Consolidated "Hilton Honors Account Hacked" thread
Dec 28, 2014, 3:41 pm
#122
Join Date: Jun 2009
Location: SIN
Programs: TK-G | Accor P | SQ-G | Marriott T
Posts: 3,828
this is the reply from them
I am very sure that my account has been hacked as I do not know what is Maritz
I apologize that the redemption is not listed on our website and we do not have information on what you ordered from our
Shopping Mall.
The reward was from Maritz. You can contact them at: www.hiltonhonorsshopping.com or you can call them at:
1-866-540-9745 from Monday through Friday 8:00 AM to 4:30PM Central Standard Time.
Shopping Mall.
The reward was from Maritz. You can contact them at: www.hiltonhonorsshopping.com or you can call them at:
1-866-540-9745 from Monday through Friday 8:00 AM to 4:30PM Central Standard Time.
Dec 28, 2014, 5:42 pm
#123
Join Date: Dec 2002
Location: SMF
Programs: AA EXP 4MM
Posts: 811
Your account was hacked. So was mine and many others. There is a thread about this started I believe in September 2014. You will need to call Maritz and tell them you did not order anything. Then you will need to call HHonors and ask for your points to be reinstated, and ask for a new account number.
Dec 28, 2014, 5:56 pm
#124
Suspended
Join Date: Oct 2003
Location: New York, NY
Programs: Delta - Gold; Starwood - Platinum; HHonors - Diamond & Avis Preferred
Posts: 10,869
I have not been login into my account for sometimes. Today I tried to login and it fails. I tried to reset my password also fail.
I emailed the CS and they asked me to confirmed my mailing address and phone number before they can reset my password.
I did not think much.
Once i managed to login, I notice I only have 134 points. I should have 50,134.. Also the second email is strange gmail account which I override it with my gmail account.
I was told that there is shopping on September 2014 for 50,000 points. I did not remember I do any redeemption and this is not listed under ALL Activities.
I also notice that I have not received any email from HHonors since sometimes and my milesBuster complain about problem login into my HHonors.
The CS also said "You will begin to receive all future mailings at your new email address within 3 weeks. " Seems to me the reason I did not recieve any email from HHonors because the email has been changed.
Seems like my account has been hacked and i missed 50,000 points. Anything can be done to recover this 50,000 points?
I emailed the CS and they asked me to confirmed my mailing address and phone number before they can reset my password.
I did not think much.
Once i managed to login, I notice I only have 134 points. I should have 50,134.. Also the second email is strange gmail account which I override it with my gmail account.
I was told that there is shopping on September 2014 for 50,000 points. I did not remember I do any redeemption and this is not listed under ALL Activities.
I also notice that I have not received any email from HHonors since sometimes and my milesBuster complain about problem login into my HHonors.
The CS also said "You will begin to receive all future mailings at your new email address within 3 weeks. " Seems to me the reason I did not recieve any email from HHonors because the email has been changed.
Seems like my account has been hacked and i missed 50,000 points. Anything can be done to recover this 50,000 points?
Dec 28, 2014, 6:02 pm
#125
Join Date: Nov 2008
Location: Snohomish, WA
Programs: AS MVP Gold, HHonors Diamond
Posts: 2,793
Dec 28, 2014, 7:59 pm
#126
Join Date: Jun 2009
Location: SIN
Programs: TK-G | Accor P | SQ-G | Marriott T
Posts: 3,828
Hilton should be shamed into changing their approach to account security!! I will certainly send an email to their privacy department - in fact, every person with a HHonors account might want to do the same.
Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information.
Thank you anative for starting this thread.
Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information.
Thank you anative for starting this thread.
If I did not try to login into my account yesterday and failed, I probably still in the dark about this.
I never believe on storing my credit card detail in hotel website. I only left it with paypal infact.
I called the number in China which help me to log the case and follow up with the email to US. Any idea how long it will take? It is clear a hacking issue as the 50,000 points are used in the www.hiltonhonorshoping. Is this a legit Hilton website?
What amazed me when I asked this why it is not automatically trigger investigation, as it sounds to me it is quite "common" occurrence which Hilton should know about it.
Any idea also why this "redemption" is not listed under my transactions history?
Last edited by lingua101; Dec 28, 2014 at 9:13 pm
Dec 28, 2014, 8:51 pm
#127
Join Date: Jun 2009
Location: SIN
Programs: TK-G | Accor P | SQ-G | Marriott T
Posts: 3,828
Now I think I should not "remove" the evidence.
No wonder I cannot reset my password as the system complain the information is not matched. Also when I email the CS, they asked me for more information and then said "your email has been changed" which I did not think so much until I found out something wrong with my account.
The good practice when email is being changed is 2 emails are being send out to both old and new email. Hilton has failed on this.
Dec 28, 2014, 10:37 pm
#128
Join Date: Jun 2009
Location: SIN
Programs: TK-G | Accor P | SQ-G | Marriott T
Posts: 3,828
Dec 29, 2014, 4:37 am
#129
Join Date: Oct 2009
Location: West Chester, OH
Programs: Delta SM, Hilton Honors Diamond, Marriott Silver
Posts: 254
I guess I'm one of the lucky ones that hasn't been hacked. Thanks to all for the information in this thread. I've looked but don't seem to find info related to my question, but how do you change from HH#/PIN to username/PW for login? I'm still on the former.
Dec 29, 2014, 8:15 pm
#130
FlyerTalk Evangelist
Join Date: Jan 2005
Location: home = LAX
Posts: 25,933
Hilton would have to change it at their end (like Delta just did in recent months) to totally replace the PIN with only a password.
(And while Delta has gotten rid of PINs for online login, UA and BA still have them, and they're undoubtely not the only ones besides Hilton.)
Dec 30, 2014, 5:03 am
#131
Join Date: Oct 2009
Location: West Chester, OH
Programs: Delta SM, Hilton Honors Diamond, Marriott Silver
Posts: 254
It doesn't matter. All you can do is add a password, but the PIN login stays functional. So even if you start using the password yourself, the still-active PIN remains the weak link.
Hilton would have to change it at their end (like Delta just did in recent months) to totally replace the PIN with only a password.
(And while Delta has gotten rid of PINs for online login, UA and BA still have them, and they're undoubtely not the only ones besides Hilton.)
Hilton would have to change it at their end (like Delta just did in recent months) to totally replace the PIN with only a password.
(And while Delta has gotten rid of PINs for online login, UA and BA still have them, and they're undoubtely not the only ones besides Hilton.)
Jan 2, 2015, 6:39 pm
#132
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
It doesn't matter. All you can do is add a password, but the PIN login stays functional. So even if you start using the password yourself, the still-active PIN remains the weak link.
Hilton would have to change it at their end (like Delta just did in recent months) to totally replace the PIN with only a password.
(And while Delta has gotten rid of PINs for online login, UA and BA still have them, and they're undoubtely not the only ones besides Hilton.)
Hilton would have to change it at their end (like Delta just did in recent months) to totally replace the PIN with only a password.
(And while Delta has gotten rid of PINs for online login, UA and BA still have them, and they're undoubtely not the only ones besides Hilton.)
Jan 4, 2015, 3:00 pm
#133
Join Date: May 2010
Location: Rockin' the Bakken
Programs: Several
Posts: 978
Just a heads up to everyone, my account was hacked.
I received an award reservation confirmation email for the Hilton in Rotterdam costing 80,000 points, of which I of course did not make a reservation for. The funnier part was the confirmation was not in my name.
When I called Hilton, they seemed to straighten everything out over the phone. I received another e-mail from guest assistance asking if there was anything else they can help with, but the e-mail was addressed to whomever made the false reservation. Hilton even confirmed that I had called in to make the reservation, but for someone else. The credit card to be held for incidentals was also not one of my own. I just found it interesting that they addressed the e-mail to the fictitious person rather than me even though it was my account number.
Luckily, the confirmation e-mail was sent to me, and I read it within minutes because the reservation was for the same night I received the e-mail.
Just a word of warning for everyone to keep an eye out on your accounts. I have to have a new HHonors account created with everything (points, gold status, etc) rolled over to the new account so hopefully it won't be a huge headache. So far though, Hilton has been pretty easy to work with in the matter.
I received an award reservation confirmation email for the Hilton in Rotterdam costing 80,000 points, of which I of course did not make a reservation for. The funnier part was the confirmation was not in my name.
When I called Hilton, they seemed to straighten everything out over the phone. I received another e-mail from guest assistance asking if there was anything else they can help with, but the e-mail was addressed to whomever made the false reservation. Hilton even confirmed that I had called in to make the reservation, but for someone else. The credit card to be held for incidentals was also not one of my own. I just found it interesting that they addressed the e-mail to the fictitious person rather than me even though it was my account number.
Luckily, the confirmation e-mail was sent to me, and I read it within minutes because the reservation was for the same night I received the e-mail.
Just a word of warning for everyone to keep an eye out on your accounts. I have to have a new HHonors account created with everything (points, gold status, etc) rolled over to the new account so hopefully it won't be a huge headache. So far though, Hilton has been pretty easy to work with in the matter.
Jan 5, 2015, 1:37 pm
#134
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 228
Are there any other (authentication:login) security professionals here?
Hilton's latest robot:captcha approach to their hacking vulnerability strikes me as amateur hour. I'm looking 1:2 others willing to collaborate on recommendation for Hilton.
Hilton's latest robot:captcha approach to their hacking vulnerability strikes me as amateur hour. I'm looking 1:2 others willing to collaborate on recommendation for Hilton.
Jan 7, 2015, 11:15 am
#135
FlyerTalk Evangelist
Join Date: Jun 2003
Location: DEN
Programs: UA MM Plat; AA MM Gold; HHonors Diamond
Posts: 15,866
I would wait on the "amateur hour" accusation. I suspect that clicking in a particular place on a web page isn't that easy for a robot; otherwise the Captcha folks wouldn't have instituted that methodology.