HHonors Points Stolen Through Amazon.com

Old Aug 9, 19, 6:11 pm
  #136  
 
Join Date: Oct 2000
Location: Seattle WA, USA
Programs: Hilton Diamond, Marriott Titan, AS MVPG&AL, others no status
Posts: 3,388
Originally Posted by smithrh View Post
Update - called the Diamond Desk to make a reservation today and they did use 2FA while on the call, and is was very quick.
Thanks for the data point. It's encouraging. I did an award reservation yesterday online and it did not trigger the 2FA. So maybe, at least for now, it's only for use when we call in.
Westcoaster is offline  
Old Aug 15, 19, 2:05 pm
  #137  
 
Join Date: Jun 2017
Programs: DL: DM UA: 1K
Posts: 27
Finally, my points were returned today. It took 17 days after the report. The e-mail from Hilton recommended me to set up 2FA. I didn't see that option in my profile in the past, but that option appeared today.
kazuyuki330 is offline  
Old Aug 19, 19, 2:05 pm
  #138  
DFB
 
Join Date: Aug 2019
Posts: 1
Hilton Honors points stolen

Originally Posted by pinion View Post
Apparently the points stealing schemes are still going on. I received 2 emails yesterday from Hilton saying that my HHonors points had been redeemed through Amazon.com. I immediately logged into my Hilton account and I've gone from approx 268,000 down to 1000, so around 267,000 were stolen. No idea how this could have happened. Email stated to call Amazon if there is a problem with the transaction or if I was not the one who placed an order. It doesn't make sense that they say they cannot track down a transaction using my Hilton number as there has to be some kind of record of the points transfer from Hilton. I don't know if there are other sources I can contact to get this situation taken care of.

Called Amazon and was told that they have no record of the transaction taking place and there is no purchase using points in my history. They basically said there is nothing they can do except talk with Hilton to see if "this is a valid transaction" and that they would get back to me in a week or so. No guarantees that they will be able to find anything. Sounds like they are trying to blame Hilton.

Called Hilton to report the fraud. Hilton stated that they could see 2 separate transactions in my account. One for 114,500 and one for 134,000 (I know the math doesn't add up; who knows). Hilton said they would have to talk to Amazon "to determine if the points transfer was valid" and they would contact me "if there was anything they could do". Sounds like they are trying to blame Amazon. No guarantees that they will find anything.

I am a long time Hilton Honors member and Hilton credit cardholder. Very loyal to the brand as they have always treated me well during my stays. I've been a Prime member for many years as well. I'm not sure if this is an Amazon.com problem or a Hilton security problem. All passwords have been changed for both accounts and credit card. As a precaution, I removed all payment sources from both accounts as well.

Any advice is greatly appreciated. This really puts a burden on my travel expenses as I was using them to pay for stays while travelling for my business.
Same happened to me. Obviously somebody hacked in Hiltonís systems. My personal and credit card information exposed. I had to warn Hilton instead of them warning me. And then I had to follow up for two months as they refused to look into my case. The fraud department is useless. I still have problems with my points even though most of them were added back. And btw, no compensation for this tremendous breach of trust from Hilton...
DFB is offline  
Old Aug 19, 19, 3:19 pm
  #139  
 
Join Date: Jun 2012
Location: Michigan
Programs: DL PM
Posts: 768
Regarding the dual factor authentication sub-topic of this thread, I signed up for DFA a while back and have not been prompted to use it any time I've logged into my account. But, yesterday I called to book a night with an AMEX weekend certificate and needed the DFA for the redemption. It was awkward because the SMS didn't send right away so the agent went on hold a couple times and came back an asked me if I received it. Took a few minutes but the code did finally come through.

It seems kind of pointless to use the DFA when you call in for a redemption since they verify your e-mail address and phone number when you call in regardless, but at least it seems like it may be triggered for a points redemption even if it is not triggered when you log in. I haven't tested this with an online points redemption yet, though.
mudpuppy is offline  
Old Aug 19, 19, 10:40 pm
  #140  
FlyerTalk Evangelist
 
Join Date: Jan 2005
Location: home = LAX
Posts: 23,864
Question is DFA online only for non-hotel redemptions?

Someone posted in another thread the other day that some time back (a year or two ago?) Hilton advised them to set up something like dual-factor authentication (DFA) that would kick in if a redemption other than for a hotel was tried.

When looking a recent posts,,I see people saying things like they tried it for an online hotel redemption and it didn't kick in. Well, did anyone who set up DFA try it for a non-hotel redemption of any kind?

Hackers are less likely to book a hotel in your name, more likely to try to redeem for gift cards, store purchases, and stuff like that. So it'd be useful and yet convenient IMHO if DFA didn't apply to hotel redemptions but did apply to other kinds of redemptions that hackers prefer. But is that how it works?
sdsearch is offline  
Old Aug 20, 19, 11:43 am
  #141  
 
Join Date: Aug 2002
Location: NYC
Posts: 159
That would be fine, except right there's nothing keeping someone from deactivating 2FA on your Hilton account without you being notified.

For example, I just:

1) logged into my Hilton account
- was not asked for 2FA to log in

2) went to the profile page and deactivated 2FA
- was not asked for 2FA to deactivate it
- was not notified by text or email that 2FA had been deactivated.
MoodyB likes this.
Petdog is offline  
Old Aug 21, 19, 4:46 pm
  #142  
 
Join Date: May 2007
Location: Seattle area
Programs: Peasant at large
Posts: 567
Originally Posted by smithrh View Post
Update - called the Diamond Desk to make a reservation today and they did use 2FA while on the call, and is was very quick.
Was it triggered by the agent after the conversation had started or did it trigger before being connected to the agent? If it's the former, it sounds like it's a human initiated action since I called the regular desk for a reservation last week and 2FA was not triggered. That makes 2FA largely useless in the most common attack vector: online account breach. Also, triggering for a room reservation seems pretty low down the list of risky events.

Maybe this is one of Hilton's lifetime experiences thingy. Exchange a few hundred thousand HH points for a security theater + reality show starring 2FA and YOU!!!
crunchie is offline  
Old Aug 27, 19, 9:35 am
  #143  
 
Join Date: Aug 2019
Location: Philadelphia, PA
Programs: Hilton Diamond. AA Platinum.
Posts: 3
Just experienced this for the first time this past Sunday. I had 300,000 stolen from my Honors account. I spoke with the Diamond Desk Sunday morning and they assured me I would have a new account with the points reinstated within 5 days. I have a few questions for those who have experienced this:

- Did anyone receive an influx of unrelated spam emails at the same time they receive an email from Hilton stating that the points had been redeemed at Amazon? I did, and I'm thinking this was done in hopes that the Hilton email would go unnoticed.
- Did you get a new HHonors number/account altogether, or were the points reinstated to your existing account?
- Does anyone have an Aspire card? If so, were you able to simply call AmEx and have your new HHonors number applied to your AmEx account?
- At the moment, I'm 2 nights shy of the 50 night milestone bonus - can anyone confirm that if they did get a new HHonors account that this information is transferred as well?

Thanks for any help/feedback.
Gundy1990 is offline  
Old Aug 27, 19, 12:10 pm
  #144  
 
Join Date: Jul 2017
Location: Ohio
Programs: Hilton Diamond, Hyatt Discoverist, Marriott Gold, Dirt Elsewhere
Posts: 81
Originally Posted by Gundy1990 View Post
Just experienced this for the first time this past Sunday. I had 300,000 stolen from my Honors account. I spoke with the Diamond Desk Sunday morning and they assured me I would have a new account with the points reinstated within 5 days. I have a few questions for those who have experienced this:

- Did anyone receive an influx of unrelated spam emails at the same time they receive an email from Hilton stating that the points had been redeemed at Amazon? I did, and I'm thinking this was done in hopes that the Hilton email would go unnoticed.
- Did you get a new HHonors number/account altogether, or were the points reinstated to your existing account?
- Does anyone have an Aspire card? If so, were you able to simply call AmEx and have your new HHonors number applied to your AmEx account?
- At the moment, I'm 2 nights shy of the 50 night milestone bonus - can anyone confirm that if they did get a new HHonors account that this information is transferred as well?

Thanks for any help/feedback.
These are very good questions and I would like to add one more to the mix. For anyone who received a new Honors account after a fraud issue, was the entirety of lifetime base points/nights/stays transferred to the new account? This is important to anyone seeking lifetime Diamond status. I can imagine how frustrating it would be to have earned 990 lifetime nights when fraud strikes, only to embark on a new battle with Hilton using a new account number that hasnít imported all the data from the previous account!
Hotel Points Guy is offline  
Old Aug 27, 19, 12:25 pm
  #145  
 
Join Date: Aug 2019
Location: Philadelphia, PA
Programs: Hilton Diamond. AA Platinum.
Posts: 3
Originally Posted by Hotel Points Guy View Post


These are very good questions and I would like to add one more to the mix. For anyone who received a new Honors account after a fraud issue, was the entirety of lifetime base points/nights/stays transferred to the new account? This is important to anyone seeking lifetime Diamond status. I can imagine how frustrating it would be to have earned 990 lifetime nights when fraud strikes, only to embark on a new battle with Hilton using a new account number that hasnít imported all the data from the previous account!
Thank you. This is one that I didn't even consider that I will be sure to inquire to the Diamond desk about after I get things sorted out with 'HH Fraud Protection'. Generally speaking, my experiences with the Diamond Desk and Hilton customer service are generally positive. The frustrating thing about this is there's no way to communicate with Fraud Protection via a phone call. This is a time where it would really be refreshing to talk to someone and ask questions to better protect myself in the future. That being said, as others have suggested, I don't believe this to be the fault of the consumer for not changing their password frequently enough.

Thanks for sharing. This is another good point that I will inquire to the Diamond Desk about after sorting things out with Fraud Protection. My experiences with the Diamond Desk and Hilton customer service have generally been positive. It's a shame there isn't a way to communicate with HH Fraud Protection via phone because now would really be a good time to speak with someone to ask questions to better protect myself in the future and try to figure out how this is happening.

Last edited by Canarsie; Aug 28, 19 at 10:50 am Reason: Consolidation.
Gundy1990 is offline  
Old Aug 27, 19, 3:52 pm
  #146  
 
Join Date: Feb 2017
Posts: 412
Originally Posted by sbiddle View Post
There isn't a lot Hilton can do if people are being compromised (and it's clear at least some of the attacks are a direct result of this) because they're stupid enough to use the same password across multiple websites or services on the Internet.
Originally Posted by sbiddle View Post
It's basic security - you NEED to be using strong, unique passwords across EVERY website and service you visit. If you use the same password it's not a case of IF you'll be hacked, but WHEN.
Have unique strong passwords and a password manager and the Internet would be a much safer place for everybody. If you use the same password across multiple sites and your password(s) are currently on haveibeenpwned your chances of being compromised are significantly escalated.


I don't have a single password, but I've got ~30 different password protected accounts. Many of them share the same username and password or a variant. Many are accessed daily; some are accessed very sporadically. It would be nice to have a simple life where one only has a few password protected accounts so that you can use unique usernames and UNIQUE STRONG passwords on each of them. Most of us don't have such a simple life.
I haven't been hacked ... yet. I will continue to do this until I get hacked.
Note that most accounts don't allow you to change the username.

And I'd say that the problem isn't people using the same password, it's not having 2FA on accounts. The problem isn't the end user, it's the company that doesn't secure their customer accounts.

Originally Posted by Janepod View Post
My points were stolen on July 19, at which time I was told I'd have them back in 24-48 hours. I then received an email saying 7-10 business days. Today I called to check up on what's going on (still no points!) and was told it would take about 30 days because the FBI and Interpol are working the case and cannot reinstate the points until their investigation of "all the relevant IP addresses" is complete. So thorough! Interpol, even! Maybe they will get James Bond and Jack Reacher on the case!
It's good to hear that they're pursuing some of these cases.

Last edited by Canarsie; Aug 28, 19 at 10:51 am Reason: Consolidation.
itsallgood is offline  
Old Aug 29, 19, 9:54 am
  #147  
 
Join Date: Aug 2019
Location: Philadelphia, PA
Programs: Hilton Diamond. AA Platinum.
Posts: 3
Originally Posted by Gundy1990 View Post
- Did anyone receive an influx of unrelated spam emails at the same time they receive an email from Hilton stating that the points had been redeemed at Amazon? I did, and I'm thinking this was done in hopes that the Hilton email would go unnoticed.
- Did you get a new HHonors number/account altogether, or were the points reinstated to your existing account?
- Does anyone have an Aspire card? If so, were you able to simply call AmEx and have your new HHonors number applied to your AmEx account?
- At the moment, I'm 2 nights shy of the 50 night milestone bonus - can anyone confirm that if they did get a new HHonors account that this information is transferred as well?
Hi, all. I just wanted to check back in and provide a follow-up for anyone who's interested. I woke up with an email from HHFraudProtection that was sent at 2:02 AM EST. The email states that my 300K points would be reimbursed to my account with 24-48 hours, however, the points were already reinstated when I checked my account. The email said "Please be assured this activity does not have any bearing on the integrity of our systems". This clearly doesn't seem to be the case though, considering this is an ongoing issue faced by many Honors members. So to sum things up, I reached out to the Diamond Desk on Sunday, 8/25 and had my points back first thing on Thursday, 8/29. My experience was mostly positive for the exception that Fraud Proection had 0 interest in giving me any insight on how this is happening. I will now answer my own questions from my previous post quoted above.

- This is still unclear. I'm still getting a lot of spam emails - far more than ever before, however, I have them filtered in my gmail account so it isn't too much of a disturbance.
- I did not receive a new HHonors number. I'm not sure what to think of this since it seems others who faced the same issue were given a new one. I'm happy I didn't because I didn't want to lose my stay history and I'm not sure that getting a new account would have taken any further measures to stop the hacks. Previously, I had a password unique to my Hilton account and I created a new password unique to only my Hilton account. I have 2 factor authentication activated like before, however, I don't think this feature works properly. It's my understanding that I'm supposed to receive a verification text upon logging in, but I still don't.
- My HHonors number is once again linked to my AmEx account.
- Since my HHonors account did not change, neither did my total stays/nights count.

I'll continue to post in this thread should I encounter any new experiences.
Gundy1990 is offline  
Old Sep 9, 19, 12:49 am
  #148  
 
Join Date: Sep 2019
Programs: Hilton Honors
Posts: 1
Add me to the list of Hilton Honors members having their points stolen. I've read the thread and it went exactly as stated. Email linking account to Amazon and subsequent emails with transaction notifications. I've contacted Hilton and had my account suspended. I'll be waiting to hear from the fraud team and hopefully the just over 104,000 points will be reinstated.

I found this forum through a google search so thanks to everyone for your discussion of the issue.
SportsMan17 is offline  
Old Sep 17, 19, 9:33 am
  #149  
 
Join Date: May 2011
Location: CMH
Programs: AS MVPG; IHG/Marriott/BW Plat; Hilton Dia; Radisson Gold; Hertz Prez (OK, some are +1's)
Posts: 559
2FA Compatible with AW?

I assume enabling 2FA will not hamper Award Wallet updates.
rxgeek is offline  

Thread Tools
Search this Thread