HHonors Points Stolen Through Amazon.com
#136
Join Date: Oct 2000
Location: Seattle WA, USA
Programs: Hilton Diamond, Marriott LT Plat, AS Lounge
Posts: 3,478
Thanks for the data point. It's encouraging. I did an award reservation yesterday online and it did not trigger the 2FA. So maybe, at least for now, it's only for use when we call in.
#138
Join Date: Aug 2019
Posts: 1
Hilton Honors points stolen
Apparently the points stealing schemes are still going on. I received 2 emails yesterday from Hilton saying that my HHonors points had been redeemed through Amazon.com. I immediately logged into my Hilton account and I've gone from approx 268,000 down to 1000, so around 267,000 were stolen. No idea how this could have happened. Email stated to call Amazon if there is a problem with the transaction or if I was not the one who placed an order. It doesn't make sense that they say they cannot track down a transaction using my Hilton number as there has to be some kind of record of the points transfer from Hilton. I don't know if there are other sources I can contact to get this situation taken care of.
Called Amazon and was told that they have no record of the transaction taking place and there is no purchase using points in my history. They basically said there is nothing they can do except talk with Hilton to see if "this is a valid transaction" and that they would get back to me in a week or so. No guarantees that they will be able to find anything. Sounds like they are trying to blame Hilton.
Called Hilton to report the fraud. Hilton stated that they could see 2 separate transactions in my account. One for 114,500 and one for 134,000 (I know the math doesn't add up; who knows). Hilton said they would have to talk to Amazon "to determine if the points transfer was valid" and they would contact me "if there was anything they could do". Sounds like they are trying to blame Amazon. No guarantees that they will find anything.
I am a long time Hilton Honors member and Hilton credit cardholder. Very loyal to the brand as they have always treated me well during my stays. I've been a Prime member for many years as well. I'm not sure if this is an Amazon.com problem or a Hilton security problem. All passwords have been changed for both accounts and credit card. As a precaution, I removed all payment sources from both accounts as well.
Any advice is greatly appreciated. This really puts a burden on my travel expenses as I was using them to pay for stays while travelling for my business.
#139
Join Date: Jun 2012
Location: Michigan
Programs: DL PM
Posts: 855
Regarding the dual factor authentication sub-topic of this thread, I signed up for DFA a while back and have not been prompted to use it any time I've logged into my account. But, yesterday I called to book a night with an AMEX weekend certificate and needed the DFA for the redemption. It was awkward because the SMS didn't send right away so the agent went on hold a couple times and came back and asked me if I received it. Took a few minutes but the code did finally come through.
It seems kind of pointless to use the DFA when you call in for a redemption since they verify your e-mail address and phone number when you call in regardless, but at least it seems like it may be triggered for a points redemption even if it is not triggered when you log in. I haven't tested this with an online points redemption yet, though.
#140
FlyerTalk Evangelist
Join Date: Jan 2005
Location: home = LAX
Posts: 25,933
is DFA online only for non-hotel redemptions?
Someone posted in another thread the other day that some time back (a year or two ago?) Hilton advised them to set up something like dual-factor authentication (DFA) that would kick in if a redemption other than for a hotel was tried.
When looking at recent posts, I see people saying things like they tried it for an online hotel redemption and it didn't kick in. Well, did anyone who set up DFA try it for a non-hotel redemption of any kind?
Hackers are less likely to book a hotel in your name, more likely to try to redeem for gift cards, store purchases, and stuff like that. So it'd be useful and yet convenient IMHO if DFA didn't apply to hotel redemptions but did apply to other kinds of redemptions that hackers prefer. But is that how it works?
#141
Join Date: Aug 2002
Location: NYC
Posts: 335
That would be fine, except that right now there's nothing keeping someone from deactivating 2FA on your Hilton account without you being notified.
For example, I just:
1) logged into my Hilton account
- was not asked for 2FA to log in
2) went to the profile page and deactivated 2FA
- was not asked for 2FA to deactivate it
- was not notified by text or email that 2FA had been deactivated.
#142
Join Date: May 2007
Location: Seattle area
Programs: Peasant at large
Posts: 595
Maybe this is one of Hilton's lifetime experiences thingy. Exchange a few hundred thousand HH points for a security theater + reality show starring 2FA and YOU!!!
#143
Join Date: Aug 2019
Location: Philadelphia, PA
Programs: Hilton Diamond. AA Platinum.
Posts: 3
Just experienced this for the first time this past Sunday. I had 300,000 stolen from my Honors account. I spoke with the Diamond Desk Sunday morning and they assured me I would have a new account with the points reinstated within 5 days. I have a few questions for those who have experienced this:
- Did anyone receive an influx of unrelated spam emails at the same time they received an email from Hilton stating that the points had been redeemed at Amazon? I did, and I'm thinking this was done in hopes that the Hilton email would go unnoticed.
- Did you get a new HHonors number/account altogether, or were the points reinstated to your existing account?
- Does anyone have an Aspire card? If so, were you able to simply call AmEx and have your new HHonors number applied to your AmEx account?
- At the moment, I'm 2 nights shy of the 50 night milestone bonus - can anyone confirm that if they did get a new HHonors account that this information is transferred as well?
Thanks for any help/feedback.
#144
Join Date: Jul 2017
Location: Ohio
Programs: Hilton Diamond, Marriott Titanium, Hyatt Globalist, American Platinum, Southwest A-list
Posts: 98
Just experienced this for the first time this past Sunday. I had 300,000 stolen from my Honors account. I spoke with the Diamond Desk Sunday morning and they assured me I would have a new account with the points reinstated within 5 days. I have a few questions for those who have experienced this:
- Did anyone receive an influx of unrelated spam emails at the same time they received an email from Hilton stating that the points had been redeemed at Amazon? I did, and I'm thinking this was done in hopes that the Hilton email would go unnoticed.
- Did you get a new HHonors number/account altogether, or were the points reinstated to your existing account?
- Does anyone have an Aspire card? If so, were you able to simply call AmEx and have your new HHonors number applied to your AmEx account?
- At the moment, I'm 2 nights shy of the 50 night milestone bonus - can anyone confirm that if they did get a new HHonors account that this information is transferred as well?
Thanks for any help/feedback.
#145
Join Date: Aug 2019
Location: Philadelphia, PA
Programs: Hilton Diamond. AA Platinum.
Posts: 3
These are very good questions and I would like to add one more to the mix. For anyone who received a new Honors account after a fraud issue, was the entirety of lifetime base points/nights/stays transferred to the new account? This is important to anyone seeking lifetime Diamond status. I can imagine how frustrating it would be to have earned 990 lifetime nights when fraud strikes, only to embark on a new battle with Hilton using a new account number that hasn’t imported all the data from the previous account!
Thanks for sharing. This is another good point that I will inquire to the Diamond Desk about after sorting things out with Fraud Protection. My experiences with the Diamond Desk and Hilton customer service have generally been positive. It's a shame there isn't a way to communicate with HH Fraud Protection via phone because now would really be a good time to speak with someone to ask questions to better protect myself in the future and try to figure out how this is happening.
Last edited by Canarsie; Aug 28, 2019 at 10:50 am Reason: Consolidation.
#146
Join Date: Feb 2017
Programs: LT Marriott Titanium, Hyatt Globalist, Hilton Diamond, IHG Plat, Hertz Prez Circle, United Platinum
Posts: 767
It's basic security - you NEED to be using strong, unique passwords across EVERY website and service you visit. If you use the same password it's not a case of IF you'll be hacked, but WHEN.
Have unique strong passwords and a password manager and the Internet would be a much safer place for everybody. If you use the same password across multiple sites and your password(s) are currently on haveibeenpwned your chances of being compromised are significantly escalated.
I don't have a single password, but I've got ~30 different password protected accounts. Many of them share the same username and password or a variant. Many are accessed daily; some are accessed very sporadically. It would be nice to have a simple life where one only has a few password protected accounts so that you can use unique usernames and UNIQUE STRONG passwords on each of them. Most of us don't have such a simple life.
I haven't been hacked ... yet. I will continue to do this until I get hacked.
Note that most accounts don't allow you to change the username.
And I'd say that the problem isn't people using the same password, it's not having 2FA on accounts. The problem isn't the end user, it's the company that doesn't secure their customer accounts.
My points were stolen on July 19, at which time I was told I'd have them back in 24-48 hours. I then received an email saying 7-10 business days. Today I called to check up on what's going on (still no points!) and was told it would take about 30 days because the FBI and Interpol are working the case and cannot reinstate the points until their investigation of "all the relevant IP addresses" is complete. So thorough! Interpol, even! Maybe they will get James Bond and Jack Reacher on the case!
Last edited by Canarsie; Aug 28, 2019 at 10:51 am Reason: Consolidation.
#147
Join Date: Aug 2019
Location: Philadelphia, PA
Programs: Hilton Diamond. AA Platinum.
Posts: 3
- Did anyone receive an influx of unrelated spam emails at the same time they received an email from Hilton stating that the points had been redeemed at Amazon? I did, and I'm thinking this was done in hopes that the Hilton email would go unnoticed.
- Did you get a new HHonors number/account altogether, or were the points reinstated to your existing account?
- Does anyone have an Aspire card? If so, were you able to simply call AmEx and have your new HHonors number applied to your AmEx account?
- At the moment, I'm 2 nights shy of the 50 night milestone bonus - can anyone confirm that if they did get a new HHonors account that this information is transferred as well?
- This is still unclear. I'm still getting a lot of spam emails - far more than ever before, however, I have them filtered in my gmail account so it isn't too much of a disturbance.
- I did not receive a new HHonors number. I'm not sure what to think of this since it seems others who faced the same issue were given a new one. I'm happy I didn't because I didn't want to lose my stay history and I'm not sure that getting a new account would have taken any further measures to stop the hacks. Previously, I had a password unique to my Hilton account and I created a new password unique to only my Hilton account. I have 2 factor authentication activated like before, however, I don't think this feature works properly. It's my understanding that I'm supposed to receive a verification text upon logging in, but I still don't.
- My HHonors number is once again linked to my AmEx account.
- Since my HHonors account did not change, neither did my total stays/nights count.
I'll continue to post in this thread should I encounter any new experiences.
#148
Join Date: Sep 2019
Programs: Hilton Honors
Posts: 1
Add me to the list of Hilton Honors members having their points stolen. I've read the thread and it went exactly as stated. Email linking account to Amazon and subsequent emails with transaction notifications. I've contacted Hilton and had my account suspended. I'll be waiting to hear from the fraud team and hopefully the just over 104,000 points will be reinstated.
I found this forum through a google search so thanks to everyone for your discussion of the issue.
#150
Join Date: Dec 2018
Location: PHX
Programs: Delta DM, Marriott Lifetime Titanium, HHonors Diamond
Posts: 1,336
This HHonors/Amazon hack is still going on and Hilton has not done anything to fix this very vulnerable IT threat.
There are tons of hacks of companies (Starwood for one) and huge databases of emails and passwords from those hacks out there that anyone can access or purchase and begin hacking away at other commonly used accounts that have an easy gain.
Hilton uses a username, not just the HHonors member number, for logins, which is a flaw. Most people share usernames across platforms or use the beginning of their email address before the "@". So a database with email addresses/logins and passwords is a very fertile area. Even better if the data is from another hotel site. And I would bet that this, and not keyloggers and theft from hotel wi-fi, is the way 99% of the people on this forum are getting their HHonors points hacked.
Hacking a Hilton Honors account has the most to gain because you can quickly link the points to a burner Amazon account, buy a gift card and cash out in seconds. No trail to catch them compared to hacking a bank account, since there has to be another account to receive the money.
Moreover, aware of this vulnerability, I linked my HHonors to my Amazon back in April so that it could not get linked to a burner Amazon account in such a manner. However, I found out today that one can link a single HHonors account to THREE different Amazon accounts. So if your one Amazon prime account is already linked for safety, even if you have no intention of using the points, it doesn't even help. Nobody has to delete that in order to spend HHonors points at another Amazon account.
It says a lot about our corporate culture where hacks of $200 - $1000 of points are simple "write-offs" to them. As we move toward fewer online merchants and fewer hotel chains out there, these organizations get so big and so bloated that they find it cheaper to just write this stuff off instead of preventing it. And every write-off just funds the hackers to grow in numbers and sophistication. You think that kid who gets a successful hit from a password database and wins a $200 gift card from Amazon is going to retire from hacking after that one successful attempt?
If you have any HHonors points, change your HHonors password to something you have not used on any other website in the last 6 months.
And Hilton either needs to end the Amazon partnership or limit the linking to only ONE Amazon account.
Hilton also needs to add a clickable email confirmation link when a new Amazon account has been linked or a currently linked account is removed.
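A step-up policy of the kind posts #141 and #150 are asking for, written here as an added example (it is not Hilton's or Amazon's code): disabling 2FA, changing contact details, linking or unlinking a partner account, and any cash-out redemption require the second factor and always notify the owner, while partner linking is capped at one account. The action names, the one-account cap and the sample attempt sequence are assumptions.

```python
from dataclasses import dataclass, field

MAX_LINKED_PARTNER_ACCOUNTS = 1   # assumption: the thread reports the real limit is three
STEP_UP_ACTIONS = {"disable_2fa", "change_email", "change_phone",
                   "link_partner_account", "unlink_partner_account"}
CASH_OUT_CHANNELS = {"amazon", "gift_card", "merchandise"}   # resellable, hard to claw back


@dataclass
class Account:
    member_id: str
    two_factor_enabled: bool = True
    linked_partner_accounts: set = field(default_factory=set)
    notifications: list = field(default_factory=list)   # out-of-band messages to the owner


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(account, action, params, second_factor_ok):
    """Apply the policy and, when allowed, its side effects. Every sensitive attempt,
    allowed or denied, is written to the owner's notifications so a takeover is visible early."""
    sensitive = action in STEP_UP_ACTIONS or (
        action == "redeem_points" and params.get("channel") in CASH_OUT_CHANNELS)
    if sensitive and account.two_factor_enabled and not second_factor_ok:
        account.notifications.append(f"DENIED {action}: second factor missing")
        return Decision(False, "second factor required")
    if action == "link_partner_account":
        target = params["partner_account"]
        if target not in account.linked_partner_accounts and \
           len(account.linked_partner_accounts) >= MAX_LINKED_PARTNER_ACCOUNTS:
            account.notifications.append(f"DENIED link to {target}: limit reached")
            return Decision(False, "partner account limit reached")
        account.linked_partner_accounts.add(target)
    elif action == "unlink_partner_account":
        account.linked_partner_accounts.discard(params["partner_account"])
    elif action == "disable_2fa":
        account.two_factor_enabled = False
    if sensitive or action == "redeem_points":
        account.notifications.append(f"OK {action} {params}")
    return Decision(True, "allowed")


def stolen_password_scenario():
    """Constructed replay of the pattern in this thread: the caller holds only the
    password (no second factor) and tries the steps that drained the posters' points."""
    acct = Account("member-0001", linked_partner_accounts={"owner@example.com"})
    attempts = [
        ("disable_2fa", {}),                                           # post #141's gap
        ("link_partner_account", {"partner_account": "burner@example.com"}),  # post #150's gap
        ("redeem_points", {"channel": "amazon", "points": 114500}),
        ("redeem_points", {"channel": "hotel", "points": 40000}),     # hotel stays need no step-up
    ]
    return [evaluate(acct, a, p, second_factor_ok=False) for a, p in attempts], acct
```

Only the hotel redemption goes through without a second factor, and even that leaves a notification; the three cash-out steps are refused and logged.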