FlyerTalk Forums > Miles&Points > Hotels and Places to Stay > Hilton | Hilton Honors

Hilton Honors Website Security - Accounts hacked Oct 2014

Post #46, Oct 3, 14, 2:33 pm
Join Date: Sep 2011
Location: Haywards Heaths, England
Programs: HH D, IHG G, SPG G
Posts: 47
Haven't posted on here for a while.... but there is obviously a major hack going on judging by the number of folks on here just hacked...and add me to that list - this morning I had over 250000 points, I then got an email from the Hilton HHonors Shopping Mall thanking me for my purchase....I checked my account and I only had 1000 points left.....someone had changed all the address and email preferences...but for good measure they must have noted my email address and are now spamming it.....

Michelle at the Diamond Desk was very sympathetic and helpful though!

Be vigilant folks!
-- wildthing271
Post #47, Oct 4, 14, 9:53 am
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,044
Originally Posted by Globalist:
This seems a quite significant breach,

I have changed my PIN just to be sure but thought it was better to switch to a username/password login, which is less logical compared to using an account number and can be found easily.

Now that I have a username and password I still see that I can log in with my account number and (changed) PIN, which means there are now two ways into my account..

Not a great security protocol.

Globalist
Sorry, this won't save you. Yes, you can choose an account name and password, which is what I did during my HH signup some years ago.

However, on my first call to the HH desk, I was asked by the phone system, before being put through, for my account number and 2 random first/second/third/fourth digits of my PIN number, to screen and confirm one's user ID so that when you reach a live person you are already validated.

The HH person I queried when put through said I still have a PIN number, and they caused it to be emailed, which I immediately reset and deliberately forgot.

So any hacker can try any number of 'made-up' account numbers of the right length and PIN passwords of 0000-9999 as an easy brute-force hack. The ACCT/PIN combo is still associated even if you used name/password from signup day instead.

Obviously the hacker is only interested in high-value accounts pointswise for redeeming the points. On IHG in Summer 2012 it was to untraceable Amazon e-vouchers to the account's changed email address (IHG did not notify the original email address of such email address changes).


I think it is crazy that elite programs expect us to remember some long 8-12-16 digit member number; wherever possible I use a name instead (so much easier to remember), and also a password if allowed (versus a PIN). Some of my programs now belatedly allow the name-type extra sign-on, such as KLM for me .. although as both me/girlfriend registered on the same email address we can't make use of the KLM change.

Last edited by scubaccr; Oct 4, 14 at 10:01 am
-- scubaccr
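The exposure scubaccr describes above, a fixed-length account number paired with a 0000-9999 PIN, is one a site operator can watch for on the login tier. The following Python is an added example, not code from the thread or from Hilton; the log format, field names, IP addresses and account numbers are constructed for illustration. It flags accounts that authenticate only after a run of PIN failures, flags source addresses that cycle through many distinct account numbers, and puts a number on why an unthrottled 4-digit PIN needs a lockout or rate limit.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, one line per PIN login attempt. The format and the
# account numbers are invented for this example and are not Hilton's.
SAMPLE_LOG = """\
2014-10-03T09:00:01 ip=203.0.113.5 acct=100000001 result=FAIL
2014-10-03T09:00:01 ip=203.0.113.5 acct=100000001 result=FAIL
2014-10-03T09:00:02 ip=203.0.113.5 acct=100000001 result=FAIL
2014-10-03T09:00:02 ip=203.0.113.5 acct=100000001 result=FAIL
2014-10-03T09:00:03 ip=203.0.113.5 acct=100000001 result=FAIL
2014-10-03T09:00:03 ip=203.0.113.5 acct=100000001 result=OK
2014-10-03T09:00:04 ip=198.51.100.9 acct=100000002 result=FAIL
2014-10-03T09:00:04 ip=198.51.100.9 acct=100000003 result=FAIL
2014-10-03T09:00:05 ip=198.51.100.9 acct=100000004 result=FAIL
2014-10-03T09:00:05 ip=198.51.100.9 acct=100000005 result=FAIL
2014-10-03T09:00:06 ip=198.51.100.9 acct=100000006 result=OK
2014-10-03T09:01:00 ip=192.0.2.44 acct=100000007 result=FAIL
2014-10-03T09:01:30 ip=192.0.2.44 acct=100000007 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) acct=(?P<acct>\d+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn the raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def seconds_to_exhaust_pins(digits, attempts_per_second):
    """Wall-clock time to try every all-numeric PIN at a given unthrottled rate.
    The point for the defender: a 4-digit space is gone in minutes without a lockout."""
    return 10 ** digits / attempts_per_second


def guessed_accounts(events, fail_threshold=5):
    """Accounts that saw at least fail_threshold failures and then a success:
    the shape of a PIN being guessed rather than mistyped once or twice."""
    fails = Counter()
    flagged = set()
    for e in events:
        if e["result"] == "FAIL":
            fails[e["acct"]] += 1
        elif fails[e["acct"]] >= fail_threshold:
            flagged.add(e["acct"])
    return flagged


def spraying_ips(events, distinct_threshold=4):
    """Source addresses touching many distinct account numbers: the enumeration
    of made-up account numbers of the right length that the post describes."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["acct"])
    return {ip for ip, accts in seen.items() if len(accts) >= distinct_threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("PIN-guessed accounts:", guessed_accounts(events))
    print("Enumerating sources:", spraying_ips(events))
    print("Seconds to exhaust a 4-digit PIN at 10 tries/s:",
          seconds_to_exhaust_pins(4, 10))
```

Both detectors run over the whole sample; in production the same counters would be kept per sliding window (for example, the last 15 minutes) and the flagged accounts fed to a lockout or step-up challenge rather than only printed.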
Post #48, Oct 7, 14, 12:10 pm
Join Date: Oct 2014
Posts: 1
Ouch!!

Well, add us to the growing list! 550,000 points....Ouch!! Good thing we booked a Hawaii trip with 350,000 points or they would have taken those. Account is now frozen...and being told to be patient while they work things out. Good to hear people are getting their points back! Right? Would love to hear if anyone has any suggestions..as to what worked for them to get their points back. Not only is the PIN system archaic but I think emailing your actual password or PIN when requested is old too. Seems like most sites ask you to answer secret questions or ask you to change your password in order to give you access...so Hilton if you're reading this...time to update! My husband travels "a lot". He loves being a Diamond member and likes staying at Hilton hotels. OK, I'm done ranting. Good to have a place to vent...thanks.
-- jtumbleweed
Post #49, Oct 8, 14, 9:25 am
Join Date: Oct 2013
Location: Copenhagen, Denmark
Programs: Mainly Hilton Hhonors, SAS Eurobonus
Posts: 1,981
Seems like something is happening re security:
When I just logged in now with password and PIN code, I was also asked to type in the numbers shown on a picture.
-- helosc
Post #50, Oct 8, 14, 9:46 am
Join Date: Sep 2011
Location: SFO/SMF
Programs: Holder of six "persona non-grata" awards
Posts: 1,903
Originally Posted by helosc:
Seems like something is happening re security:
When I just logged in now with password and PIN code, I was also asked to type in the numbers shown on a picture.
It's a small step, but we really need to be able to select a more robust password overall. Most of my banking passwords, etc., are over 10 digits.
-- fozziedoggie
Post #51, Oct 9, 14, 4:37 am
nrr
Join Date: Jul 2003
Location: jfk area
Programs: AA platinum; 2MM AA, Delta Diamond, Hilton Diamond
Posts: 8,781
Many websites let you set up a 2-step verification system: if you are not using a "known" computer to log in, you must enter a 2nd code--sent to your cellphone as a text message (or home phone, as a voice mail message); this is inconvenient, but helpful in defeating hackers.
-- nrr
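nrr's post describes the 2-step verification pattern: a password, plus a second code unless the device is already known. As an added example (not code from the post, from FlyerTalk or from Hilton), here is a minimal server-side version in Python. It uses a time-based one-time code (TOTP, RFC 6238, checked against the RFC's published test secret) standing in for the SMS or voice code the post mentions, and a remembered-device token that lets a known computer skip the second step. The function and class names are the example's own.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 6238 test secret, used only so the code can be checked against the RFC's
# published vectors; a real deployment generates a random secret per user.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret, counter, digits=6):
    """HMAC-based one-time code (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, digits=6):
    """Time-based code (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time // STEP_SECONDS), digits)


def verify_totp(secret, submitted, unix_time, window=1):
    """Accept the current code or one step either side to tolerate clock skew.
    compare_digest keeps the comparison constant-time."""
    counter = int(unix_time // STEP_SECONDS)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


class TrustedDevices:
    """Server-side record of devices that already completed the second step."""

    def __init__(self):
        self._tokens = set()

    def remember(self):
        token = secrets.token_urlsafe(32)  # handed to the browser as a cookie
        self._tokens.add(token)
        return token

    def is_known(self, token):
        return token is not None and token in self._tokens


def login(password_ok, device_token, devices, secret, code, unix_time):
    """Decide one login attempt: the second factor is required only on an unknown device."""
    if not password_ok:
        return "denied"
    if devices.is_known(device_token):
        return "ok"
    if code is not None and verify_totp(secret, code, unix_time):
        return "ok"
    return "second-factor-required"


if __name__ == "__main__":
    devices = TrustedDevices()
    now = 59  # RFC 6238 vector: counter 1, 6-digit code 287082
    print(login(True, None, devices, TEST_SECRET, None, now))      # second-factor-required
    print(login(True, None, devices, TEST_SECRET, "287082", now))  # ok
    token = devices.remember()
    print(login(True, token, devices, TEST_SECRET, None, now))     # ok
```

The remembered-device token is what makes the scheme bearable day to day; a real service would also bind it to an expiry and let the user revoke it, so that a stolen cookie does not bypass the second step indefinitely.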
Post #52, Oct 10, 14, 10:46 am
Join Date: Sep 2008
Location: LAX
Posts: 194
Add one to the victims list... just had a few hundred thousand points drained to purchase some British gift cards..

working with CS to open a fraud case now..
-- bradcc
Post #53, Oct 10, 14, 6:20 pm
Join Date: Jun 2000
Location: YYZ
Programs: AC, AA, UA, BA, Hilton
Posts: 2,906
Looks like the locked in CC problem still exists, as I'm currently in contact with the HHonors rep on FT who's also working on getting my CC removed from the Hilton website. So the problem still exists and the "delete" button still doesn't work, at least for me. And I tried different end dates, tried to switch the CC number, still the original number and dates come up. So it's not a new problem, and should have been resolved by Hilton many months ago.

bj-21.
-- blackjack-21
Post #54, Oct 10, 14, 7:05 pm
JBD
Join Date: Apr 2005
Posts: 521
Originally Posted by blackjack-21:
...So it's not a new problem, and should have been resolved by Hilton many months ago...
Exactly!

The issues in this thread were brought to Hilton's attention several months ago. The HHonorsRepresentative supposedly was "on it".

But now we've had not an insignificant number of people reporting they've had their accounts hacked and points stolen (which as noted up thread was always my primary concern with the sorry state of security on Hilton's website), as reported here:

http://www.flyertalk.com/forum/hilto...r-changed.html

I keep linking all these threads in the hope that the main issue, Hilton's website not safeguarding our accounts, would receive more attention so that Hilton would be more pressured to get this fixed - now.

And question to the community: has anyone seen these reports of hacked accounts on any of the other boards or blogs? Any report of this in any hotel trade papers?

If not, why? Data breaches usually get a lot of coverage.

Can we at least make a sticky with these threads?

This matter is not trivial.
-- JBD
Post #55, Oct 17, 14, 12:59 pm
Join Date: Oct 2008
Location: Ramstein, Germany
Posts: 60
HHonors Account Hacked!

I just received several emails from HHonors where someone has hacked into my account, changed ALL of my information to an address in Poland, my PIN number, my email address, password, etc. They also spent over 195,000 of my points on a Beats by Dr. Dre headset. I called HHonors and they said I'm not the only one with this problem, several others have called in. GO INTO YOUR ACCT NOW AND CHANGE YOUR INFORMATION!!

Hope no one else has been hacked!
-- USAF_O1
Post #56, Oct 17, 14, 1:21 pm
Join Date: Nov 2013
Programs: HH Diamond, IHG Spire, Marriott Silver, WN CP
Posts: 395
There is another thread on this.

http://www.flyertalk.com/forum/hilto...r-changed.html

You are the first to report this since they added the CAPTCHA, but I have a feeling they got your data before that.
-- HansGruber
Post #57, Oct 17, 14, 4:58 pm
Join Date: Sep 2013
Location: Paradise
Posts: 1,044
Curious, if they changed your email address how did Hilton send you an email informing you? I would think the account would send any mail to the newly listed email.
-- Yellowjj
Post #58, Oct 17, 14, 5:06 pm
Join Date: Feb 2014
Programs: Amex Plat, Hilton Diamond, SPG Gold, Carlson Gold, CM Presidential / *A Gold, Hertz 5*
Posts: 989
Originally Posted by Yellowjj:
Curious, if they changed your email address how did Hilton send you an email informing you? I would think the account would send any mail to the newly listed email.
Do they email the old address, once it is changed to new email address, stating that the account's email address has been updated and to please contact them asap if it was not done by the account holder?
-- pmarrsouth
Post #59, Oct 17, 14, 7:15 pm
Join Date: Feb 2009
Programs: IHG,Hyatt, Hilton Diamond, Marriott, Wyndham, SPG, United, Delta, Alaska, AA, Southwest
Posts: 5,272
Originally Posted by pmarrsouth:
Do they email the old address, once it is changed to new email address, stating that the account's email address has been updated and to please contact them asap if it was not done by the account holder?

When you make any changes to your Hilton account I believe you get an email to verify you made the changes.


When I log into Hilton now I see a word challenge, so they are addressing the problem.
-- flyer4512
Post #60, Oct 18, 14, 2:43 pm
Join Date: Sep 2011
Location: Haywards Heaths, England
Programs: HH D, IHG G, SPG G
Posts: 47
As soon as I was aware of the 'hack' I called the Diamond Desk..it took some time with the involvement of their fraud team, but they took a new email address from me...my account was then locked for about 10 days which caused some pain, but after that I received a new account number, and my points were restored....
-- wildthing271
