Consolidated "Hilton Honors Account Hacked" thread
 

After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.

In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login.

This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.

SCARY.

An email to Hilton's Privacy Department ([email protected]) has gone unanswered.

Hilton should be shamed into changing their approach to account security!! I will certainly send an email to their privacy department - in fact, every person with a HHonors account might want to do the same.

Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information.

Thank you anative for starting this thread.

+1 to emailing. I sent my email off this morning. I have to think that they don't get too great a volume of emails so if we can make a high percentage of those emails about this issue over the next week, they will take notice. It can't be that difficult to change the log in procedure. Hell, I'd be even happier if they required both a password AND a pin.

Ooops, misread "PIN" for "password"

FYI: Also possible to login with username and 4-digit PIN.

Good point.

I wrestle with this because I'm not crazy about handing my card over to be swiped every single time I check in either. As it is now they just use the one in my profile and I don't even take my card out of my wallet. I'm not sure where the greater danger lies.

I also know based on my call that Hilton is not even encrypting the passwords being used when you setup a Username and Password combination. The rep that I spoke with was able to see my password on his screen.

This goes against the PCI standards that are supposed to be used for sites that collect and store credit card data.

https://www.pcisecuritystandards.org...PCI_DSS_v3.pdf

I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.

Can't you change it to another card, though? Including changing it to a card that isn't valid (say, a used-up gift card?) but has a still-valid expiration date (for now)?

I can add a card, but the old one still cannot be deleted.

I managed to delete an active AMEX card and leave an unactive Visa card on file. I tried to delete this unactive card, but as mentioned above, the site would not let me. Doesn't really matter as the Visa card account has been closed due to some fraudulent activity some months ago (not related to Hilton.)

In order to delete the credit card info: Go to My Profile and selected Personal Information. One of the items of Personal Information is Payment Methods and this is where the credit card info resides. All you need to do is click the box to the right of the word Delete in order to delete the CC info from your account. This works like a charm. Good luck.

Did the "website person" tell you how many attempts in a certain period of time you get before they block the account?

That doesn't mean they aren't encrypting the passwords.

This is what bamboola and I have tried to do, but the "delete" function won't work.

Here's a work-around that I tried last night. I set the expiration date to April 2014 and got an error message. I then set the expiration date to May 2014 and managed to delete one of the two credit cards. I presume that after May 2014, I will be able to delete the other credit card.