Consolidated "Hilton Honors Account Hacked" thread

Old Mar 23, 2015, 9:40 am
  #241  
IMH
 
Join Date: Jul 2007
Location: Berlin
Programs: BA Gold; Accor Plat; IHG Diamond-Amb; Meliá & HH & Marriott Gold
Posts: 5,450
Today Krebs is reporting on the breach.

Other media are picking the story up, e.g. arstechnica here.

The reports suggest that the vulnerability has been fixed, or that Hilton believes it has. In which case I can't see any reason why Hilton should not (finally) be more forthcoming about what has happened and how security will be addressed going forward.

EDITED (four hours later):
A post in a different thread prompted me to read the Krebs report again and with more care. It would appear only to explain some of the recent backtracking, not the earlier breach which is the main focus of this thread. Apologies for that (but it's still interesting and disappointing in its own right IMO).

Last edited by IMH; Mar 23, 2015 at 1:49 pm Reason: see text
IMH is offline  
Old Mar 23, 2015, 2:38 pm
  #242  
FlyerTalk Evangelist & Ambassador: China
 
Join Date: Aug 2005
Location: DEN
Programs: DL DM/MM, UA 1K, AA Exp, HH Dia, WOH Glob, IHG Plat, Marriott Gold, NA EE, Hertz PC
Posts: 17,421
Originally Posted by IMH
Today Krebs is reporting on the breach.

Other media are picking the story up, e.g. arstechnica here.

The reports suggest that the vulnerability has been fixed, or that Hilton believes it has. In which case I can't see any reason why Hilton should not (finally) be more forthcoming about what has happened and how security will be addressed going forward.

EDITED (four hours later):
A post in a different thread prompted me to read the Krebs report again and with more care. It would appear only to explain some of the recent backtracking, not the earlier breach which is the main focus of this thread. Apologies for that (but it's still interesting and disappointing in its own right IMO).
Posted on Loyalty Lobby too. Nice job Hilton.

http://loyaltylobby.com/2015/03/23/h...e-yours-again/

Time to change your PW again.
mnredfox is offline  
Old Mar 23, 2015, 5:06 pm
  #243  
 
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 228
Originally Posted by mnredfox
Posted on Loyalty Lobby too. Nice job Hilton.

http://loyaltylobby.com/2015/03/23/h...e-yours-again/

Time to change your PW again.
Actually, not. This breach didn't require any password, only your HHonors number.
gqZJzU4vusf0Z2,$d7 is offline  
Old Apr 13, 2015, 1:46 pm
  #244  
JBD
 
Join Date: Apr 2005
Posts: 522
Hilton: When are you going to disable access via the 4 digit pin?

Originally Posted by anative
After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.

In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login.

This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.

SCARY.

An email to Hilton's Privacy Department ([email protected]) has gone unanswered.
In four days the above post will be ONE YEAR OLD.

And yet, Hilton has still not addressed this problem.

I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so.

But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number).

This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks.

Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin?
JBD is offline  
Old Apr 13, 2015, 3:52 pm
  #245  
 
Join Date: Nov 2011
Location: BSL
Posts: 55
Originally Posted by JBD
In four days the above post will be ONE YEAR OLD.

And yet, Hilton has still not addressed this problem.

I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so.

But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number).

This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks.

Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin?
SAME HERE!
Schtingi is offline  
Old Apr 16, 2015, 4:53 pm
  #246  
FlyerTalk Evangelist
 
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Originally Posted by JBD
In four days the above post will be ONE YEAR OLD.

And yet, Hilton has still not addressed this problem.

I created a new password as instructed by Hilton, I received a 1,000 bonus points for doing so.

But as I reported in the Log In thread, as of today, I can still access my online account with my old 4 digit pin (either with my username or with my HH account number).

This was the exact issue reported by OP anative on April 17, 2014, quoted above, and his alert to Hilton on this security vulnerability preceded the major hacking attacks.

Thanks for the 1,000 points Hilton, but when are you going to fix your website? When are you going to disable access via the 4 digit pin?
As posted here http://www.flyertalk.com/forum/24674462-post435.html it looks like they will be taking the PINs offline later this month. Now we are talking about HH IT so there's no telling.
RogerD408 is offline  
Old Apr 30, 2015, 12:34 am
  #247  
JBD
 
Join Date: Apr 2005
Posts: 522
Login with PIN has finally been disabled

Woohoo.

Just now saw that I couldn't log in with my PIN. And there was no CAPTCHA.

And after logging in with my password I saw this on my Account Summary page:
HILTON HHONORS ACCOUNT PASSWORDS
As of April 29, 2015, all members will be required to update their PIN, or current password, to a new & secure password. Update your password now by visiting the Personal Information section of your account profile. If you have already updated your password on or after March 10, 2015, no further action is required.
JBD is offline  
Old May 2, 2015, 2:50 pm
  #248  
 
Join Date: Apr 2012
Programs: UA 1K, Hilton Diamond
Posts: 113
Don't everyone woohoo too much. The PIN still lives in their system; they just removed it from the website. I just used it to log in to the Conrad app. The app wouldn't let me log in with username/account number and password. I did the account number and PIN and it let me right in. Needs to be brought to Hilton's attention.
wav3rider is offline  
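The two posts above (#244 and #248) describe the same design flaw from two sides: a 4-digit PIN that can be guessed in at most 10,000 attempts, and a "fix" that removed the PIN from the web login form while the authentication backend, reached through the mobile app, still accepted it. The following is an added example, not Hilton's code or anything from this thread, showing how a defender would structure the fix: one verification path shared by every client, a legacy-PIN switch enforced there rather than in any front end, and a failure counter that locks the account long before a 4-digit space can be exhausted. Account numbers, PINs, passwords and the lockout threshold are constructed sample values.

```python
"""Added example (not Hilton's code): a centralised authentication policy that
refuses a legacy 4-digit PIN for every client and locks accounts after repeated
failures. All account numbers, PINs and passwords here are constructed samples."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILURES = 5          # assumed policy value: consecutive failures before lockout
LEGACY_PIN_LOGIN = False  # the single switch that governs *all* clients, not just the web site


def hash_secret(secret: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the same routine stores passwords and legacy PINs."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    number: str
    salt: bytes
    password_hash: bytes
    pin_hash: Optional[bytes] = None   # legacy credential retained only until migration ends
    failures: int = 0
    locked: bool = False


class AuthService:
    """One verification path that the web site and the mobile app both call."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, number: str, password: str, legacy_pin: Optional[str] = None) -> None:
        salt = os.urandom(16)
        self.accounts[number] = Account(
            number=number,
            salt=salt,
            password_hash=hash_secret(password, salt),
            pin_hash=hash_secret(legacy_pin, salt) if legacy_pin else None,
        )

    def authenticate(self, client: str, number: str, credential: str) -> str:
        """Return 'ok', 'locked' or 'denied'.

        `client` ('web', 'app', ...) is only useful for logging; it is never consulted
        for policy, so a credential rejected on one channel is rejected on all of them."""
        acct = self.accounts.get(number)
        if acct is None:
            return "denied"            # same answer as a bad credential: no account enumeration
        if acct.locked:
            return "locked"            # checked before any hashing, so locked accounts cost nothing
        candidate = hash_secret(credential, acct.salt)
        if hmac.compare_digest(candidate, acct.password_hash):
            acct.failures = 0
            return "ok"
        # With LEGACY_PIN_LOGIN off the PIN hash is never even compared, so a correct
        # PIN is indistinguishable from a wrong password: no oracle, no bypass via the app.
        if LEGACY_PIN_LOGIN and acct.pin_hash is not None \
                and hmac.compare_digest(candidate, acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"


def demo() -> dict:
    """Walk through the scenario from the thread with constructed sample data."""
    svc = AuthService()
    number, password, old_pin = "1234567890", "correct-horse-battery-staple", "4321"
    svc.register(number, password, legacy_pin=old_pin)
    results = {
        "web_pin": svc.authenticate("web", number, old_pin),   # refused on the web site...
        "app_pin": svc.authenticate("app", number, old_pin),   # ...and equally refused in the app
        "app_password": svc.authenticate("app", number, password),
    }
    # Guessing the 4-digit space: the account locks after MAX_FAILURES, far short of 10,000.
    outcome = "denied"
    for guess in range(10_000):
        outcome = svc.authenticate("app", number, f"{guess:04d}")
        if outcome == "locked":
            break
    results["guesses_before_lock"] = guess + 1
    results["after_lock"] = outcome
    results["owner_after_lock"] = svc.authenticate("web", number, password)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the structure is that the front ends hold no credential policy at all: the web site and the app pass whatever the user typed to the same `authenticate`, and the decision about which credential types are acceptable is made once, in one place. Once the account is locked, the owner's correct password is refused too, which is the trade-off of a simple lockout counter; a production service would pair it with an unlock flow and would also rate-limit per source address so that one guessing source cannot lock out many members.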
Old May 9, 2015, 6:27 am
  #249  
Suspended
 
Join Date: Oct 2009
Location: Kan@da
Programs: Anything with sweet spots
Posts: 1,790
I am now getting fraudulent calls from telemarketers/scammers due to this data breach. I believe I'm entitled to some compensation, such as free nights, due to all this inconvenience and privacy breach. Anyone got some ?
MasterGeek is offline  
Old May 10, 2015, 8:10 am
  #250  
IMH
 
Join Date: Jul 2007
Location: Berlin
Programs: BA Gold; Accor Plat; IHG Diamond-Amb; Meliá & HH & Marriott Gold
Posts: 5,450
Originally Posted by MasterGeek
I am now getting fraudulent calls from telemarketers/scammers due to this data breach.
If you could tell us a little more we'd have an idea of what to look out for.
IMH is offline  
Old May 11, 2015, 1:28 pm
  #251  
FlyerTalk Evangelist
 
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others
Posts: 12,159
Originally Posted by MasterGeek
I am now getting fraudulent calls from telemarketers/scammers due to this data breach. I believe I'm entitled to some compensation, such as free nights, due to all this inconvenience and privacy breach. Anyone got some ?
I don't believe you are. How do you know the telescammers got data from Hilton, anyway?
sethb is offline  
Old May 12, 2015, 2:28 am
  #252  
Suspended
 
Join Date: Oct 2009
Location: Kan@da
Programs: Anything with sweet spots
Posts: 1,790
Originally Posted by sethb
I don't believe you are. How do you know the telescammers got data from Hilton, anyway?
They offer a "free Hilton" night because they know I am a HHonors member since they got my data from there. And the timing is just a few weeks after the HHonors data breach.
MasterGeek is offline  
Old May 12, 2015, 8:48 am
  #253  
FlyerTalk Evangelist
 
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others
Posts: 12,159
Originally Posted by MasterGeek
They offer a "free Hilton" night because they know I am a HHonors member since they got my data from there. And the timing is just a few weeks after the HHonors data breach.
Maybe. I've been offered free Hilton nights on telescams that went to a phone number that isn't in my Hilton profile.
sethb is offline  
Old May 12, 2015, 9:01 am
  #254  
FlyerTalk Evangelist
 
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Originally Posted by sethb
Maybe. I've been offered free Hilton nights on telescams that went to a phone number that isn't in my Hilton profile.
Yes, this...

Just like with email scams, the more people they hit the higher the odds of getting someone to bite. Data mining for specific numbers/email addresses allows them to target specific audiences. They are getting better with their presentations and I can see many people falling prey. I especially like the emails from the Director of the FBI approving my dealings with the Bank of Nigeria!
RogerD408 is offline  
Old May 17, 2015, 6:54 am
  #255  
 
Join Date: Apr 2010
Posts: 309
Article here mentions Hilton accounts being sold for just 15 USD.

http://www.dailymail.co.uk/news/arti...er-s-List.html
GarlicFlyer is offline  