Hilton Honors Website Security - Accounts hacked Oct 2014

Old Apr 28, 14, 4:58 am
  #16  
Original Poster
 
Join Date: Dec 2000
Location: Orlando, FL, USA (MCO)
Programs: Hilton-Diamond, Virgin-Gold, BA-Silver
Posts: 21
I too called the Diamond desk to try and get my credit card removed from my profile. The person I spoke with tried and tried from her end, putting me on hold a number of times to get help but also was never able to remove it. I'll try the trick of changing the expiration date next.

I really wish Hilton would take this issue more seriously and fix this security hole.
anative is offline  
Old May 25, 14, 1:34 am
  #17  
FlyerTalk Evangelist
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 31,617
It seems Hilton has some other serious security issues. I just got an email from Hilton about someone else's reservation! Or actually a "Your Requests Upon Arrival Order".

It came from [email protected] and includes this person's order for 2 Additional Down Filled Pillows at the Hilton Slussen in Stockholm. It has his name, his HHonors number and shows his tier as Gold. It also has his stay dates and confirmation number. I could cause this poor man a lot of trouble if I were a mischievous sort of person.

I stayed at the Hilton Slussen back in January, but other than that, I have zero connection with this person and his reservation. How in the heck did Hilton send this to my email address?
stimpy is offline  
Old Jul 8, 14, 5:06 pm
  #18  
JBD
 
Join Date: Apr 2005
Posts: 521
I'm bumping up this thread in the hope that our HHonorsRepresentative might be able to at the least pass our concerns along. I'll also PM Anthony with a link to this thread.
JBD is offline  
Old Jul 8, 14, 5:25 pm
  #19  
JBD
 
Join Date: Apr 2005
Posts: 521
And since I've resurrected this issue, just wanted to add what my concern is -

I'm not worried about my credit card info because that's the one area where I'm protected. If there's ever a fraudulent charge on my AMEX or MC I'm not responsible for it, the credit card company will cover it.

However, what would happen if someone got into my account and took my points? I have a considerable balance and consider it as I do my other assets. But what protection would HH provide if someone was able to either transfer the points out of my account, or use them themselves for an award reservation?
JBD is offline  
Old Jul 8, 14, 6:11 pm
  #20  
 
Join Date: Nov 2013
Programs: HH Diamond, IHG Spire, Marriott Silver, WN CP
Posts: 395
That truly is the biggest concern. Someone taking all your points.

No one can get your CC info from the account since it's hashed when you put it in (not hashed per se but turned into ***...hashing is a whole other deal and really how you should store passwords...salted hashes, slow hash, etc). You can only see the last 4 digits. You can see the expiration too which isn't great either.

Last edited by HansGruber; Jul 8, 14 at 6:15 pm Reason: Clarified hashing
HansGruber is offline  
Old Jul 9, 14, 4:14 am
  #21  
FlyerTalk Evangelist
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 31,617
Originally Posted by stimpy
It seems Hilton has some other serious security issues. I just got an email from Hilton about someone else's reservation! Or actually a "Your Requests Upon Arrival Order".

It came from [email protected] and includes this person's order for 2 Additional Down Filled Pillows at the Hilton Slussen in Stockholm. It has his name, his HHonors number and shows his tier as Gold. It also has his stay dates and confirmation number. I could cause this poor man a lot of trouble if I were a mischievous sort of person.

I stayed at the Hilton Slussen back in January, but other than that, I have zero connection with this person and his reservation. How in the heck did Hilton send this to my email address?
It doesn't seem that Hilton cares. I'm still getting these emails. One guy who is Hilton Gold, has over 600,000 points. I have a lot of his information from these emails. Maybe I could call Hilton and book myself a nice week somewhere with his points?
stimpy is offline  
Old Jul 9, 14, 1:09 pm
  #22  
Company Representative - Honors by Hilton
 
Join Date: Aug 2009
Programs: Hilton Honors
Posts: 1,214
Originally Posted by JBD
I'm bumping up this thread in the hope that our HHonorsRepresentative might be able to at the least pass our concerns along. I'll also PM Anthony with a link to this thread.
I'm on it! Thanks everyone. Stay tuned.
Hilton Honors Ambassador is offline  
Old Sep 30, 14, 5:47 pm
  #23  
 
Join Date: Dec 2002
Location: SMF
Programs: AA EXP 4MM
Posts: 759
Hilton HHonors account hacked--should account number be changed?

My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?
card1953 is offline  
Old Sep 30, 14, 9:53 pm
  #24  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Posts: 10,582
Originally Posted by card1953
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?
Don't think you need to change the account number but definitely change your user name and password to get into the account.
Baze is offline  
Old Sep 30, 14, 10:07 pm
  #25  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 87,154
It can't hurt to change the number, but depending on what you know of the circumstances of the hack, it might be more or less worth the time and hassle for you.
MSPeconomist is offline  
Old Oct 1, 14, 1:56 pm
  #26  
FlyerTalk Evangelist
 
Join Date: Jan 2005
Location: home = LAX
Posts: 24,410
Originally Posted by Baze
Don't think you need to change the account number but definitely change your user name and password to get into the account.
Huh???

When I go to the Hilton HHonors website I see it ask for:
Username or HHonors #
Password or PIN
In other words, if all you change is your username and password, but someone has your account number and PIN, they can still sign in with that!

So it seems to me the most someone can do (without changing their account number) is to change their 4-digit PIN (as well as their username and password, if they have those).

But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see.

(Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.)
sdsearch is offline  
Old Oct 1, 14, 2:48 pm
  #27  
JBD
 
Join Date: Apr 2005
Posts: 521
Originally Posted by card1953
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?
For a similar experience see this thread:
http://www.flyertalk.com/forum/hilto...la-lumpur.html

And on that thread you'll see I linked this thread, which unfortunately failed to prompt Hilton to rectify this situation:
http://www.flyertalk.com/forum/hilto...-security.html

When is Hilton going to address their website security issues? How many people need to have their accounts hacked before something's done!

(Your HH account number is easily "stolen": it appears on folios left in front of doors, it's on emails sent to easily hacked yahoo accounts, etc. And with your account number in hand all a hacker then needs to do is figure out a mere 4 digit pin number.)
JBD is offline  
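
The posts above point out that the account number is easy to obtain and that a 4-digit PIN is then the only barrier, which is why PIN sign-in needs attempt limiting keyed on the account itself. As an added example (not from the thread and not Hilton's code), here is a per-account lockout in Python; the account number, the PIN and the 5-failures/24-hour policy are all constructed for illustration.

```python
import hmac
import math

PIN_SPACE = 10 ** 4  # a 4-digit PIN has only 10,000 possible values


class AccountThrottle:
    """Failure counter keyed on the account number, not on the client IP,
    so spreading guesses across many addresses does not reset it."""

    def __init__(self, max_failures=5, lockout_seconds=24 * 3600):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state = {}  # account -> (consecutive failures, locked_until)

    def is_locked(self, account, now):
        return now < self._state.get(account, (0, 0.0))[1]

    def record(self, account, success, now):
        if success:
            self._state.pop(account, None)
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        if failures >= self.max_failures:
            self._state[account] = (0, now + self.lockout_seconds)
        else:
            self._state[account] = (failures, 0.0)


def attempt_login(throttle, pin_store, account, pin, now):
    """Return 'locked', 'ok' or 'denied'. A locked account rejects even the
    correct PIN, so guesses made during the lockout reveal nothing."""
    if throttle.is_locked(account, now):
        return "locked"
    stored = pin_store.get(account)
    ok = stored is not None and hmac.compare_digest(stored, pin)
    throttle.record(account, ok, now)
    return "ok" if ok else "denied"


def guess_success_chance(max_failures, lockout_seconds, days):
    """Upper bound on blind guessing against one account within `days`."""
    windows = math.floor(days * 86400 / lockout_seconds) + 1
    return min(PIN_SPACE, windows * max_failures) / PIN_SPACE


# Constructed demo data: made-up account number and PIN, plaintext for the demo only.
PIN_STORE = {"100200300": "4821"}
```

Even under this constructed policy, `guess_success_chance(5, 86400, 30)` comes to 0.0155 for a single account over 30 days, so a lockout slows guessing but does not make a 4-digit secret strong.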
Old Oct 1, 14, 8:11 pm
  #28  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Posts: 10,582
Originally Posted by sdsearch
Huh???

When I go to the Hilton HHonors website I see it ask for:
Username or HHonors #
Password or PIN
In other words, if all you change is your username and password, but someone has your account number and PIN, they can still sign in with that!

So it seems to me the most someone can do (without changing their account number) is to change their 4-digit PIN (as well as their username and password, if they have those).

But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see.

(Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.)
Excuse me, been so long since I used a pin to log into Hilton I forgot you could.
Baze is offline  
Old Oct 1, 14, 8:40 pm
  #29  
 
Join Date: Jan 2009
Location: BTR
Programs: AA LTPlat 2.3MM; Marriott Titanium (LTP); Hilton Gold; Vistana 5-Star Elite; National Car Exec Elite
Posts: 6,119
Originally Posted by sdsearch
Huh???

. . .

But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see.

(Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.)
United still allows sign in with FF# and PIN. Wish they would get rid of the PIN.
controller1 is offline  
Old Oct 2, 14, 12:05 am
  #30  
 
Join Date: Jul 2009
Posts: 1
My Hilton HHonors account was also hacked on 9/29/14, and over 200,000 points were used for a merchandise purchase. I contacted guest services and the points were quickly returned to my account. Unfortunately, they also said that the account information should stay the same, because that would help the fraud protection department track down the culprit. Against my own best judgement, I agreed. Two days later, another 230,000 points are missing from my account. Guess it's time to spend another hour on the phone with guest services!
fridayskm is offline  