Hilton Honors Website Security - Accounts hacked Oct 2014

Old Oct 18, 14, 7:01 pm
  #61  
JBD
 
Join Date: Apr 2005
Posts: 520
Great job sqeakr! Thanks for making the sticky.

I for one have been hoping that the HHonorsRepresentative would comment on all the recent hacks. Erin posted the following in the http://www.flyertalk.com/forum/hilto...a-logging.html thread:
Originally Posted by HHonorsRepresentative View Post
Hi there,

Thanks for your question! At this point, CAPTCHA is a long-term solution and has been implemented as an extra security measure for the safety of our members. I am collecting your feedback each day and passing along to my team so they are looped in on the user experience.

Thanks,
Erin
But she makes no mention as to why HH is implementing this extra security measure now.

I'll repeat my questions I posted above:
Originally Posted by JBD View Post
...question to the community: has anyone seen these reports of hacked accounts on any of the other boards or blogs? Any report of this in any hotel trade papers?

If not, why? Data breaches usually get a lot of coverage...
I'm re-asking these questions, because if in fact there's been no other reporting of this data breach, then currently HH has been able to come away pretty scot-free. And that just doesn't seem right.

What other business, where customer loyalty is such a key to success, could have been notified in public in April of serious website security issues (as HH was according to posts in the beginning of this thread), then have encountered multiple data breaches, which were reported in a public forum where their company has a representative present, and then merely add a new security feature to their website, and make no further comment?

When Target was breached, for instance, apologies were issued, discounts were offered.

I'm glad to see that the FTers who were hacked are receiving their points back. But what about the inconveniences they suffered waiting for their accounts to be reopened, not to mention the aggravation and stress I'd imagine accompanied their ordeal? What about the fact that if points could be taken, then addresses, phone numbers, travel habits were also exposed?

I'd like to see HH acknowledge this breach publicly. And I'd like to see HH not just re-instate the stolen points, but offer proper compensation to those that were hacked.

And, of course, I'd like to see HH actually address their website vulnerabilities rather than use a CAPTCHA bandaid that was not designed for the purpose HH is using it for.

Hilton's not some mom and pop outfit after all! Where's Hilton's Mea Culpa?
JBD is offline  
Old Oct 19, 14, 6:51 am
  #62  
 
Join Date: May 2012
Programs: Hilton Diamond DL Platinum UA 1K, DL Gold, Marriott Gold
Posts: 500
Completely agree. In another post I outlined 3 hacks in the last 10 days and lost 258,000 points.

They say they'll put them back in but I'll believe it when I see it. I have to open a new email account, new username, new passwords, new pins etc and I have spent $150 calling the Diamond Desk from Thailand as well as wasting valuable hours.

I have the same email on 50 different businesses, banks, airlines etc and never a problem.

And Hilton would like to sweep it under the rug. They have a bunch of incompetents in the IT dept and the Billion $ company has their head in the sand.

Hello Marriott
kapkap46 is offline  
Old Oct 19, 14, 6:58 am
  #63  
 
Join Date: May 2012
Programs: Hilton Diamond DL Platinum UA 1K, DL Gold, Marriott Gold
Posts: 500
By the way after changing all those things mentioned, I got no response from Hilton either at old or new email address.

So beware!!!
kapkap46 is offline  
Old Oct 19, 14, 7:03 am
  #64  
 
Join Date: Oct 2008
Location: Ramstein, Germany
Posts: 60
When mine was hacked, they deleted my primary email but forgot to delete my secondary email I had listed on my account. So I got an email stating that my primary address was deleted and it had the email of the user that hacked my account CC'd.
USAF_O1 is offline  
Old Oct 19, 14, 8:06 am
  #65  
 
Join Date: May 2012
Programs: Hilton Diamond DL Platinum UA 1K, DL Gold, Marriott Gold
Posts: 500
They instantly re-hacked my account. Called again from Thailand, finally got someone with a brain after 4 overseas calls and I don't know how many hours.

Changed my # while I was on the phone, merged the information and I set up all new passwords, pins, usernames etc.

Hopefully that will work but I have no faith in Hilton, and anyone out there, if you are smart, protect yourself because all your information including credit cards are available to these Hackers.

And Hilton is doing nothing!!!
kapkap46 is offline  
Old Oct 20, 14, 3:02 pm
  #66  
 
Join Date: Jun 2013
Location: STL
Programs: Southwest A+/CP, Hilton Diamond, National Executive Elite
Posts: 160
Website down again today - captcha now involves words instead of just a few numbers. This is getting out of hand...
aaronp84 is offline  
Old Oct 21, 14, 11:17 pm
  #67  
 
Join Date: Nov 2013
Programs: HH Diamond, IHG Spire, Marriott Silver, WN CP
Posts: 395
Mine has been numbers every time so far. Would you prefer that it's easier for your account to be hacked? In the long run eliminating the PINs all together would be the best idea but that doesn't seem to be the case yet.
HansGruber is offline  
Old Oct 22, 14, 6:24 am
  #68  
 
Join Date: May 2012
Programs: Hilton Diamond DL Platinum UA 1K, DL Gold, Marriott Gold
Posts: 500
How much easier can it be. They hacked me 3 times after they supposedly fixed it.
kapkap46 is offline  
Old Oct 22, 14, 10:56 am
  #69  
 
Join Date: Jun 2013
Location: STL
Programs: Southwest A+/CP, Hilton Diamond, National Executive Elite
Posts: 160
Originally Posted by HansGruber View Post
Mine has been numbers every time so far. Would you prefer that it's easier for your account to be hacked? In the long run eliminating the PINs all together would be the best idea but that doesn't seem to be the case yet.
No, I would prefer they implement a strong password policy instead of a 4 number pin that is figured out in a short matter of time.
aaronp84 is offline  
Old Oct 24, 14, 9:50 pm
  #70  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,042
Originally Posted by aaronp84 View Post
No, I would prefer they implement a strong password policy instead of a 4 number pin that is figured out in short matter of time.
With 4-digit numeric pins, solution is easy enough.... HH can simply stop brute strength attacks by implementing an increasing interval after nn failed password attempts.

e.g.
3 attempts ok back to back is fine, allows for incorrect entry, especially non-pin passwords when accidentally I have set keyboard as 'caps on'

if password 1-3 attempts invalid, force wait 30 minutes before being allowed another 3x retry password attempts

if 4th-6th password attempts invalid, force wait 2 hours before allowed retry password 3x again
(and keep to this 2 hour delay thereafter)

AND when you legitimately log on with next good password, HH can flash up on screen message like
"nn Unsuccessful login attempts since last logon" to warn of attempted hack attempts.
scubaccr is offline  
Old Oct 24, 14, 11:05 pm
  #71  
FlyerTalk Evangelist
 
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy Titanium, Hyatt Explorist, others
Posts: 11,594
That doesn't work at all: they get 1,000,000 account numbers, and try each one with one PIN. On average, they'll crack about 100 of them, without trying any account twice.
sethb is online now  
Old Oct 25, 14, 8:27 pm
  #72  
 
Join Date: Aug 2012
Location: New York
Posts: 158
Originally Posted by scubaccr View Post
With 4-digit numeric pins, solution is easy enough.... HH can simply stop brute strength attacks by implementing an increasing interval after nn failed password attempts.

e.g.
3 attempts ok back to back is fine, allows for incorrect entry, especially non-pin passwords when accidentally I have set keyboard as 'caps on'

if password 1-3 attempts invalid, force wait 30 minutes before being allowed another 3x retry password attempts

if 4th-6th password attempts invalid, force wait 2 hours before allowed retry password 3x again
(and keep to this 2 hour delay thereafter)

AND when you legitimately log on with next good password, HH can flash up on screen message like
"nn Unsuccessful login attempts since last logon" to warn of attempted hack attempts.
I think they typically use proxies to change their IP address. It's not easy to enforce.
AnthonyF1227 is offline  
Old Oct 26, 14, 4:03 am
  #73  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,042
Originally Posted by AnthonyF1227 View Post
I think they typically use proxies to change their IP address. It's not easy to enforce.
The issue of which IP hackers use is not relevant.

HH system would be controlling the 30min/120min password entry lock; this methodology is widely used elsewhere when using simple 4x numeric passwords (and sometimes even password entry), not some cookies on the member's browser.

The other post saying hackers will try 1,000,000 accounts with the same password presupposes a list of 1 million good account numbers; a randomly created list of a million accounts will not be possible.

Also 4-numeric passwords are not randomly distributed; users need values easier to remember, often dates (not necessarily birthdays/anniversary dates though), so nnnn is often aa + bb where aa=1-12/1-31 and bb=1-12/1-31, and in effect less than 20% of possible number pin combos account for 80% of actual pin numbers.
scubaccr is offline  
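The lockout schedule scubaccr proposes, sethb's objection that one guess per account across a large account list never trips a per-account lock, and the observation that real PINs cluster on date shapes can all be put together as a defender's model. The following is an added example, not Hilton's code and not anything posted in this thread: it implements the escalating per-account lockout as server-side state (so the client's IP or cookies play no part), a site-wide detector that counts distinct accounts failing inside a sliding window (the signal a spray produces regardless of the proxies used), and a PIN-quality check that refuses MMDD/DDMM-shaped PINs at set time. Class and function names, the 60-second window, the 20-account baseline and the simulated login events are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Lockout schedule proposed in the thread: three back-to-back attempts are free,
# the next lock is 30 minutes, every lock after that is 2 hours.  (Assumed values.)
ATTEMPTS_PER_WINDOW = 3
LOCK_SECONDS = [0, 30 * 60, 2 * 60 * 60]   # level 0: none, level 1: 30 min, level 2+: 2 h


class AccountGuard:
    """Server-side lockout state for one account; independent of client IP or cookies."""

    def __init__(self):
        self.failures_in_window = 0
        self.lock_level = 0
        self.locked_until = 0.0
        self.failed_since_last_success = 0

    def attempt(self, pin_ok, now):
        if now < self.locked_until:
            return "locked"                      # refused before the PIN is even checked
        if pin_ok:
            n = self.failed_since_last_success   # shown to the owner at logon, as proposed
            self.failed_since_last_success = 0
            self.failures_in_window = 0
            self.lock_level = 0
            return f"ok ({n} unsuccessful login attempts since last logon)"
        self.failed_since_last_success += 1
        self.failures_in_window += 1
        if self.failures_in_window >= ATTEMPTS_PER_WINDOW:
            self.lock_level = min(self.lock_level + 1, len(LOCK_SECONDS) - 1)
            self.locked_until = now + LOCK_SECONDS[self.lock_level]
            self.failures_in_window = 0
            return "rejected, locked"
        return "rejected"


class SprayDetector:
    """Site-wide count of distinct accounts with a failed login inside a sliding window.
    One guess per account never trips per-account lockout, but it fails on far more
    distinct accounts than normal traffic does, whatever IPs the guesses come from."""

    def __init__(self, window_seconds, max_distinct_accounts):
        self.window = window_seconds
        self.limit = max_distinct_accounts       # assumed baseline; tune from real traffic
        self.events = deque()                    # (timestamp, account_id)

    def record_failure(self, account_id, now):
        self.events.append((now, account_id))
        while self.events and self.events[0][0] < now - self.window:
            self.events.popleft()
        return len({acct for _, acct in self.events}) > self.limit


def expected_compromises(accounts_tried, pin_space=10_000):
    """One random guess per account against uniformly chosen 4-digit PINs."""
    return accounts_tried / pin_space


DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def is_date_like(pin):
    """True if a 4-digit PIN reads as MMDD or DDMM; a PIN policy can refuse these at set time."""
    a, b = int(pin[:2]), int(pin[2:])

    def valid(month, day):
        return 1 <= month <= 12 and 1 <= day <= DAYS_IN_MONTH[month - 1]

    return valid(a, b) or valid(b, a)


def date_like_pin_count():
    return sum(is_date_like(f"{p:04d}") for p in range(10_000))   # share of the 10,000 PINs


def run_demo():
    """Constructed scenario: repeated guesses at one account, then one guess each at 50."""
    guards = defaultdict(AccountGuard)
    detector = SprayDetector(window_seconds=60, max_distinct_accounts=20)

    def login(account, pin_ok, now):
        outcome = guards[account].attempt(pin_ok, now)
        alert = detector.record_failure(account, now) if outcome.startswith("rejected") else False
        return outcome, alert

    targeted = [login("member-1", False, t)[0] for t in (0, 1, 2)]
    targeted.append(login("member-1", True, 100)[0])     # owner arrives inside the 30-minute lock
    targeted.append(login("member-1", True, 2000)[0])    # lock has expired

    alerted_after = None
    for i in range(50):
        _, alert = login(f"member-{1000 + i}", False, 10 + i)
        if alert and alerted_after is None:
            alerted_after = i + 1                        # member-1 already counts as one account
    locked = sum(1 for i in range(50) if guards[f"member-{1000 + i}"].locked_until > 0)
    return {"targeted": targeted, "spray_alert_after": alerted_after,
            "spray_accounts_locked": locked}


if __name__ == "__main__":
    print(run_demo())
    print(expected_compromises(1_000_000), date_like_pin_count())
```

Run stand-alone, the demo shows both halves of the argument: the targeted run locks the account on the third failure and the returning owner is told how many failed attempts preceded the logon, while the one-guess-per-account run locks nothing at all and is caught only by the site-wide distinct-account counter. The date-shaped PINs occupy well under a tenth of the 10,000-PIN space, which is why a set-time blocklist of them costs users little.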
Old Oct 27, 14, 10:20 pm
  #74  
 
Join Date: Dec 2013
Programs: NZ Airpoints GE, Qantas Platinum, Accor Platinum, Hilton Diamond
Posts: 443
Sign-in is pretty useless these last three days for me.
Enter my password (number) and Captcha words (they seem to have stopped number pictures) and upon signing in I get the session expired page. Start again and same outcome. I have made six personal reservations despite this carry-on and am trying to give them a seventh business travel booking.
As I live in New Zealand my most active time on the Hilton website usually tends to be when they assume most are asleep, so I often bump into site maintenance signs, too.
CHCflyer is offline  
Old Oct 29, 14, 3:05 pm
  #75  
 
Join Date: Oct 2014
Posts: 2
Hi, everyone.

I made an account on this forum to make you all aware of a blackhat forum where the selling of your cracked Hilton HHonors accounts are bought and sold.

I am a member of said forum, but I think that it is wrong that they are doing this to you all.

The website is http://leakforums.org or http://leak.sx. They're both the same website. Now, you'll have to create an account on the forum and then visit this forum thread http://leakforums.org/thread-367084. You can't see it without first making an account.

The thread looks like this

Post: #1(This post was last modified: 10-27-2014 12:58 AM by Imperfectluck.) The Cheapest HHonor Hilton Bulk Available FAST and ONLINE
Currently Stocked on HHonorHilton accounts!
You can view what you can get with how many points by looking here, Points Catalogue. Remember these are cracked accounts that's why they are cheap, most them have been inactive and all are checked and I know exactly how much is in which. View things you could buy is say with 30k point account you can get a $50 Giftcard etc, for those who all don't know about HHonor Hilton. I'm pretty active so expect fast accounts, all are checked and I know how much are in which.

Payments BTC/PP only

30k-39k - $1.50 cents.
40k-49k - $2
50k-59k - $2.50
60k-69k - $3
70k-79k - $3.50
80k-89k - $4
90k-100k - $4.50


Please Post here then send me a PM. prices could vary.

T.O.S
1. I'm not responsible for what you choose to do with the accounts after purchase.
2. If account does not work moment after purchase a refund will be issued or replace with a new account.
The name of this seller is Imperfectluck.

Maybe presentation of some of this stuff to Hilton will make them a bit more motivated to fix things.
myapologies is offline  
