Hilton Honors Website Security - Accounts hacked Oct 2014

Reply Subscribe

Thread Tools

Search this Thread

Nov 2, 14, 1:33 pm

#91

sethb

FlyerTalk Evangelist

Join Date: Jun 2004

Location: MSP

Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others

Posts: 12,044

Under "My Points / All Points Activity" I see a stay showing -150,000 points, and another stay showing -60,000 points.

I don't currently have any upcoming points reservations to see how those would show.

Nov 2, 14, 1:37 pm

#92

JohnMacWW

Join Date: Dec 2010

Location: Sacramento, CA

Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star

Posts: 656

[QUOTE=sethb;23779955]Under "My Points / All Points Activity" I see a stay showing -150,000 points, and another stay showing -60,000 points.
QUOTE]

Does either negative entry correspond to something you know what it is (i.e. where you redeemed something etc)?

Nov 2, 14, 3:07 pm

#93

sethb

FlyerTalk Evangelist

Join Date: Jun 2004

Location: MSP

Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others

Posts: 12,044

Quote:

Originally Posted by JohnMacWW

Quote:

Originally Posted by sethb

Under "My Points / All Points Activity" I see a stay showing -150,000 points, and another stay showing -60,000 points.

Does either negative entry correspond to something you know what it is (i.e. where you redeemed something etc)?

They both correspond to stays, and seem to be at the correct rates for those hotels. The dates shown are the dates of those stays.

Nov 2, 14, 9:41 pm

#94

mnredfox

FlyerTalk Evangelist & Ambassador: China

Join Date: Aug 2005

Location: DEN

Programs: DL DM/MM, UA 1K, AA Exp, HH Dia, WOH Glob, IHG Plat, Marriott Gold, NA EE, Hertz PC

Posts: 17,374

Quote:

Originally Posted by JohnMacWW

I think you are. I booked some reward nights and used up some points. It does not show on my balance. They way they show points it is not really a points account statement. Just a rolling list of additions. Some posters have reported having a negative amount in the points earned collumn but I am definately missing mine. And the way the page is set up, there is not beginning balance/ ending balance feature by any annual period.

Well then, this makes it easier for hackers now. How hard is it to show pts when they have been deducted?

Nov 4, 14, 6:53 am

#95

JohnMacWW

Join Date: Dec 2010

Location: Sacramento, CA

Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star

Posts: 656

Quote:

Originally Posted by mnredfox

Well then, this makes it easier for hackers now. How hard is it to show pts when they have been deducted?

They can certainly do it but it will take some website reworking, that if for sure. But it seems apparant that the current approach they are taking is not being used consistently. Sometime a negative number is used in the points acquired column, but other times it is never evenlisted.

Since there is no reporting period where they summ up your balance (beginning balance, points earned, points used, closing balance) they are certainly making it harder to even notice if points are lost.

Nov 4, 14, 7:21 am

#96

msmont

Join Date: Jun 2006

Programs: Delta - Plat, Hilton - Diamond

Posts: 139

Wow, I haven't had my account hacked, but was wondering about the Captcha now required. I'm surprised it took this long to hack, PIN codes are very insecure and I doubt anyone uses them to login.

BTW also agree that it's wrong for the CSR can see our passwords. One time they asked for it over the phone to verify it's me. What system allows their personal to see passwords? I might re-use that password for my bank or credit card, heck I might have swear words in my password and don't want to say them out loud to a person over the phone.

Nov 4, 14, 2:41 pm

#97

elg26

Join Date: Jan 2014

Location: NJ

Programs: United Silver, Hyatt, Marriott Gold, HHonors Gold, Amex Plat, Global Entry

Posts: 751

Stupid question. People are asking why isn't media covering this.

My question is why isn't it on home page of FT??

Nov 4, 14, 3:44 pm

#98

AKCuisine

Join Date: Feb 2013

Location: ANC

Programs: AS; Hyatt; Bonvoy

Posts: 1,718

Quote:

Originally Posted by Fredd

Mrs. Fredd removed her (Hilton) credit card from her account details and finds it back in her account this morning.

Judging by the posts to this thread, this could be a wholesale problem. Think of all the Hilton customers who don't monitor their accounts as carefully as FTers.

Why hasn't Hilton contacted customers, as SPG did recently after a similar problem?

I have tried repeatedly - and unsuccessfully - to remove my credit card from my HH account. Has anyone been able to take this step?

My pin & PW have been changed but I'd like to remove my card number, too, given how lax Hilton has been with their website security.

Nov 4, 14, 4:10 pm

#99

sdsearch

FlyerTalk Evangelist

Join Date: Jan 2005

Location: home = LAX

Posts: 25,779

Quote:

Originally Posted by msmont

I might re-use that password for my bank or credit card.

In this era of data breaches, that's exactly what the hackers are hoping for: That they'll figure out one of your more valuable logins based on the login they stole.

That's why you should try to never use the same password at sites of different need of security (and best if you never reuse a password exactly the same at all for any site where anything could be stolen from you).

Now, if you need a password to read a newspaper online, there's not that much harm that could come from having that password be stolen. But a bank???

Nov 4, 14, 4:13 pm

#100

sdsearch

FlyerTalk Evangelist

Join Date: Jan 2005

Location: home = LAX

Posts: 25,779

Quote:

Originally Posted by AKCuisine

Well, have you tried changing it to a different card? Such as one which you have cancelled or a Visa/MC/Amex gift card that you've used up? I don't think the website checks for whether funds are available on the card until / unless you try to book a room with it.

Nov 4, 14, 4:14 pm

#101

fozziedoggie

Join Date: Sep 2011

Location: SFO/SMF

Programs: Holder of six "persona non-grata" awards

Posts: 1,911

Need the mobile app. Go to your cc info in the mobile app and delete the card (for iPhone/iPad, you finger "swipe" the card info across the screen and a delete option comes up).

Quote:

Originally Posted by AKCuisine

Nov 4, 14, 5:09 pm

#102

AKCuisine

Join Date: Feb 2013

Location: ANC

Programs: AS; Hyatt; Bonvoy

Posts: 1,718

Quote:

Originally Posted by fozziedoggie

Need the mobile app. Go to your cc info in the mobile app and delete the card (for iPhone/iPad, you finger "swipe" the card info across the screen and a delete option comes up).

I just tried that & got excited when it looked like it accepted the deletion on the mobile app. But then when I go back and log into the regular website, the card is still listed in my account ...

Looks like I'll try sdsearch's method and add an expired card, then set that as primary & try deleting my HHonors credit card.

We shouldn't have to go through all of these steps to try to safe guard our information.

Nov 4, 14, 6:28 pm

#103

Hackforums

Join Date: Nov 2014

Posts: 2

Proof of HForums doing the dirtywork

I actually have no connection with the sales/buying or activity of the illegal and abuse and trouble that this causes people. I had my credit card stolen about 4 months back. You can get your stuff back but it is just ridiculous what is going on these days.. When my card was stolen they sent $400 to some flower business in the UK. I never heard what happened besides me getting my money back

http://i.imgur.com/7Y8R4i0.png

up at the top it shows the link to that page you need to register to see it.

Last edited by squeakr; Dec 4, 14 at 11:02 pm Reason: image too large

Nov 4, 14, 6:29 pm

#104

Hackforums

Join Date: Nov 2014

Posts: 2

whelp here is an example of what is happening to you honor points and where it is sold the link is in the top of the immage.

http://i.imgur.com/7Y8R4i0.png