FlyerTalk Forums

Consolidated "Hilton Honors Account Hacked" thread (https://www.flyertalk.com/forum/hilton-hilton-honors/1570071-consolidated-hilton-honors-account-hacked-thread.html)

Flyiboy Jan 17, 2015 5:14 pm

What concerns me is when I ask the rep if this happens a lot.. She hesitated and states.. It happens more than you know.. Perhaps I should now reconsider my stay at the Conrad in Hong Kong..

Miesque Jan 18, 2015 9:40 am

Just a comment on ways people can get your account info. This morning under my door at the Doubletree Ocean Point Miami Beach North was not only a copy of my bill, but also for another Diamond staying a floor lower, a Mr. Augusto S and while his address is not on the bill, his Diamond number is.

gqZJzU4vusf0Z2,$d7 Jan 18, 2015 10:29 am

> It is not a rogue hotspot, it is the way Hilton is doing business now.

Correct.

The fact that Hilton WiFi login even asks for all the info required to seize control of an account ... is simply nuts. Somebody does not understand OPSEC.

Whoever Hilton is paying for I/T security advice does not understand the fundamentals of their job. They should be name'd, shame'd and fire'd. But I do not wish to be unreasonable. I am willing to compromise: They should be fired. The REDACTED BY MOD amateurs.

JohnMacWW Jan 18, 2015 4:19 pm

Hello, hello?
Conrad Hilton are you there?
There appear to be some significant breaches of your ability to preserve the privacy of your customers' most important data.
Are you there? Are you going to respond?

eknock007 Jan 18, 2015 8:18 pm

I got hacked today to the tune of 225,000 points. Initially I had gotten an email (around 11:30am) saying my address had changed. So I went online and checked and sure enough, there was an address from Singapore on my account (I live in SoCal). I suspected something wrong, so I immediately changed it back to my address, changed my password and called customer service. Their response was that maybe someone had mistakenly given my account number while requesting an address change and since my point total was unchanged, I figured that was probably the case. As a precaution I asked the rep to annotate in my account that any future acct changes or point redemptions should prompt a DOB and PIN request. Then at around 4:30 pm I get another email from HHonors with an order confirmation. It was the redemption of 225,000 points for the two $200 GC's. Called customer service again to report it and was given a case number. Does anyone know if Hilton returns the points and if so, how long will it take?

sethb Jan 19, 2015 9:19 am


> Originally Posted by eknock007 (Post 24191758)
> I got hacked today to the tune of 225,000 points. Initially I had gotten an email (around 11:30am) saying my address had changed. So I went online and checked and sure enough, there was an address from Singapore on my account (I live in SoCal). I suspected something wrong, so I immediately changed it back to my address, changed my password and called customer service. Their response was that maybe someone had mistakenly given my account number while requesting an address change and since my point total was unchanged, I figured that was probably the case. As a precaution I asked the rep to annotate in my account that any future acct changes or point redemptions should prompt a DOB and PIN request. Then at around 4:30 pm I get another email from HHonors with an order confirmation. It was the redemption of 225,000 points for the two $200 GC's. Called customer service again to report it and was given a case number. Does anyone know if Hilton returns the points and if so, how long will it take?

Based on what we've seen here, Hilton likely will return the points. I don't know how long it takes; that varies.

eknock007 Jan 19, 2015 10:02 pm


> Originally Posted by eknock007 (Post 24191758)
> I got hacked today to the tune of 225,000 points. Initially I had gotten an email (around 11:30am) saying my address had changed. So I went online and checked and sure enough, there was an address from Singapore on my account (I live in SoCal). I suspected something wrong, so I immediately changed it back to my address, changed my password and called customer service. Their response was that maybe someone had mistakenly given my account number while requesting an address change and since my point total was unchanged, I figured that was probably the case. As a precaution I asked the rep to annotate in my account that any future acct changes or point redemptions should prompt a DOB and PIN request. Then at around 4:30 pm I get another email from HHonors with an order confirmation. It was the redemption of 225,000 points for the two $200 GC's. Called customer service again to report it and was given a case number. Does anyone know if Hilton returns the points and if so, how long will it take?

UPDATE: I got an email today from HHonors Loss Prevention informing me that my points had been restored. They canceled my old account number and created a new one for me. Apparently they were able to cancel the GC order in time. Good to see that Hilton is on top of this when people end up becoming a victim.

JohnMacWW Jan 20, 2015 10:44 am


> Originally Posted by eknock007 (Post 24198523)
> UPDATE: I got an email today from HHonors Loss Prevention informing me that my points had been restored. They canceled my old account number and created a new one for me. Apparently they were able to cancel the GC order in time. Good to see that Hilton is on top of this when people end up becoming a victim.

Can you list the timeline you endured? (I.e. how many days between you alerting Hilton and having a new HH Account with all points restored).

Was your HH account suspended for an interim period or did they give you a new one immediately? When they gave you a new HH account, how quickly did the then-remaining point balance in your old account get transferred and thus be usable?

Did they just transfer all of your personal data and preferences to the new account or did you have to go in and enter some of it (like CC info or preferences)?

eknock007 Jan 20, 2015 1:33 pm


> Originally Posted by JohnMacWW (Post 24201285)
> Can you list the timeline you endured? (I.e. how many days between you alerting Hilton and having a new HH Account with all points restored).
>
> Was your HH account suspended for an interim period or did they give you a new one immediately? When they gave you a new HH account, how quickly did the then-remaining point balance in your old account get transferred and thus be usable?
>
> Did they just transfer all of your personal data and preferences to the new account or did you have to go in and enter some of it (like CC info or preferences)?

Here is the timeline:

1/18 1:30pm: Email from Hilton indicating I had changed my address. Immediately called Hilton CS to report the incident.

1/18 4:36pm: Email from Hilton with the order confirmation. Called Hilton CS around 6pm to report that 225,000 points had been stolen and I was given a case number.

1/18 6:17pm: I forwarded the order confirmation email to Hilton Loss Prevention. Got an email acknowledgement right away from Hilton.

1/19 10:50am: Received two emails from Hilton Loss Prevention. One indicating I had a new PIN and the other indicating that the order had been canceled and that my points had been restored. Also that a new account number had been created and the old one closed.

The new account seems to have all of my info from my previous account with the exception of stored credit cards. Those I have to add. The whole transfer of info and points happened rather quickly. I had gone into my old account early on the 19th to see if there was any change and everything was still the same. As soon as I got the email from Loss Prevention that I had a new account, I logged into the new account and saw that the original points total had been restored along with most of my personal info. I have not checked everything but what mattered the most was the points. I tried to log in to my old account but the log-in was no longer valid.

IMH Jan 20, 2015 1:57 pm

Thanks for the comprehensive report. It seems that the Hilton people responsible for resolving these problems are pretty good. Shame the company still hasn't tightened things up to prevent the problems happening in the first place.


> Originally Posted by eknock007 (Post 24202377)
> The new account seems to have all of my info from my previous account with the exception of stored credit cards. Those I have to add.

I'm probably not alone in thinking that it's better not to store credit card information in your HH profile right now.

eknock007 Jan 20, 2015 3:53 pm


> Originally Posted by IMH (Post 24202559)
> It seems that the Hilton people responsible for resolving these problems are pretty good.

Yeah I was kind of surprised that it took less than one day to recover the points. I was anticipating weeks of agonizing wait time for any action to occur as far as remedying the situation. The email from Loss Prevention mentioned that it would take 7-10 business days to review and respond to my issue.

AKCuisine Jan 20, 2015 6:39 pm


> Originally Posted by IMH (Post 24202559)
> I'm probably not alone in thinking that it's better not to store credit card information in your HH profile right now.

Keep checking back on your credit card information to make sure it stays gone.

I thought I deleted my card details after a lengthy process - the system would say my profile was updated and the card details vanished. But the next time I logged in the card information was back again.

So taking a tip from others on the forum, I used the app instead of the laptop to delete card information. It seemed to work.

But then after I had a stay at a property I found the card I'd used at that particular hotel was back in my profile. It just kept coming back ...

Now what I've done is added a card number for an account that was recently closed. After my hotel stay next week I'll check to see if that old card is still on file or whether my HHonors card number details have (again) replaced it.

gqZJzU4vusf0Z2,$d7 Jan 21, 2015 1:37 pm

> I thought I deleted my card details after a lengthy process - the system
> would say my profile was updated and the card details vanished. But the
> next time I logged in the card information was back again.

Ditto. I'm having the same problem with phone numbers.

gqZJzU4vusf0Z2,$d7 Jan 21, 2015 1:46 pm

Protect Against Rogue HHONORS Access Points ...
 
This is a soln that will (only) mitigate the rogue HHONORS access point attack.

Upon check-in, I ask the Front Desk for the WiFi "coupon/code" for the day/week. I use it to login to the WiFi ... without ever entering my HHonors account nbr, PIN and room number.

If I have happened to connect to a rogue HHONORS access point, all they get is the coupon/code for the day/week.

submonte Jan 25, 2015 7:17 am

I haven't been following this thread but I tell you what nervs me:

I can no more automatically sign into my HHonors account, which I usually did on my Envy by HP Simple Pass and fingerprint sensor, have to state "I am not robot" each time I want to sign in, and be able to read and enter those hieroglyphs appearing to show the HHonors system I am not a robot.

My statement: That sux!

