
HHonors Points Stolen Through Amazon.com


Old Apr 25, 19, 1:51 pm
  #16  
 
Join Date: Feb 2000
Location: Columbia, SC
Programs: a little here, a little there
Posts: 1,279
You know it's also interesting that a few posts away from this one is a thread that asks people how many Hhonors points you have... that's one bit of data that could help hackers target people with large balances.

At any rate, y'all just motivated me to go change my Hilton password to something that I haven't used anywhere else.
johnndor is offline  
Old Apr 27, 19, 9:46 am
  #17  
 
Join Date: Dec 2011
Posts: 92
Once you link your account to Amazon, would the fraudsters still be able to re-link it to a new Amazon acct?
funkydory is offline  
Old Apr 28, 19, 9:55 am
  #18  
 
Join Date: Dec 2016
Posts: 4
I received an email Saturday to say my points have been used to make an Amazon purchase - signed into HH - all gone !! The FOLLOWING day I received another saying I had linked my account followed a couple of hours later by another email saying I have unlinked it !! None of which I have done.

Have emailed HH but nothing back yet - interestingly they appear to have updated the email to say if this wasn't you contact Amazon !!

If I don't get the points restored then the HH account gets closed and so does my business with the Hilton Brand.

(Can't even change my password as it's saying it's invalid yet seconds earlier clearly it was ok as I signed onto it - the feedback tab doesn't work and all the links in 'preferences' return 'Not Found' - looks like the website is a work in progress by a 12 year old!)
strickerj likes this.
Gratters is offline  
Old Apr 28, 19, 10:46 am
  #19  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Location: ORD/MDW
Programs: BA/AA/AS/B6/WN/ UA/HH/MR and more like 'em but most felicitously & importantly MUCCI
Posts: 19,109
EDIT / 29 April: Hilton reached out to me 15 days after the breach came to my attention and resolved the question to my satisfaction. I have to say that once service recovery kicked in, it was personal, clear, and effective. The only downside is, I have to commit a new Honors account number to memory.

Original post (partial):

Update to say it's now been two weeks since hackers emptied my account, the Honors rep promised resolution within five business days, but nothing has happened. A second call to Honors yielded nothing (rep conceded she has taken multi calls from Amazon fraud victims). Polite email at midweek to the Hilton fraud desk has gone unanswered.

Last edited by BearX220; Apr 29, 19 at 12:52 pm
BearX220 is offline  
Old Apr 28, 19, 1:43 pm
  #20  
 
Join Date: Nov 2011
Location: NYC
Programs: HH Diamond, Hyatt Globalist
Posts: 436
Originally Posted by BearX220 View Post

Have any bloggers drawn attention to this situation?
https://thepointsguy.com/news/hilton...ned-of-points/

https://loyaltylobby.com/2019/04/19/...ts-via-amazon/

I'm still baffled as to how the point drainage happens to HH accounts that are not linked to Amazon.
Cat88L3 is online now  
Old Apr 28, 19, 2:16 pm
  #21  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Location: ORD/MDW
Programs: BA/AA/AS/B6/WN/ UA/HH/MR and more like 'em but most felicitously & importantly MUCCI
Posts: 19,109
Deleted as my issue has now been very effectively addressed by Hilton.

Last edited by BearX220; Apr 29, 19 at 12:53 pm
BearX220 is offline  
Old Apr 29, 19, 10:26 am
  #22  
 
Join Date: Dec 2016
Posts: 4
I have forwarded on the issue to the UK national papers - see if there's an interest there
Gratters is offline  
Old Apr 29, 19, 12:38 pm
  #23  
 
Join Date: Dec 2016
Posts: 4
Just an update: I just contacted Amazon and they are very adamant the problem is Hilton's and there's nothing for them to do. (I guess logical given it's the Hilton accounts that have been hacked). They also confirmed they are aware of the scam.
Gratters is offline  
Old Apr 29, 19, 1:02 pm
  #24  
FlyerTalk Evangelist
 
Join Date: Jul 2001
Location: Phoenix, AZ
Programs: HH Gold, AA Gold
Posts: 10,142
It seems like either Hilton and/or Amazon should temporarily shut down the ability to redeem Hilton points on Amazon until such breach is fixed. I understand Amazon's position since Hilton has all the account information and can verify that they are talking to the correct person. Hilton certainly has to start the investigation from their end, but you would think Amazon would want to try to stop the shipments as quickly as possible.
formeraa is online now  
Old Apr 29, 19, 2:04 pm
  #25  
FlyerTalk Evangelist
 
Join Date: Sep 2002
Location: IND
Programs: DL DM & 2MM™, Lifetime HHonors Diamond, Cholula General Member
Posts: 20,278
Originally Posted by formeraa View Post
Hilton certainly has to start the investigation from their end, but you would think Amazon would want to try to stop the shipments as quickly as possible.
Heaven forbid they turn it over to the police for prosecution for those receiving the packages.
indufan is offline  
Old Apr 30, 19, 6:46 am
  #26  
 
Join Date: Feb 2009
Location: Lincs, UK
Programs: ICH Spire/Amb HH Dia, LCAH Plat, Marriott/SPG Gold, Hertz PC
Posts: 772
Originally Posted by johnndor View Post
You know it's also interesting that a few posts away from this one is a thread that asks people how many Hhonors points you have... that's one bit of data that could help hackers target people with large balances.

At any rate, y'all just motivated me to go change my Hilton password to something that I haven't used anywhere else.
I came here to say just that.

2/3mil HH points isn't unusual here, but it's unusual across the entire population.
So what could be easier than having people do the work for you in identifying themselves as high risk targets?

For bonus points, those insane enough to use the same username here as with HH are disproportionately more likely to be daft enough to use the same password either between FT/HH or anywhere else on the internet and HH.

Come on people, this is like vaccinations, if we want this sort of thing to stop it has to stop being profitable. If we each improve our security we *all* improve our security. Get onto haveibeenpwned.com and if you see yourself on there, then understand: You are in the queue to be compromised. When, not if. The only reason it hasn't happened already is that it's a big queue.

/rant
BearX220 and dgreen12 like this.
jimthehorsegod is offline  
Old Apr 30, 19, 7:55 am
  #27  
 
Join Date: Sep 2015
Location: flyover country
Posts: 1,246
Originally Posted by jimthehorsegod View Post
For bonus points, those insane enough to use the same username here as with HH are disproportionately more likely to be daft enough to use the same password either between FT/HH or anywhere else on the internet and HH.
Agreed.

Originally Posted by jimthehorsegod View Post
Come on people, this is like vaccinations, if we want this sort of thing to stop it has to stop being profitable. If we each improve our security we *all* improve our security.
Well, yes. But another point of view is that there will always be bad actors looking for low hanging fruit.
serpens is offline  
Old Apr 30, 19, 8:18 am
  #28  
 
Join Date: Sep 2012
Posts: 16
Originally Posted by pinion View Post
Apparently the points stealing schemes are still going on. I received 2 emails yesterday from Hilton saying that my HHonors points had been redeemed through Amazon.com. I immediately logged into my Hilton account and I've gone from approx 268,000 down to 1000, so around 267,000 were stolen. No idea how this could have happened. Email stated to call Amazon if there is a problem with the transaction or if I was not the one who placed an order. It doesn't make sense that they say they cannot track down a transaction using my Hilton number as there has to be some kind of record of the points transfer from Hilton. I don't know if there are other sources I can contact to get this situation taken care of.

Called Amazon and was told that they have no record of the transaction taking place and there is no purchase using points in my history. They basically said there is nothing they can do except talk with Hilton to see if "this is a valid transaction" and that they would get back to me in a week or so. No guarantees that they will be able to find anything. Sounds like they are trying to blame Hilton.

Called Hilton to report the fraud. Hilton stated that they could see 2 separate transactions in my account. One for 114,500 and one for 134,000 (I know the math doesn't add up; who knows). Hilton said they would have to talk to Amazon "to determine if the points transfer was valid" and they would contact me "if there was anything they could do". Sounds like they are trying to blame Amazon. No guarantees that they will find anything.

I am a long time Hilton Honors member and Hilton credit cardholder. Very loyal to the brand as they have always treated me well during my stays. I've been a Prime member for many years as well. I'm not sure if this is an Amazon.com problem or a Hilton security problem. All passwords have been changed for both accounts and credit card. As a precaution, I removed all payment sources from both accounts as well.

Any advice is greatly appreciated. This really puts a burden on my travel expenses as I was using them to pay for stays while travelling for my business.
The problem is also in part contributed by Hilton - when they mail the Monthly Statement balance - The emails clearly show Full Point Balance (which is OK) - but they also show the FULL Account Number (Unlike UA or other Hotels where they mask your account number and show only last 3 or 4 digits)

I have sent multiple emails to Hilton Management stating they should MASK the Account numbers when emailing statements - Nothing done/no acknowledgement

On the other hand, Marriott will mask the A/C number in monthly emails and show only the last few digits
BearX220 and birdiedouble like this.
ubrahme is offline  
Old Apr 30, 19, 9:35 am
  #29  
 
Join Date: Oct 2012
Posts: 7
Originally Posted by sbiddle View Post
Keystroke loggers aren't the problem. People using the same password on every website is.

If you don't have strong unique passwords on every website you visit it's not a case of if you'll be hacked, but when.
This usually. If you have a username/password combo that is on another site that has been compromised, hackers or w/e you want to call them, will then use that same username/password combo across the web in an attempt to get access to all your accounts. It's best to not reuse passwords.

I would recommend anyone that hasn't changed their password in a while change it.
jdclover is offline  
Old Apr 30, 19, 9:48 am
  #30  
FlyerTalk Evangelist
 
Join Date: Apr 2001
Location: NYC
Posts: 24,252
Originally Posted by jimthehorsegod View Post
Come on people, this is like vaccinations, if we want this sort of thing to stop it has to stop being profitable. If we each improve our security we *all* improve our security.
I was reading the other day about how much phone scammers/spoofers have generated in revenues recently -- in the billions! And IIRC, it surprisingly wasn't from the elderly, it was from millennials. I just can't fathom how many people must be getting duped by the scams, but then again, ~half this country is inordinately stupid.
ijgordon is offline  
