Consolidated "Hilton Honors Account Hacked" thread
After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.
In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login. This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries. SCARY. An email to Hilton's Privacy Department ([email protected]) has gone unanswered. |
Hilton should be shamed into changing their approach to account security!! I will certainly send an email to their privacy department - in fact, every person with a HHonors account might want to do the same.
Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information. Thank you anative for starting this thread. |
+1 to emailing. I sent my email off this morning. I have to think that they don't get too great a volume of emails so if we can make a high percentage of those emails about this issue over the next week, they will take notice. It can't be that difficult to change the log in procedure. Hell, I'd be even happier if they required both a password AND a pin.
|
Ooops, misread "PIN" for "password"
|
FYI: Also possible to login with username and 4-digit PIN.
|
Originally Posted by GoingGal
(Post 22722824)
...Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information..
I wrestle with this because I'm not crazy about handing my card over to be swiped every single time I check in either. As it is now they just use the one in my profile and I don't even take my card out of my wallet. I'm not sure where the greater danger lies. |
I also know based on my call that Hilton is not even encrypting the passwords being used when you setup a Username and Password combination. The rep that I spoke with was able to see my password on his screen.
This goes against the PCI standards that are supposed to be used for sites that collect and store credit card data. https://www.pcisecuritystandards.org...PCI_DSS_v3.pdf |
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.
I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional. |
Originally Posted by bamboola
(Post 22732298)
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.
I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional. |
Originally Posted by sdsearch
(Post 22732496)
Can't you change it to another card, though? Including changing it to a card that isn't valid (say, a used-up gift card?) but has a still-valid expiration date (for now)?
|
Originally Posted by bamboola
(Post 22732546)
I can add a card, but the old one still cannot be deleted.
|
Originally Posted by anative
(Post 22722174)
This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.
Originally Posted by anative
(Post 22730019)
I also know based on my call that Hilton is not even encrypting the passwords being used when you setup a Username and Password combination. The rep that I spoke with was able to see my password on his screen.
|
Originally Posted by GoingGal
(Post 22734418)
In order to delete the credit card info: Go to My Profile and select Personal Information. One of the items of Personal Information is Payment Methods and this is where the credit card info resides. All you need to do is click the box to the right of the word Delete in order to delete the CC info from your account. This works like a charm. Good luck.
|
Originally Posted by cjd
(Post 22735011)
This is what bamboola and I have tried to do, but the "delete" function won't work.
|
I too called the Diamond Desk to try and get my credit card removed from my profile. The person I spoke with tried and tried from her end, putting me on hold a number of times to get help, but also was never able to remove it. I'll try the trick of changing the expiration date next.
I really wish Hilton would take this issue more seriously and fix this security hole. |
It seems Hilton has some other serious security issues. I just got an email from Hilton about someone else's reservation! Or actually a "Your Requests Upon Arrival Order".
It came from [email protected] and includes this person's order for 2 Additional Down Filled Pillows at the Hilton Slussen in Stockholm. It has his name, his HHonors number and shows his tier as Gold. It also has his stay dates and confirmation number. I could cause this poor man a lot of trouble if I were a mischievous sort of person. I stayed at the Hilton Slussen back in January, but other than that, I have zero connection with this person and his reservation. How in the heck did Hilton send this to my email address? |
I'm bumping up this thread in the hope that our HHonorsRepresentative might be able to at the least pass our concerns along. I'll also PM Anthony with a link to this thread.
|
And since I've resurrected this issue, just wanted to add what my concern is -
I'm not worried about my credit card info because that's the one area where I'm protected. If there's ever a fraudulent charge on my AMEX or MC I'm not responsible for it, the credit card company will cover it. However, what would happen if someone got into my account and took my points? I have a considerable balance and consider it as I do my other assets. But what protection would HH provide if someone was able to either transfer the points out of my account, or use them themselves for an award reservation? |
That truly is the biggest concern. Someone taking all your points.
No one can get your CC info from the account since it's hashed when you put it in (not hashed per se but turned into ***...hashing is a whole other deal and really how you should store passwords...salted hashes, slow hash, etc). You can only see the last 4 digits. You can see the expiration too which isn't great either. |
Hilton HHonors account hacked--should account number be changed?
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure. Anyone have any similar experience? |
Originally Posted by card1953
(Post 23606246)
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure. Anyone have any similar experience? |
It can't hurt to change the number, but depending on what you know of the circumstances of the hack, it might be more or less worth the time and hassle for you.
|
Originally Posted by Baze
(Post 23607125)
Don't think you need to change the account number but definitely change you user name and password to get into the account.
When I go to the Hilton HHonors website I see it ask for:
Username or HHonors #
Password or PIN
In other words, if all you change is your username and password, but someone has your account number and PIN, they can still sign in with that! So it seems to me the most someone can do (without changing their account number) is to change their 4-digit PIN (as well as their username and password, if they have those). But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see. (Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.) |
Originally Posted by card1953
(Post 23606246)
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure. Anyone have any similar experience?
http://www.flyertalk.com/forum/hilto...la-lumpur.html
And on that thread you'll see I linked this thread, which unfortunately failed to prompt Hilton to rectify this situation: http://www.flyertalk.com/forum/hilto...-security.html
When is Hilton going to address their website security issues? How many people need to have their accounts hacked before something's done! (Your HH account number is easily "stolen": it appears on folios left in front of doors, it's on emails sent to easily hacked Yahoo accounts, etc. And with your account number in hand all a hacker then needs to do is figure out a mere 4-digit PIN.) |
Originally Posted by sdsearch
(Post 23610805)
Huh???
. . . But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see. (Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.) |
My Hilton HHonors account was also hacked on 9/29/14, and over 200,000 points were used for a merchandise purchase. I contacted guest services and the points were quickly returned to my account. Unfortunately, they also said that the account information should stay the same, because that would help the fraud protection department track down the culprit. Against my own best judgement, I agreed. Two days later, another 230,000 points are missing from my account. Guess it's time to spend another hour on the phone with guest services!
|
My HHonors account was hacked yesterday; they stole 84,000 points to buy merchandise. It's taking me a long time to get this fixed.
Anyone with an HHonors account, change your PIN asap!!! Looks like someone from Russia did it. |
Account temporarily closed by HHonors
Originally Posted by fridayskm
(Post 23613521)
My Hilton HHonors account was also hacked on 9/29/14, and over 200,000 points were used for a merchandise purchase. I contacted guest services and the points were quickly returned to my account. Unfortunately, they also said that the account information should stay the same, because that would help the fraud protection department track down the culprit. Against my own best judgement, I agreed. Two days later, another 230,000 points are missing from my account. Guess it's time to spend another hour on the phone with guest services!
Reading the last few posts it is clear that major HHonors account hacking is in progress. |
Originally Posted by controller1
(Post 23612836)
United still allows sign in with FF# and PIN. Wish they would get rid of the PIN.
|
same problem
My account was just hacked also... I logged in a few nights ago and noticed my account was missing some points (about 200k) but didn't see any transactions listed in account history, so I thought maybe it was a glitch. Logged in the next day and couldn't log in anymore... couldn't request a password, etc. So I called the HHonors help line; they just said to email Hilton loss prevention because my account was closed... Got an automated response saying in 7-10 days they will review my request...
What a pain in the ...... Hilton obviously has some security issues... I'm glad I wasn't trying to book a vacation right now, I'd probably be screwed... I'm hoping I get all my points and account back... The person on the HHonors help line didn't sound surprised at all, wondering if this is happening a ton |
Originally Posted by ChinaShrek
(Post 23616124)
Why all the hate for the simple 4-digit PIN? It's so much easier to remember one number for everything (including my ATM card) than all of these passwords that require lower case letters, capital letters, numbers, etc. I'll be happy when they can do retinal or fingerprint scans through my laptop.
Because a four-digit PIN can be cracked in seconds. There are only 10000 combinations. And passwords are not difficult if you do them right. It doesn't have to be a *random* combination, it can have meaning to you... |
Originally Posted by agehall
(Post 23616175)
Because a four digit PIN number can be cracked in seconds. There are only 10000 combinations.
I've seen other websites (certainly bank sites) where any attempt to log in incorrectly more than a few times resulted in a temporary lock-out. And that was even with passwords, not just 4-digit PINs. But does the Hilton HHonors site have this security feature? Or does it let someone (or some "bot") endlessly try every PIN possible? ... However: Even if the system locks you out after trying to log into one account several times with the wrong PIN, it may not lock you out if you try to log into zillions of different accounts (one time each). And statistically, if you try 10000 accounts with the same 4-digit PIN, one of them is likely to have that 4-digit PIN. So perhaps that's how the hack is working, not by guessing PINs, but by picking a PIN and guessing the account numbers that use that PIN? |
And there are 20 or so PINs that are often picked by customers. You search these only, and you'd get 10-20% success.
(Hint, choosing 1111 for a PIN is not a good idea!) |
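The three points made above (agehall's 10,000-combination PIN space, sdsearch's question of whether per-account lockout stops an attacker who tries one PIN against many account numbers, and Jaimito Cartero's observation that a handful of common PINs cover a large share of accounts) can be put together in a small simulation. The code below is an added example, not code from this thread or from Hilton; the login service, the 200 accounts, the lockout threshold of 5, the "every 7th account uses 1234" population and the 20-account alert threshold are all constructed assumptions. It shows that a lockout after five failures stops a sequential brute force of one account, that the same lockout does nothing against a "spray" of one PIN across every account, and that the spray is still detectable because one source fails against far more distinct accounts than any real customer would.

```python
"""Toy model of account-number + 4-digit-PIN login with per-account lockout.

Everything here is constructed for the example (no real accounts, no network).
"""
import random
from collections import defaultdict

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # the whole key space: 10,000 PINs
LOCKOUT_THRESHOLD = 5        # assumed: consecutive failures before an account locks
SPRAY_ALERT_ACCOUNTS = 20    # assumed: distinct accounts failed by one source that trips an alert


class PinLoginService:
    """Assumed login service: account number + PIN, per-account lockout, auth log."""

    def __init__(self, pins):
        self.pins = dict(pins)                # account -> PIN (constructed data)
        self.failures = defaultdict(int)      # consecutive failures per account
        self.locked = set()
        self.log = []                         # (source, account, outcome)

    def login(self, source, account, pin):
        if account in self.locked:
            self.log.append((source, account, "locked"))
            return False
        if self.pins.get(account) == pin:
            self.failures[account] = 0
            self.log.append((source, account, "success"))
            return True
        self.failures[account] += 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked.add(account)
        self.log.append((source, account, "fail"))
        return False


def make_population(n_accounts=200, weak_pin="1234", seed=1):
    """Constructed accounts: every 7th account picked the weak PIN,
    the rest get a seeded random PIN that is not the weak one."""
    rng = random.Random(seed)
    pins = {}
    for i in range(n_accounts):
        acct = f"HH{i:06d}"
        if i % 7 == 0:
            pins[acct] = weak_pin
        else:
            pin = weak_pin
            while pin == weak_pin:
                pin = rng.choice(PIN_SPACE)
            pins[acct] = pin
    return pins


def vertical_brute_force(svc, account, source="attacker"):
    """Try every PIN in order against one account. Returns (found, attempts)."""
    for attempts, pin in enumerate(PIN_SPACE, start=1):
        if svc.login(source, account, pin):
            return True, attempts
        if account in svc.locked:          # lockout ends the attack early
            return False, attempts
    return False, len(PIN_SPACE)


def horizontal_spray(svc, accounts, pin, source="attacker"):
    """One PIN, one attempt per account: per-account lockout never triggers.
    Returns the accounts the PIN opened."""
    return [a for a in accounts if svc.login(source, a, pin)]


def spraying_sources(log, threshold=SPRAY_ALERT_ACCOUNTS):
    """Detection: flag sources whose failures span many distinct accounts.
    A real customer fails on one or two of their own accounts, not dozens."""
    failed_accounts = defaultdict(set)
    for source, account, outcome in log:
        if outcome == "fail":
            failed_accounts[source].add(account)
    return sorted(s for s, accts in failed_accounts.items() if len(accts) >= threshold)


def demo():
    pins = make_population()
    svc = PinLoginService(pins)

    # A legitimate customer mistypes once, then signs in (HH000014 uses 1234).
    svc.login("home-ip", "HH000014", "1111")
    svc.login("home-ip", "HH000014", pins["HH000014"])

    # 1. Sequential brute force of one account: locked after 5 guesses.
    found, attempts = vertical_brute_force(svc, "HH000007")

    # 2. Spray one common PIN across all accounts: lockout never fires.
    opened = horizontal_spray(svc, list(pins), "1234")

    # 3. The sprayer still stands out by the number of distinct accounts it failed.
    flagged = spraying_sources(svc.log)
    return {"bf_found": found, "bf_attempts": attempts,
            "spray_hits": len(opened), "flagged": flagged}


if __name__ == "__main__":
    print(demo())
```

With the constructed population, the brute force is stopped at 5 attempts, the spray of "1234" opens 28 accounts (the 29 weak-PIN accounts minus the one already locked by the brute force) without ever tripping lockout, and only the "attacker" source exceeds the distinct-account failure threshold. The practical lesson for a site that allows account-number + PIN login is that a per-account lockout is necessary but not sufficient; it needs per-source and per-PIN rate limits, and the alerting needs to key on failures across accounts, not just within one.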
Also hacked
My account has just been hacked also.
734085 points taken for cameras - not impressed. :mad: |
Mine too!
somebody just used 81K for headphones!
|