loyalitiz

As seen on Loyalitylobby :

http://loyaltylobby.com/2014/10/30/h...counts-online/

-> change your password asap !

IMH

The blogger you quote got the story from the post immediately above yours (and acknowledged that he had done so).

Changing passwords won't deactivate the PINs that -- as far as I can tell -- are a means to access all HHonors accounts regardless of any settings users change.

MarriotAdovacte

[QUOTE=IMH;23769720]The blogger you quote got the story from the post immediately above yours (and acknowledged that he had done so).



Changing passwords won't deactivate the PINs that -- as far as I can tell -- are a means to access all HHonors accounts regardless of any settings users change.[/QUOTE I've switch over too Marriot never hadp roblem and the hotel staff in each locion is amazing! People need to change there passwords and emails.

I've manage found these.



Here is even one person who has 11 Thousand of are accounts!



Link in his/her thread, http://gyazo.com/a34601f2c938fe4987f2b071fe29577d

JohnMacWW

Embarrasingly, I am not really sure how many points I had (or should have). When I look at All Points Activity in My Account it does not seem to even have a data point for point withdrawals.

How can you look up how points have been used and deducted from your balance?

sethb

Mine shows a certificate issued and a negative number of points associated with that (along with the stay information).

JohnMacWW

So in the same columns for points earned, it shows a negative number?
Well then, I have not been hacked (so far) anyway. But weirdly I cannot find my last use of points either.
I just changed by pin, but that seems pretty weak. It justs 4 digits. Seems to me that having a password just adds another code to guard that can be hacked (i.e. that there is not really any upside, security-wise, to adding and/or using a password instead of a PIN.

MBS MillionMiler

Yeah, paging HHRepresentative....I'm not quite sure how many points I should have...I did redeem twice in this calendar year and nothing is showing up, only my earnings!

myapologies

I hope my post will help some of you all better secure your accounts and also put some pressure on Hilton to beef up their very flawed security measures.

treppenlaeufer

This is one of the most obscure stories I have come across in a while.

1) Thousands and thousands of Hilton accounts get hacked by a simple brute force attack that needs to go through no more than 10000 possible combinations, and there was nothing in the way to stop it
2) Despite numerous reports over the years, Hilton has still not pulled the possibility to exchange Hilton points for giftcards or other reselling goods - that would lower the attraction to Hilton points dramatically for outsiders
3) Despite this being a major security breach ongoing for weeks now, with hard evidence available through online forums, Hilton has not yet commented - there is a huge amounts of personal data available to hackers here (address, stay history, frequent flyer numbers etc)
4) The press/media have not yet picked up on this story
5) To top it all off, one of the hacking forum members turns up (so he/she says), and apologises!!! ...?

Anyone with good connections to media in some country? This story has the potential to go global and that should result in sufficient motivation by Hilton to sort their IT security out...!

mnredfox

Hmm, I seem to be missing points now (albeit only maybe 200K). Anyway to check? In the old days when you redeem for a reservation you would see it show up in account activity. Now I feel like these days when you book a reservation the points are deducted, but then the activity never shows up until the stay occurs.

Am I right here?

MarriotAdovacte

Yes I believe you are right, just a other reason to go to marriot. ^

HansGruber

Changing passwords AND PIN is exactly what I did and I haven't had an issue. Adding the captcha will stop or at least slow the brute force attacks. The same is true for IHG since they have id and PIN too.

wav3rider

Krebsonsecurity is going to be doing a story on this. I was emailing with him earlier and also clued him on the United pin use also.

Fredd

Mrs. Fredd removed her (Hilton) credit card from her account details and finds it back in her account this morning.

Judging by the posts to this thread, this could be a wholesale problem. Think of all the Hilton customers who don't monitor their accounts as carefully as FTers.

Why hasn't Hilton contacted customers, as SPG did recently after a similar problem?

JohnMacWW

I think you are. I booked some reward nights and used up some points. It does not show on my balance. They way they show points it is not really a points account statement. Just a rolling list of additions. Some posters have reported having a negative amount in the points earned collumn but I am definately missing mine. And the way the page is set up, there is not beginning balance/ ending balance feature by any annual period.