Consolidated "Hilton Honors Account Hacked" thread
Old Jan 10, 2015, 3:05 am
  #136  
FlyerTalk Evangelist & Ambassador: China
 
Join Date: Aug 2005
Location: DEN
Programs: DL DM/MM, UA 1K, AA Exp, HH Dia, WOH Glob, IHG Plat, Marriott Gold, NA EE, Hertz PC
Posts: 17,419
Originally Posted by UVU Wolverine
Just a heads up to everyone, my account was hacked.

I received an award reservation confirmation email for the Hilton in Rotterdam costing 80,000 points, which I of course did not make. The funnier part was the confirmation was not in my name.

When I called Hilton, they seemed to straighten everything out over the phone. I received another e-mail from guest assistance asking if there was anything else they can help with, but the e-mail was addressed to whomever made the false reservation. Hilton even confirmed that I had called in to make the reservation, but for someone else. The credit card to be held for incidentals was also not one of my own. I just found it interesting that they addressed the e-mail to the fictitious person rather than me even though it was my account number.

Luckily, the confirmation e-mail was sent to me, and I read it within minutes because the reservation was for the same night I received the e-mail.

Just a word of warning for everyone to keep an eye out on your accounts. I have to have a new HHonors account created with everything (points, gold status, etc) rolled over to the new account so hopefully it won't be a huge headache. So far though, Hilton has been pretty easy to work with in the matter.
This hacking crap is getting scary now...
mnredfox is offline  
Old Jan 11, 2015, 2:37 pm
  #137  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Originally Posted by sdsearch
It doesn't matter. All you can do is add a password, but the PIN login stays functional. So even if you start using the password yourself, the still-active PIN remains the weak link.

Hilton would have to change it at their end (like Delta just did in recent months) to totally replace the PIN with only a password.

(And while Delta has gotten rid of PINs for online login, UA and BA still have them, and they're undoubtedly not the only ones besides Hilton.)
PINs are a weak link in security that needs to go away. There just are not enough permutations. One thing I now have is a different PIN for all of my PIN-based travel accounts. It is a pain, but it's better than using the same PIN for everything.

But I wish Hilton would discuss this, explain what is going on. Are they being targeted? Why? Since they appear to be making everyone whole, I think they seem to be responding correctly to fix hacks, but some guidance would be nice.
JohnMacWW is offline  
Old Jan 12, 2015, 9:11 am
  #138  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Use of HH account info to log into wifi is a problem

It just occurred to me (as I was logging in) that Hilton has a huge vulnerability in its security of HH account access by the way most Hilton family hotels have Gold and Diamond members enter their HH Account # and PIN (and room number) in order to get the free WiFi promised to G/D members.

This has to mean that the HH access information for its highest-using members is either being stored by all the local ISPs or is being passed back and forth by local ISPs to/from some master Hilton database.

Moreover, there are not even any CAPTCHA protections or anything. In fact there are not even any mechanisms for stopping access attempts after a certain number of tries. I know this because after I changed my HH PIN I forgot and tried about 15 times to log into the WiFi account a few months ago before I realized I was entering my old PIN and not my new PIN.

There are all sorts of ways this is a vulnerability that needs to be fixed.
JohnMacWW is offline  
Old Jan 12, 2015, 10:55 am
  #139  
FlyerTalk Evangelist
 
Join Date: Jan 2005
Location: home = LAX
Posts: 25,932
Originally Posted by JohnMacWW
It just occurred to me (as I was logging in) that Hilton has a huge vulnerability in its security of HH account access by the way most Hilton family hotels have Gold and Diamond members enter their HH Account # and PIN (and room number) in order to get the free WiFi promised to G/D members.
That sounds like a ridiculous way to do it. The front desk should know who is what status by room number. At Marriott, the WiFi only requires your first and last name and room number, they automatically look up your status on your reservation from that and give you the internet free based on that, without you ever having to provide your Marriott Rewards acct number or password.
sdsearch is offline  
Old Jan 12, 2015, 11:05 am
  #140  
 
Join Date: Oct 2013
Location: Copenhagen, Denmark
Programs: Mainly Hilton Hhonors, SAS Eurobonus
Posts: 1,981
In the Hiltons in Europe that I have experience with, you are only asked to enter your name and room number.
I have never been asked to enter an HHonors number or PIN code.
helosc is offline  
Old Jan 13, 2015, 1:38 am
  #141  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Originally Posted by helosc
In the Hiltons in Europe that I have experience with, you are only asked to enter your name and room number.
I have never been asked to enter an HHonors number or PIN code.
That may be the case. I cannot remember what I had to do for my Euro Hilton visits last year. But in the U.S. it is definitely the norm that you enter all that data to get the Gold/Diamond free WiFi benefit.

Originally Posted by sdsearch
That sounds like a ridiculous way to do it. The front desk should know who is what status by room number. At Marriott, the WiFi only requires your first and last name and room number, they automatically look up your status on your reservation from that and give you the internet free based on that, without you ever having to provide your Marriott Rewards acct number or password.
That is how it used to be at Hilton. Something changed. I think it was about 2 years ago, and it is now widespread that you provide all of your HH account access information.
JohnMacWW is offline  
Old Jan 13, 2015, 4:51 pm
  #142  
 
Join Date: Nov 2002
Location: Boston, MA
Programs: AA PlatPro (LTG), Marriott Titanium (LTG), HH Diamond
Posts: 254
I pointed out the 4-digit PIN issue back in 2013 and this is the useless response I got.

Dear Mr. Eng,

Thank you for your inquiry regarding account PIN numbers. We appreciate you taking the time to contact us.

I apologize but HHonors does not have an option to disable PIN based logins however you may change the PIN as often as you like.

If there is anything else we can assist you with, please do not hesitate to contact us. For immediate assistance, please click on the link below for the contact number of the Hilton Worldwide Service Center location nearest you.

http://hhonors3.hilton.com/en/support/index.html.

Best regards,

John H.
Diamond Coordinator
Customer Care Email Department
Hilton Reservations and Customer Care
www.hiltonworldwide.com
United Airlines is another company that "replaced" 4-digit PINs with passwords, but doesn't provide users the ability to disable PIN login.

IHG is even worse: they support a 4-digit PIN only.
chriseng is offline  
Old Jan 13, 2015, 8:12 pm
  #143  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Originally Posted by JohnMacWW
It just occurred to me (as I was logging in) that Hilton has a huge vulnerability in its security of HH account access by the way most Hilton family hotels have Gold and Diamond members enter their HH Account # and PIN (and room number) in order to get the free WiFi promised to G/D members.

This has to mean that the HH access information for its highest-using members is either being stored by all the local ISPs or is being passed back and forth by local ISPs to/from some master Hilton database.

Moreover, there are not even any CAPTCHA protections or anything. In fact there are not even any mechanisms for stopping access attempts after a certain number of tries. I know this because after I changed my HH PIN I forgot and tried about 15 times to log into the WiFi account a few months ago before I realized I was entering my old PIN and not my new PIN.

There are all sorts of ways this is a vulnerability that needs to be fixed.
If a wifi sign-in page ever asks for HH Number AND PIN, do not continue. Hotels cannot validate your HH PIN, so they would not ask. Any sign-up screen asking will be a rogue hotspot masquerading as hotel wifi in an attempt to steal your account! I would not even be happy entering my HH member number.

Normal wifi sign-in is surname + room number, or a voucher code.
scubaccr is offline  
Old Jan 13, 2015, 8:22 pm
  #144  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Originally Posted by scubaccr
If a wifi sign-in page ever asks for HH Number AND PIN, do not continue. Hotels cannot validate your HH PIN, so they would not ask. Any sign-up screen asking will be a rogue hotspot masquerading as hotel wifi in an attempt to steal your account! I would not even be happy entering my HH member number.

Normal wifi sign-in is surname + room number, or a voucher code.
I disagree; almost all Hilton chain hotels in the US are now requiring you to enter your HH#, PIN and room number in order to claim the free Gold or Diamond WiFi. It is not a rogue hotspot, it is the way Hilton is doing business now.
JohnMacWW is offline  
Old Jan 13, 2015, 9:02 pm
  #145  
FlyerTalk Evangelist
 
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others
Posts: 12,159
Originally Posted by scubaccr
If wifi signin page ever asks for HH Number AND pin do not continue. Hotels can not valdate your HH pin so would not ask. Any signup screen asking will be a rogue hotspot masquerading as Hotel wifi in attempt to steal your account ! I would not even be happy entering HH MemberNumber.

Normal wifi signin is Surname+room_number, or a voucher code
Anybody good enough to set up a rogue hotspot and hijack a wired connection doesn't actually need to steal information retail from me.
sethb is offline  
Old Jan 15, 2015, 10:16 am
  #146  
 
Join Date: Nov 2013
Posts: 134
The funniest part about the whole "PINs are not secure" discussion is that this is probably just the most glaringly obvious problem. Think about it this way: they have demonstrated they do not value security over convenience. Fine. Let's also consider that the PIN you enter is checked against a database. How do you think that database is secured by an IT department such as this one? Do you have confidence they properly salt and hash (=scramble) your personal information or would you guess that it's all right there and if someone happened to find the database file it would be trivial to read it?

The Hilton website is a lot scarier than you might already think.
pandablood is offline  
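As an added illustration (not code from any post in this thread, and not Hilton's system), here is a Python sketch of the two controls the discussion keeps circling: storing the PIN salted and hashed, as pandablood asks about, and a per-account failure counter that locks after a few tries, the mechanism JohnMacWW's 15 unpunished attempts showed was missing. The account number, the PIN and the lockout threshold are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PIN_SPACE = 10 ** 4   # every possible 4-digit PIN
MAX_ATTEMPTS = 5      # hypothetical lockout threshold

@dataclass
class Account:
    number: str
    salt: bytes
    pin_hash: bytes
    failed: int = 0
    locked: bool = False

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a leaked table is not a plain-text PIN list,
    # and a per-account salt stops one precomputed table covering everyone.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def enroll(number: str, pin: str) -> Account:
    salt = os.urandom(16)
    return Account(number, salt, hash_pin(pin, salt))

def verify(acct: Account, pin: str) -> bool:
    """Check a PIN; count failures and lock the account at MAX_ATTEMPTS."""
    if acct.locked:
        return False
    if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
        acct.failed = 0
        return True
    acct.failed += 1
    if acct.failed >= MAX_ATTEMPTS:
        acct.locked = True
    return False

def pin_space_coverable() -> float:
    """Fraction of the 4-digit space an online guesser can try before lockout.
    Without the counter this would be 1.0: the whole space is reachable."""
    return MAX_ATTEMPTS / PIN_SPACE

if __name__ == "__main__":
    acct = enroll("HH-CONSTRUCTED-0001", "4321")
    print(verify(acct, "4321"), pin_space_coverable())
```

The keyspace figure is the whole point of the thread's "not enough permutations" complaint: hashing protects the stored copy, but only the lockout (or equivalent throttling) makes a 4-digit PIN survive online guessing.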
Old Jan 15, 2015, 2:35 pm
  #147  
 
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 228
> Do you have confidence they properly salt and hash

No. None. Non. Nyet.
gqZJzU4vusf0Z2,$d7 is offline  
Old Jan 15, 2015, 4:23 pm
  #148  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Originally Posted by pandablood
.....

The Hilton website is a lot scarier than you might already think.
Okay except I am not even talking about the Hilton website, I am talking about individual hotel websites for their wifi system.

If all of those individual hotel wifi websites are taking in everyone's HH account number and PIN and doing something with it to verify that it's the correct PIN for that HH#, then we go from scary to horrifying.
JohnMacWW is offline  
Old Jan 17, 2015, 4:40 pm
  #149  
 
Join Date: Dec 2005
Location: Göteborg Sweden
Programs: SPG GOLD / BA GOLD/Club Carlson Gold/AMEX Plat.
Posts: 1,043
Originally Posted by UVU Wolverine
Just a heads up to everyone, my account was hacked.

I received an award reservation confirmation email for the Hilton in Rotterdam costing 80,000 points, which I of course did not make. The funnier part was the confirmation was not in my name.

When I called Hilton, they seemed to straighten everything out over the phone. I received another e-mail from guest assistance asking if there was anything else they can help with, but the e-mail was addressed to whomever made the false reservation. Hilton even confirmed that I had called in to make the reservation, but for someone else. The credit card to be held for incidentals was also not one of my own. I just found it interesting that they addressed the e-mail to the fictitious person rather than me even though it was my account number.

Luckily, the confirmation e-mail was sent to me, and I read it within minutes because the reservation was for the same night I received the e-mail.

Just a word of warning for everyone to keep an eye out on your accounts. I have to have a new HHonors account created with everything (points, gold status, etc) rolled over to the new account so hopefully it won't be a huge headache. So far though, Hilton has been pretty easy to work with in the matter.
I just checked my account and guess what... Yup... The same thing. 80,000 for a hotel in MCO. I live in Sweden. They had my name and account #. They changed the email address to a yopmail address. These emails are one-time-only deals. They changed my address to an intersection. They used a different CC#, thank God.
Called Hilton and they had to start a case file... Let's see what happens. I lost GOLD as well... At least I'm a patient man.
Flyiboy is offline  
Old Jan 17, 2015, 5:05 pm
  #150  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Originally Posted by Flyiboy
I just checked my account and guess what... Yup... The same thing. 80,000 for a hotel in MCO. I live in Sweden. They had my name and account #. They changed the email address to a yopmail address. These emails are one-time-only deals. They changed my address to an intersection. They used a different CC#, thank God.
Called Hilton and they had to start a case file... Let's see what happens. I lost GOLD as well... At least I'm a patient man.
Hilton's silence on this is annoying me a lot. So far I think everyone has been made whole. If there is anyone out there frustrated with Hilton's resolution I would like to hear about it.
But even the CAPTCHA tech they have added for logins still leaves other issues. Like my point that they allow all hotels to acquire HH#s and PINs and compare them for WiFi access. Sure, so far they make everything better when somebody hacks, but it is a hassle that can be fixed. But everyone seems so accepting of this. You would think every Hilton Honors member on FT would be commenting and mad about this.
JohnMacWW is offline  