FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Hilton | Hilton Honors (https://www.flyertalk.com/forum/hilton-hilton-honors-417/)
-   -   Consolidated "Hilton Honors Account Hacked" thread (https://www.flyertalk.com/forum/hilton-hilton-honors/1570071-consolidated-hilton-honors-account-hacked-thread.html)

anative Apr 17, 2014 7:13 pm

Consolidated "Hilton Honors Account Hacked" thread
 
After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.

In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login.

This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.

SCARY.

An email to Hilton's Privacy Department ([email protected]) has gone unanswered.

GoingGal Apr 17, 2014 10:35 pm

Hilton should be shamed into changing their approach to account security!! I will certainly send an email to their privacy department - in fact, every person with a HHonors account might want to do the same.

Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information.

Thank you anative for starting this thread.

ericgdukie44 Apr 18, 2014 9:27 am

+1 to emailing. I sent my email off this morning. I have to think that they don't get too great a volume of emails so if we can make a high percentage of those emails about this issue over the next week, they will take notice. It can't be that difficult to change the log in procedure. Hell, I'd be even happier if they required both a password AND a pin.

clarence5ybr Apr 18, 2014 9:30 am

Oops, misread "PIN" for "password".

IntFF Apr 18, 2014 10:02 am

FYI: Also possible to login with username and 4-digit PIN.

Westcoaster Apr 18, 2014 1:09 pm


Originally Posted by GoingGal (Post 22722824)
...Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information..

Good point.

I wrestle with this because I'm not crazy about handing my card over to be swiped every single time I check in either. As it is now they just use the one in my profile and I don't even take my card out of my wallet. I'm not sure where the greater danger lies.

anative Apr 19, 2014 4:39 pm

I also know based on my call that Hilton is not even encrypting the passwords being used when you set up a Username and Password combination. The rep that I spoke with was able to see my password on his screen.

This goes against the PCI standards that are supposed to be used for sites that collect and store credit card data.

https://www.pcisecuritystandards.org...PCI_DSS_v3.pdf

bamboola Apr 20, 2014 9:35 am

I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.

sdsearch Apr 20, 2014 10:28 am


Originally Posted by bamboola (Post 22732298)
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.

Can't you change it to another card, though? Including changing it to a card that isn't valid (say, a used-up gift card?) but has a still-valid expiration date (for now)?

bamboola Apr 20, 2014 10:42 am


Originally Posted by sdsearch (Post 22732496)
Can't you change it to another card, though? Including changing it to a card that isn't valid (say, a used-up gift card?) but has a still-valid expiration date (for now)?

I can add a card, but the old one still cannot be deleted.

cjd Apr 20, 2014 11:21 am


Originally Posted by bamboola (Post 22732546)
I can add a card, but the old one still cannot be deleted.

I managed to delete an active AMEX card and leave an inactive Visa card on file. I tried to delete this inactive card, but as mentioned above, the site would not let me. Doesn't really matter, as the Visa card account was closed due to some fraudulent activity some months ago (not related to Hilton).

GoingGal Apr 20, 2014 8:56 pm


Originally Posted by bamboola (Post 22732298)
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.

In order to delete the credit card info: Go to My Profile and select Personal Information. One of the items of Personal Information is Payment Methods, and this is where the credit card info resides. All you need to do is click the box to the right of the word Delete in order to delete the CC info from your account. This works like a charm. Good luck.

OverThereTooMuch Apr 20, 2014 9:18 pm


Originally Posted by anative (Post 22722174)
This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.

Did the "website person" tell you how many attempts in a certain period of time you get before they block the account?


Originally Posted by anative (Post 22730019)
I also know based on my call that Hilton is not even encrypting the passwords being used when you setup a Username and Password combination. The rep that I spoke with was able to see my password on his screen.

That doesn't mean they aren't encrypting the passwords.

cjd Apr 21, 2014 1:10 am


Originally Posted by GoingGal (Post 22734418)
In order to delete the credit card info: Go to My Profile and select Personal Information. One of the items of Personal Information is Payment Methods, and this is where the credit card info resides. All you need to do is click the box to the right of the word Delete in order to delete the CC info from your account. This works like a charm. Good luck.

This is what bamboola and I have tried to do, but the "delete" function won't work.

bamboola Apr 21, 2014 7:02 am


Originally Posted by cjd (Post 22735011)
This is what bamboola and I have tried to do, but the "delete" function won't work.

Here's a work-around that I tried last night. I set the expiration date to April 2014 and got an error message. I then set the expiration date to May 2014 and managed to delete one of the two credit cards. I presume that after May 2014, I will be able to delete the other credit card.

anative Apr 28, 2014 3:58 am

I too called the Diamond Desk to try and get my credit card removed from my profile. The person I spoke with tried and tried from her end, putting me on hold a number of times to get help, but was also never able to remove it. I'll try the trick of changing the expiration date next.

I really wish Hilton would take this issue more seriously and fix this security hole.

stimpy May 25, 2014 12:34 am

It seems Hilton has some other serious security issues. I just got an email from Hilton about someone else's reservation! Or actually a "Your Requests Upon Arrival Order".

It came from [email protected] and includes this person's order for 2 Additional Down Filled Pillows at the Hilton Slussen in Stockholm. It has his name, his HHonors number and shows his tier as Gold. It also has his stay dates and confirmation number. I could cause this poor man a lot of trouble if I were a mischievous sort of person.

I stayed at the Hilton Slussen back in January, but other than that, I have zero connection with this person and his reservation. How in the heck did Hilton send this to my email address?

JBD Jul 8, 2014 4:06 pm

I'm bumping up this thread in the hope that our HHonorsRepresentative might be able to at the least pass our concerns along. I'll also PM Anthony with a link to this thread.

JBD Jul 8, 2014 4:25 pm

And since I've resurrected this issue, just wanted to add what my concern is -

I'm not worried about my credit card info because that's the one area where I'm protected. If there's ever a fraudulent charge on my AMEX or MC I'm not responsible for it, the credit card company will cover it.

However, what would happen if someone got into my account and took my points? I have a considerable balance and consider it as I do my other assets. But what protection would HH provide if someone was able to either transfer the points out of my account, or use them themselves for an award reservation?

HansGruber Jul 8, 2014 5:11 pm

That truly is the biggest concern. Someone taking all your points.

No one can get your CC info from the account since it's hashed when you put it in (not hashed per se but turned into ***...hashing is a whole other deal and really how you should store passwords...salted hashes, slow hash, etc). You can only see the last 4 digits. You can see the expiration too which isn't great either.

stimpy Jul 9, 2014 3:14 am


Originally Posted by stimpy (Post 22920719)
It seems Hilton has some other serious security issues. I just got an email from Hilton about someone else's reservation! Or actually a "Your Requests Upon Arrival Order".

It came from [email protected] and includes this person's order for 2 Additional Down Filled Pillows at the Hilton Slussen in Stockholm. It has his name, his HHonors number and shows his tier as Gold. It also has his stay dates and confirmation number. I could cause this poor man a lot of trouble if I were a mischievous sort of person.

I stayed at the Hilton Slussen back in January, but other than that, I have zero connection with this person and his reservation. How in the heck did Hilton send this to my email address?

It doesn't seem that Hilton cares. I'm still getting these emails. One guy who is Hilton Gold, has over 600,000 points. I have a lot of his information from these emails. Maybe I could call Hilton and book myself a nice week somewhere with his points?

Hilton Honors Ambassador Jul 9, 2014 12:09 pm


Originally Posted by JBD (Post 23165040)
I'm bumping up this thread in the hope that our HHonorsRepresentative might be able to at the least pass our concerns along. I'll also PM Anthony with a link to this thread.

I'm on it! Thanks everyone. Stay tuned.

card1953 Sep 30, 2014 4:47 pm

Hilton HHonors account hacked--should account number be changed?
 
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?

Baze Sep 30, 2014 8:53 pm


Originally Posted by card1953 (Post 23606246)
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?

Don't think you need to change the account number, but definitely change your user name and password to get into the account.

MSPeconomist Sep 30, 2014 9:07 pm

It can't hurt to change the number, but depending on what you know of the circumstances of the hack, it might be more or less worth the time and hassle for you.

sdsearch Oct 1, 2014 12:56 pm


Originally Posted by Baze (Post 23607125)
Don't think you need to change the account number, but definitely change your user name and password to get into the account.

Huh???

When I go to the Hilton HHonors website I see it ask for:
Username or HHonors #
Password or PIN
In other words, if all you change is your username and password, but someone has your account number and PIN, they can still sign in with that!

So it seems to me the most someone can do (without changing their account number) is to change their 4-digit PIN (as well as their username and password, if they have those).

But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see.

(Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.)

JBD Oct 1, 2014 1:48 pm


Originally Posted by card1953 (Post 23606246)
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?

For a similar experience see this thread:
http://www.flyertalk.com/forum/hilto...la-lumpur.html

And on that thread you'll see I linked this thread, which unfortunately failed to prompt Hilton to rectify this situation:
http://www.flyertalk.com/forum/hilto...-security.html

When is Hilton going to address their website security issues? How many people need to have their accounts hacked before something's done!

(Your HH account number is easily "stolen": it appears on folios left in front of doors, it's on emails sent to easily hacked yahoo accounts, etc. And with your account number in hand all a hacker then needs to do is figure out a mere 4 digit pin number.)

Baze Oct 1, 2014 7:11 pm


Originally Posted by sdsearch (Post 23610805)
Huh???

When I go to the Hilton HHonors website I see it ask for:
Username or HHonors #
Password or PIN
In other words, if all you change is your username and password, but someone has your account number and PIN, they can still sign in with that!

So it seems to me the most someone can do (without changing their account number) is to change their 4-digit PIN (as well as their username and password, if they have those).

But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see.

(Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.)

Excuse me, been so long since I used a pin to log into Hilton I forgot you could.

controller1 Oct 1, 2014 7:40 pm


Originally Posted by sdsearch (Post 23610805)
Huh???

. . .

But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see.

(Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.)

United still allows sign in with FF# and PIN. Wish they would get rid of the PIN.

fridayskm Oct 1, 2014 11:05 pm

My Hilton HHonors account was also hacked on 9/29/14, and over 200,000 points were used for a merchandise purchase. I contacted guest services and the points were quickly returned to my account. Unfortunately, they also said that the account information should stay the same, because that would help the fraud protection department track down the culprit. Against my own best judgement, I agreed. Two days later, another 230,000 points are missing from my account. Guess it's time to spend another hour on the phone with guest services!

mpaterso Oct 2, 2014 7:23 am

My HHonors account was hacked yesterday; they stole 84,000 points to buy merchandise. It's taking me a long time to get this fixed.

Anyone with an HHonors account, change your PIN asap!!!

Looks like someone from Russia did it.

card1953 Oct 2, 2014 10:39 am

Account temporarily closed by HHonors
 

Originally Posted by fridayskm (Post 23613521)
My Hilton HHonors account was also hacked on 9/29/14, and over 200,000 points were used for a merchandise purchase. I contacted guest services and the points were quickly returned to my account. Unfortunately, they also said that the account information should stay the same, because that would help the fraud protection department track down the culprit. Against my own best judgement, I agreed. Two days later, another 230,000 points are missing from my account. Guess it's time to spend another hour on the phone with guest services!

Yesterday I could no longer log in to my account with my account number and newly changed PIN. Today I called and I was told that: 1. HHonors had temporarily closed my account to prevent further fraud; 2. The stolen points (473,000) had still not been returned; 3. I should email the HHW loss prevention dept and find out if they were going to reopen the account or open a new account and transfer all the information.

Reading the last few posts it is clear that major HHonors account hacking is in progress.

ChinaShrek Oct 2, 2014 11:29 am


Originally Posted by controller1 (Post 23612836)
United still allows sign in with FF# and PIN. Wish they would get rid of the PIN.

Why all the hate for the simple 4-digit PIN? It's so much easier to remember one number for everything (including my ATM card) than all of these passwords that require lower case letters, capital letters, numbers, etc. I'll be happy when they can do retinal or fingerprint scans through my laptop.

ZackVLion Oct 2, 2014 11:38 am

same problem
 
My account was just hacked also... I logged in a few nights ago and noticed my account was missing some points (about 200k) but didn't see any transactions listed in account history, so I thought maybe it was a glitch. Logged in the next day and couldn't log in anymore... couldn't request password, etc. So I called the HHonors help line; they just said to email Hilton loss prevention because my account was closed... Got an automated response saying in 7-10 days they will review my request...

What a pain in the ...... Hilton obviously has some security issues...

I'm glad I wasn't trying to book a vacation right now, I'd be screwed probably... I'm hoping I get all my points and account back... The person on the HHonors help line didn't sound surprised at all; wondering if this is happening a ton.

agehall Oct 2, 2014 11:38 am


Originally Posted by ChinaShrek (Post 23616124)
Why all the hate for the simple 4-digit PIN? It's so much easier to remember one number for everything (including my ATM card) than all of these passwords that require lower case letters, capital letters, numbers, etc. I'll be happy when they can do retinal or fingerprint scans through my laptop.


Because a four digit PIN number can be cracked in seconds. There are only 10000 combinations.

And passwords are not difficult if you do them right. It doesn't have to be a *random* combination, it can have meaning to you...

sdsearch Oct 2, 2014 4:37 pm


Originally Posted by agehall (Post 23616175)
Because a four digit PIN number can be cracked in seconds. There are only 10000 combinations.

No, it can't be cracked in seconds if the system doesn't allow you to try to log in with the wrong PIN more than a few times in a row, before locking the account for some amount of time (24 hours, for example).

I've seen other websites (certainly bank sites) where any attempt to log in incorrectly more than a few times resulted in a temporary lock-out. And that was even with passwords, not just 4-digit PINs.

But does the Hilton HHonors site have this security feature? Or does it let someone (or some "bot") endlessly try every PIN possible?


... However: Even if the system locks you out after trying to log into one account several times with the wrong PIN, it may not lock you out if you try to log into zillions of different accounts (one time each). And statistically, if you try 10000 accounts with the same 4-digit PIN, one of them is likely to have that 4-digit PIN. So perhaps that's how the hack is working, not by guessing PINs, but by picking a PIN and guessing the account numbers that use that PIN?
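The distinction sdsearch draws above, between many PIN guesses against one account (which a per-account lockout stops) and one PIN guess against many account numbers (which it does not), is exactly what a defender's login monitoring has to cover. As an added example, not code from the thread or from Hilton, here is Python detection logic run over constructed login-log lines in an assumed format; it flags both patterns: the classic per-account lockout and a per-source "spray" check that counts distinct accounts a single source fails against.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real Hilton log):
#   <ISO timestamp>Z src=<client IP> account=<account number> result=OK|FAIL
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) account=(?P<acct>\d+) result=(?P<result>OK|FAIL)$"
)


def constructed_log():
    """Sample log lines: a legitimate user who mistypes twice, a brute force
    against one account, and a spray of one PIN guess across 30 accounts."""
    lines = [
        "2014-10-01T08:00:00Z src=192.0.2.10 account=123456789 result=FAIL",
        "2014-10-01T08:00:20Z src=192.0.2.10 account=123456789 result=FAIL",
        "2014-10-01T08:00:45Z src=192.0.2.10 account=123456789 result=OK",
    ]
    lines += [f"2014-10-01T09:00:{i:02d}Z src=198.51.100.9 account=111111111 result=FAIL"
              for i in range(6)]
    lines += [f"2014-10-01T10:00:{i:02d}Z src=203.0.113.7 account={500000000 + i} result=FAIL"
              for i in range(30)]
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, src, account, failed) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the assumed format are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["acct"], m["result"] == "FAIL"))
    return sorted(events)


def _flag(events, key_of, measure, threshold, window):
    """Sliding-window check over failed attempts: for each key (an account or a
    source IP) keep the failures inside `window`, apply `measure` to them and
    flag the key once the measure reaches `threshold`."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:
        if not ev[3]:  # only failures count
            continue
        key = ev_key = key_of(ev)
        q = recent[ev_key]
        q.append(ev)
        while ev[0] - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if measure(q) >= threshold:
            flagged.add(key)
    return flagged


def locked_accounts(events, limit=5, window=timedelta(minutes=15)):
    """Per-account lockout: many failures against ONE account. Catches a
    brute force of the 4-digit PIN on a known account number, not a spray."""
    return _flag(events, key_of=lambda e: e[2], measure=len,
                 threshold=limit, window=window)


def spray_sources(events, distinct_accounts=20, window=timedelta(minutes=10)):
    """Spray check: one source failing against MANY distinct accounts, one
    try each, so no single account ever reaches the lockout limit."""
    return _flag(events, key_of=lambda e: e[1],
                 measure=lambda q: len({e[2] for e in q}),
                 threshold=distinct_accounts, window=window)


if __name__ == "__main__":
    evs = parse_log(constructed_log())
    print("per-account lockout:", locked_accounts(evs))  # {'111111111'}
    print("spray sources:", spray_sources(evs))          # {'203.0.113.7'}
```

The spraying source never trips the per-account rule (each account sees one failure), which is why the per-source distinct-account count is needed alongside it.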

Jaimito Cartero Oct 2, 2014 4:46 pm

And there are 20 or so PIN numbers that are often picked by customers. You search these only, and you'd get 10-20% success.

(Hint, choosing 1111 for a pin is not a good idea!)

handy72 Oct 2, 2014 6:18 pm

Also hacked
 
My account has just been hacked also.

734085 points taken for cameras - not impressed. :mad:

geigera Oct 2, 2014 8:15 pm

Mine too!
 
Somebody just used 81K for headphones!

MSPeconomist Oct 2, 2014 8:58 pm


Originally Posted by Jaimito Cartero (Post 23617681)
And there are 20 or so PIN numbers that are often picked by customers. You search these only, and you'd get 10-20% success.

(Hint, choosing 1111 for a pin is not a good idea!)

1234 isn't any better.

