believe your advice is spot-on, and I have no better alternatives to offer. On the other hand, I believe your advice would not work in all situations, due to disinterested or dysfunctional organizations. I also noted that I might, in a situation where a large number of points disappeared, panic and take some action, even if that action might turn out to be against my interest, and I would not be surprised if others might act similarly.

My guess (hope) is that you got a disinterested agent. Some companies do hide their internal groups, like security, from the customer. This leaves us to deal with someone that has no say in what the other group does or when, and if they have no means to access them or put you in touch with them it's bad. If you were able to reach out to the agent working your case, I'd bet your experience would be much better.

Yes, the sooner you report the issue the easier it would be to track down the culprit, but so far, all reports I've read have resulted in the points being returned. If you have a need to use those points soon, you may have problems getting them to advance what is expected to be returned, but worth asking.

gauntlet3h Jul 27, 2017 1:13 pm


Originally Posted by RogerD408 (Post 28615163)
My guess (hope) is that you got a disinterested agent. Some companies do hide their internal groups, like security, from the customer. This leaves us to deal with someone that has no say in what the other group does or when, and if they have no means to access them or put you in touch with them it's bad. If you were able to reach out to the agent working your case, I'd bet your experience would be much better.

Yes, the sooner you report the issue the easier it would be to track down the culprit, but so far, all reports I've read have resulted in the points being returned. If you have a need to use those points soon, you may have problems getting them to advance what is expected to be returned, but worth asking.

I agree with you Roger on the point of if we were connected to the security or fraud department things would go a lot smoother. Also I've read a lot of stories of people losing hundreds of thousands of points at a time similar to me. Similar to credit card companies we need to see hotels/airline companies call the customer to confirm abnormal activity on their account such as spending large amounts of digital assets in a matter of minutes. There seems to be safeguards around payments but there are no safety guards around loyalty program digital assets.

Loyalty programs are membership benefits being adapted and built up more by many companies for their loyal customers and early adopters of these programs have large amounts of credit that is being targeted by cyber criminals. I hope to see more safeguards around these programs to protect the digital assets of their members.

NOLAnwGOLD Jul 31, 2017 1:02 am

Account Hacked! 58k points transferred
 
So has anyone had their Hilton account broken into? I got an email saying that I had transferred 58k points to another account which I didn't. I've called to report it and a case was started (though I didn't get the follow up email yet for the affidavit). Anyone know how long it takes to get your points back? I was looking to use them and now it's all gone (hopefully for now)!

Miesque Jul 31, 2017 11:26 am

There really does seem to be an uptick again of hacked accounts, every time I see a new thread I go and check my account. Makes me think I need to spend some points...

RogerD408 Jul 31, 2017 11:32 am


Originally Posted by NOLAnwGOLD (Post 28628480)
So has anyone had their Hilton account broken into? I got an email saying that I had transferred 58k points to another account which I didn't. I've called to report it and a case was started (though I didn't get the follow up email yet for the affidavit). Anyone know how long it takes to get your points back? I was looking to use them and now it's all gone (hopefully for now)!

Although it's quite common for the desire to spend when you don't have, if you have travel plans in the near term, let HH know and they may be willing to restore your points quicker than later, or front you the needed points. It doesn't hurt to ask, but be ready to make solid plans and not just a ploy to get the points now.

gauntlet3h Jul 31, 2017 11:33 am

I had 960K points hacked last week on the 25th and just like you they did the points transfer to an airline. On Friday Hilton restored my points and gave me a new HHonors account number. So it took me 72 hours.

gauntlet3h Jul 31, 2017 11:34 am

Just an update:

I got my 960K points restored to a new HHonors account number. The whole process took 72 hours. Very pleased with the results.

serpens Jul 31, 2017 12:01 pm

I'm glad this bad situation had a good outcome, gauntlet3h.

retiredfromhilton Aug 1, 2017 4:47 am


Originally Posted by Miesque (Post 28630302)
There really does seem to be an uptick again of hacked accounts, every time I see a new thread I go and check my account. Makes me think I need to spend some points...


Information from more than a dozen people in Hilton Honors Customer Care, the Diamond Desk and Guest Assistance indicates that there has been a substantial uptick in theft of points over the past couple of weeks and that the fraud was in most cases carried out through points.com. Hilton seems to be following their usual procedure of looking into the cases and refunding the points within two weeks. However, no word at all from the company of the extent of the fraud.

Neither have they made any public mention of it, or what members who escaped harm this time might do to protect themselves from an attack using the same method or something similar. I understand they've asked people who had points stolen to change the preferred email address on their account. There also does not appear to be any movement toward enhancing security on Honors accounts beyond the current requirement of an online password, or, in the case of phone contact, verifying the member's name plus two of their email address, phone number or Honors account number.

Miesque Aug 1, 2017 7:24 am

I just noticed Delta.com has a new advisory alert on front page this morning -

Advisory! - Protect Your Data

Which leads me to believe there is a similar recurrence over at Delta with redemptions.

retiredfromhilton Aug 1, 2017 9:12 am


Originally Posted by Miesque (Post 28630302)
There really does seem to be an uptick again of hacked accounts, every time I see a new thread I go and check my account. Makes me think I need to spend some points...

Two further updates from reps at Hilton:

1) The points.com route for the recent theft of points appears to be combined with or in addition to an exploit of the new points pooling function. Multiple target Honors accounts are set to share points with [what is probably] a perpetrator's account from which the points are then redeemed.

2) Hilton announced to their reps today that the tie up with Amazon that will allow Honors points to be used on Amazon is now delayed indefinitely. I think it no coincidence. It appears likely that the recent wave of thefts was a test run and that a much larger exploit would be unleashed once the stolen points could be used on Amazon.

Miesque Aug 1, 2017 9:55 am


Originally Posted by retiredfromhilton (Post 28634172)
Two further updates from reps at Hilton:

1) The points.com route for the recent theft of points appears to be combined with or in addition to an exploit of the new points pooling function. Multiple target Honors accounts are set to share points with [what is probably] a perpetrator's account from which the points are then redeemed.

2) Hilton announced to their reps today that the tie up with Amazon that will allow Honors points to be used on Amazon is now delayed indefinitely. I think it no coincidence. It appears likely that the recent wave of thefts was a test run and that a much larger exploit would be unleashed once the stolen points could be used on Amazon.

Thanks for the info. I personally think that if they restricted redemption to actual Hilton related items like stays or even meals at properties, there would be a severe reduction in these point thefts.

RogerD408 Aug 1, 2017 10:00 am


Originally Posted by retiredfromhilton (Post 28633297)
Information from more than a dozen people in Hilton Honors Customer Care, the Diamond Desk and Guest Assistance indicates that there has been a substantial uptick in theft of points over the past couple of weeks and that the fraud was in most cases carried out through points.com. Hilton seems to be following their usual procedure of looking into the cases and refunding the points within two weeks. However, no word at all from the company of the extent of the fraud.

Neither have they made any public mention of it, or what members who escaped harm this time might do to protect themselves from an attack using the same method or something similar. I understand they've asked people who had points stolen to change the preferred email address on their account. There also does not appear to be any movement toward enhancing security on Honors accounts beyond the current requirement of an online password, or, in the case of phone contact, verifying the member's name plus two of their email address, phone number or Honors account number.

It's not wise for companies to publish how their systems were hacked. Even if they plug that one hole it leads people to believe they are lax in security and hackers will try other avenues. How they recover from the hacks tells how much they appreciate their customers. Some systems will take many weeks to research the situation and if they have the ability to point the finger at the customer being behind the loss, they will deny restoring the points.

With many sites now using an email address as the account name, it's not far fetched to think the user will use their email password for access. This causes a cascading failure should they get hacked. Personally, I use separate addresses for each account even if it's not the username so I can see who's feeding my address to spammers.

birdiedouble Aug 1, 2017 1:20 pm


Originally Posted by retiredfromhilton (Post 28633297)
Information from more than a dozen people in Hilton Honors Customer Care, the Diamond Desk and Guest Assistance indicates that there has been a substantial uptick in theft of points over the past couple of weeks and that the fraud was in most cases carried out through points.com. Hilton seems to be following their usual procedure of looking into the cases and refunding the points within two weeks. However, no word at all from the company of the extent of the fraud.

Neither have they made any public mention of it, or what members who escaped harm this time might do to protect themselves from an attack using the same method or something similar. I understand they've asked people who had points stolen to change the preferred email address on their account. There also does not appear to be any movement toward enhancing security on Honors accounts beyond the current requirement of an online password, or, in the case of phone contact, verifying the member's name plus two of their email address, phone number or Honors account number.

It would be pretty easy to come across one of these and find or figure out one of the other two. Seems pretty lax to me considering the value of points floating out there. On the website there is an option to pull up a res with the res# and last name. It's not working now and prompts you to log in to view/change.

retiredfromhilton Aug 1, 2017 3:12 pm


Originally Posted by RogerD408 (Post 28634396)
It's not wise for companies to publish how their systems were hacked. Even if they plug that one hole it leads people to believe they are lax in security and hackers will try other avenues. How they recover from the hacks tells how much they appreciate their customers. Some systems will take many weeks to research the situation and if they have the ability to point the finger at the customer being behind the loss, they will deny restoring the points.

With many sites now using an email address as the account name, it's not far fetched to think the user will use their email password for access. This causes a cascading failure should they get hacked. Personally, I use separate addresses for each account even if it's not the username so I can see who's feeding my address to spammers.


I wasn't suggesting a detailed explanation of the weakness that was exploited. Instead, a general notice that it appears some accounts were broken into and that members should check their accounts, change email addresses, etc. would be prudent. (In my opinion disclosure to clients that data or assets have been stolen really should be mandated by law.)

TonyG5003 Aug 3, 2017 6:59 am

Hilton Honors FRAUD - Points, Transfers, Pooling
 
A heads up...

I had fraudulent activity on my account overnight - siphoning about 30,000 points in 4 separate transfers. (Of course, I've reported this to Hilton.)

Mid-way thru the night, the fraud also involved an invitation to "Pool" my account with another - it said that I initiated the pooling "invite."

What's VERY interesting, is this activity occurred just barely 24 hours after I called Hilton to open a formal complaint about a specific Hampton property - and about a week after posting negative, but accurate and "constructive" reviews on Trip Advisor, Yelp, and Google.

I've not called Hilton to formally file a complaint in over 10 years - and 24 hours later, I have fraud? Strange coincidence - or rogue employee/manager?

Anyway... Hilton's terms say they're not responsible for replacing the points. However, the agent said it takes 10-14 days for the investigation to occur, and they will replace the points if fraudulent activity occurred.

I cannot find ANY information about rewards program fraud - other than the previous Hilton PIN number fraud a few years ago.

BEWARE

Kagehitokiri Aug 3, 2017 3:32 pm

was there fraud other than the pin fraud?

hgblues Aug 4, 2017 12:24 pm

My HHonors account was hacked last Thursday (over a week ago). Over 300k points transferred. Hilton sent an email at 5:30 in the morning to notify me of an email change (they had my phone number....). The agent said it would be resolved in 3 to 5 days, and my points would be put back. That was 8 days ago. 3 days ago when I called to check on the case, the agent told me to email HHfraud, which I did, with no response. Yesterday, the agent said their manager would contact me, which they have not. Today, I'm being told a "supervisor" will contact me within 24 hours...Not holding my breath....I've been a loyal Hilton guy for years, even though my coworkers try to switch me to Marriott.

Obviously, Hilton doesn't care. I wonder if American Express cares that they lose a member (hhonors Amex user), when I switch to Marriott and a Marriott Visa?...

Kagehitokiri Aug 4, 2017 3:00 pm

is this happening with any of the other hotel companies?

hgblues, if huge business spend on hilton amex, amex may help, there were reports on FT of amex helping get (other kinds of) resolution with loyalty programs


All times are GMT -6.