mpaterso

Mine HHonors account was hacked yesterday, they stole 84,000 points to buy merchandise. It's taking me a long time to get this fixed.

Anyone with an HHonors account, change your PIN asap!!!

Looks like someone from Russia did it.

card1953

Yesterday I could no longer log in to my account with my account number and newly changed PIN. Today I called and I was told that: 1. HHonors had temporarily closed my account to prevent further fraud; 2. The stolen points (473,000) had still not been returned; 3. I should email the HHW loss prevention dept and find out if they were going to reopen the account or open a new account and transfer all the information.

Reading the last few posts it is clear that major HHonors account hacking is in progress.

ChinaShrek

Why all the hate for the simple 4-digit pin? It's so much easier to remember one number for everything (including my ATM card) then all of these passwords that require lower case letters, capital letters, numbers, etc. I'll be happy when they can do retinal or finger print scans through my laptop.

ZackVLion

My account was just hacked also...I logged in a few nights ago and noticed my account was missing some points (about 200k) but didnt see any transactions listed in account history so i thought maybe it was a glitch, logged in next day and couldnt login anymore...couldnt request password, etc. so i called hhonors help line they just said to email hilton loss prevention because my account was closed...Got an automated response saying in 7-10 days they will review my request...

What a pain in the ......Hilton obviously has some security issues...

I'm glad i wasnt trying to book a vacation right now, i'd be screwed probably....I'm hoping I get all my points and account back...The person on the hhonors help line didnt sound suprised at all, wondering if this is happening a ton

agehall

Because a four digit PIN number can be cracked in seconds. There are only 10000 combinations.

And passwords are not difficult if you do them right. It doesn't have to be a *random* combination, it can have meaning to you...

sdsearch

No, it can't be cracked in seconds if the system doesn't allow you to try to log in with the wrong PIN more than a few times in a row, before locking the account for some amount of time (24 hours, for example).

I've seen other websites (certainly bank sites) where any attempt to log in incorrectly more than a few times resulted in a temporary lock-out. And that was even with passwords, not just 4-digit PINs.

But does the Hilton HHonors site have this security feature? Or does it let someone (or some "bot") endlessly try every PIN possible?


... However: Even if the system locks you out after trying to log into one account several times with the wrong PIN, it may not lock you out if you try to log into zillions of different accounts (one time each). And statistically, if you try 10000 accounts with the same 4-digit PIN, one of them is likely to have that 4-digit PIN. So perhaps that's how the hack is working, not by guessing PINs, but by picking a PIN and guessing the account numbers that use that PIN?

Jaimito Cartero

And there 20 or so PIN numbers that are often picked by customers. You search these only, and you'd get 10-20% success.

(Hint, choosing 1111 for a pin is not a good idea!)

handy72

My account has just been hacked also.

734085 points taken for cameras - not impressed.

geigera

somebody just used 81K for headphones!

MSPeconomist

1234 isn't any better.

Globalist

This seems a quite significant breach,

I have changed my PIN just to be sure but thought it was better to switch to a username/password login which is less logical compared to using an account number can can be found easily.

Now I have a username and password I still see that I can login with my account number and (changed) pin that means now there are two ways into my account..

Not a great security protocol.

Globalist

JBD

That "protocol" was first noticed in one of the two threads I linked above (in post #5), titled "Hilton Honors Website Security".

And note that the thread (currently) ends with this post made on July 9, 2014 by the HHonorsRepresentative:

bigbuy

Yep, mine account was hacked on 9/30/14. The hackers took 466,860 points by ordering 2 Sony products. I emailed Hilton on 10/01 and also called. Within 24 hours, the points were returned and a new HHonors account number and password were issued. I think Hilton has a major security issue on their hands, although they gave me suggestions on how to protect my account. I don't use wifi or laptop/Ipad and only have one computer that is secured with Norton.

HansGruber

Based on all of these issues. I just changed my password and PIN last night. However, I'm wondering if their site isn't falling victim to the BASH Shellshock bug or another BASH vulnerability that was recently detected. Based on the fact that their web forms don't typically work all that well, I'd find it hard to believe they have all their ducks in a row on the security side as well. I would assume this vulnerability could be used to snag account numbers. From there it may just be a matter of brute force trying PIN numbers. However, I'm not a security guy...I'm a storage guy so that's a guess from me.

Moral of the story is change your PIN and password based on what's going on.

card1953

I received an email with a new account number and my points were returned--it's clearly going to require vigilance.