
HHonors Points Stolen Through Amazon.com

Old Nov 6, 2019, 11:11 am
  #151  
 
Join Date: Dec 2018
Location: PHX
Programs: Delta DM, Marriott Lifetime Titanium, HHonrs Diamond
Posts: 1,336
Also, when an Amazon account gets linked, or when points are spent, you get this single image email with a single clickable link embedded in the entire image. Yes, there is also an image footer that is blurry and looks like a scam as well. What is to stop a phisher from taking this image and linking it to a site to steal your password? This image is so bad, it looked like a phishing attempt to me, yet in my case, it was real.

For Hilton IT to not know that an email with both image and text that mentions your name and account number somewhere to know it was generated by corporate is ridiculous.
For Hilton IT to not carry forward more data from the Amazon purchase or the number of points that were redeemed in the body of an email like this is also ridiculous.

FlyBitcoin is offline  
Old Nov 6, 2019, 1:34 pm
  #152  
 
Join Date: May 2005
Posts: 4,871
Originally Posted by FlyBitcoin

And Hilton either needs to end the Amazon partnership or limit the linking to only ONE Amazon account.
Hilton also needs to add a clickable email confirmation link when a new Amazon account has been linked or a currently linked account is removed.
No recent reports of hacks. Were you a victim within the past couple of months or are your warnings based on older DPs?
smmrfld is offline  
Old Nov 6, 2019, 1:38 pm
  #153  
 
Join Date: Dec 2018
Location: PHX
Programs: Delta DM, Marriott Lifetime Titanium, HHonrs Diamond
Posts: 1,336
Someone added a second Amazon account to my HHonors account and drained the points 24 hours ago. It is STILL going on.

Hilton has replaced the points already, but they need to fix the problem.
FlyBitcoin is offline  
Old Feb 6, 2020, 4:32 pm
  #154  
 
Join Date: Jan 2013
Location: SEATAC
Programs: AS MVP Gold
Posts: 186
I had my account liquidated via Amazon - 400k points - on 1/17. I've emailed the fraud email 7 times with no reply or indication of action as my balance remains 4 points. I've spoken to the diamond desk 3 times, who will only "open a ticket" for escalation. They say they cannot do anything else. They gave me a nonworking number for "Hilton corporate headquarters", which I then googled the correct number and called with no answer.

Does anyone have any other methods by which they could reach someone who would do anything? I don't see anything scanning through the thread. I wonder if the fraud department is one person who's on extended holiday?
mightyducksman is offline  
Old Feb 6, 2020, 4:39 pm
  #155  
 
Join Date: Dec 2018
Location: PHX
Programs: Delta DM, Marriott Lifetime Titanium, HHonrs Diamond
Posts: 1,336
I called the HHonors line and they transferred me to fraud who took it from there.
I did call them within hours after the points were taken, so not sure if that made a difference.

If they just say open a ticket, call during regular weekday business hours and ask to speak to the "Fraud" department.
FlyBitcoin is offline  
Old Feb 6, 2020, 7:54 pm
  #156  
 
Join Date: May 2005
Posts: 4,871
Why would anyone still have their accounts linked or use the same password after the numerous fraud incidents reported over many months? SMH.
smmrfld is offline  
Old Feb 6, 2020, 8:12 pm
  #157  
 
Join Date: Dec 2018
Location: PHX
Programs: Delta DM, Marriott Lifetime Titanium, HHonrs Diamond
Posts: 1,336
Originally Posted by smmrfld
Why would anyone still have their accounts linked or use the same password after the numerous fraud incidents reported over many months? SMH.
Ahhh, it's not that simple.
What you should be asking is, "why would anyone have their HHonors username and password match anything they have ever used anywhere else". There are names and password lists from hacks available out there for pennies. Remember Starwood? Lots of people share their passwords between hotel accounts. That and other hacked data is out there. Dig around and you will find your name, common usernames you have used, and at least one password you have used since 2010.

They don't steal the points by breaking into your Amazon account. They steal the points by breaking into your HHonors account, linking it to a dummy Amazon account with a fake address and a burner email. They link your HHonors account with their burner Amazon account. They buy gift cards with electronic delivery that can be easily resold on the secondary market. Enough to drain your points. Thief remains anonymous since there is nothing physical to be delivered.

One poster here suggested linking your HHonors account to your own Amazon account so that it cannot get linked to another Amazon account if HHonors is compromised. Well, that didn't work because Hilton and Amazon added this "perk" that one HHonors account can be linked to up to 3 DIFFERENT AMAZON ACCOUNTS !?!? Who the heck has 3 Amazon accounts?
Therefore, if you can hack into a HHonors account, and that account is not linked to 3 Amazon accounts already, then you can drain the points anonymously in a few minutes.

HHonors needs to reduce the linking capability to one Amazon account and hopefully offer 2FA soon.
FlyBitcoin is offline  
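
The pattern described in post #157 (a newly linked Amazon account followed within minutes by redemptions that empty the balance) can be written as a program-side detection rule. This is an added example, not part of the thread and not Hilton's or Amazon's code; the event field names, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data); field names are assumptions.
EVENTS = [
    {"ts": "2020-01-02T09:00", "acct": "A1", "type": "link", "partner": "amz-own", "balance": 400000},
    {"ts": "2020-01-17T03:10", "acct": "A1", "type": "link", "partner": "amz-new", "balance": 400000},
    {"ts": "2020-01-17T03:14", "acct": "A1", "type": "redeem", "partner": "amz-new", "points": 250000},
    {"ts": "2020-01-17T03:19", "acct": "A1", "type": "redeem", "partner": "amz-new", "points": 149996},
    {"ts": "2020-01-05T12:00", "acct": "B2", "type": "link", "partner": "amz-b", "balance": 90000},
    {"ts": "2020-02-20T18:30", "acct": "B2", "type": "redeem", "partner": "amz-b", "points": 80000},
    {"ts": "2020-03-01T10:00", "acct": "C3", "type": "link", "partner": "amz-c", "balance": 50000},
    {"ts": "2020-03-01T10:05", "acct": "C3", "type": "redeem", "partner": "amz-c", "points": 5000},
]

def flag_link_then_drain(events, window=timedelta(hours=24), drain_ratio=0.8):
    """Alert when a partner account linked within `window` redeems most of the balance."""
    links = {}                        # (acct, partner) -> state recorded at link time
    linked_count = defaultdict(int)   # acct -> number of partner accounts linked so far
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["acct"], ev["partner"])
        if ev["type"] == "link":
            linked_count[ev["acct"]] += 1
            links[key] = {"ts": ts, "balance": ev["balance"], "spent": 0,
                          "extra_link": linked_count[ev["acct"]] > 1}
        elif ev["type"] == "redeem" and key in links:
            link = links[key]
            if ts - link["ts"] > window:
                continue              # long-established link: outside this rule
            link["spent"] += ev["points"]   # cumulative, so split redemptions still count
            drained = link["spent"] / link["balance"] if link["balance"] else 0
            if drained >= drain_ratio:
                alerts[key] = {
                    "acct": ev["acct"], "partner": ev["partner"],
                    "minutes_after_link": int((ts - link["ts"]).total_seconds() // 60),
                    "drained": round(drained, 3),
                    "extra_link": link["extra_link"],  # a second or third linked account
                }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in flag_link_then_drain(EVENTS):
        print(alert)
```

The same link event is where a hold would sit if redemptions were blocked until the member confirms the new link by email, as suggested earlier in the thread.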
Old Feb 6, 2020, 8:33 pm
  #158  
 
Join Date: May 2005
Posts: 4,871
Originally Posted by FlyBitcoin
Ahhh, it's not that simple.
What you should be asking is, "why would anyone have their HHonors username and password match anything they have ever used anywhere else".
That should go without saying.
smmrfld is offline  
Old Feb 7, 2020, 7:07 am
  #159  
 
Join Date: Jan 2013
Location: SEATAC
Programs: AS MVP Gold
Posts: 186
Originally Posted by smmrfld
Why would anyone still have their accounts linked or use the same password after the numerous fraud incidents reported over many months? SMH.
Thank you for this helpful comment. I appreciate your advice. How could I think my job and family were more important than looking for possible fraud stories related to frequent traveler accounts? I'll get my ducks in a row now.

Last edited by mightyducksman; Feb 7, 2020 at 7:16 am
mightyducksman is offline  
Old Feb 7, 2020, 8:01 am
  #160  
 
Join Date: Dec 2004
Posts: 7,904
Originally Posted by smmrfld
Why would anyone still have their accounts linked or use the same password after the numerous fraud incidents reported over many months? SMH.
Unlinking your account wouldn't stop this.
FlyBitcoin likes this.
rrgg is offline  
Old Feb 7, 2020, 8:26 am
  #161  
 
Join Date: May 2005
Posts: 4,871
Originally Posted by mightyducksman
Thank you for this helpful comment. I appreciate your advice. How could I think my job and family were more important than looking for possible fraud stories related to frequent traveler accounts? I'll get my ducks in a row now.
Smart move...that should serve you well.
smmrfld is offline  
Old May 9, 2021, 4:46 am
  #162  
 
Join Date: Aug 2008
Location: MCO
Programs: DL-DM/1MM, HILTON-DIA, .HYATT-DIA/GLOB , IHG-PLT,HERTZ 5*, NATIONAL ES
Posts: 8,691
Apology Email

Did anyone else receive an email overnight from at least one of the alleged perps in this crime? It is a letter asking forgiveness and gives an email..... seems a bit fishy to me, but I found it interesting that it came to the original email the account was in when it occurred. Naturally I changed the email and pw at that time.

Just curious, as there is a name and email attached to the email that one could "respond" to.
Crazyhotelguy is offline  



This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.