HHonors Points Stolen Through Amazon.com

Old Apr 10, 19, 6:03 pm
  #1  
Original Poster
 
Join Date: Nov 2007
Posts: 28
HHonors Points Stolen Through Amazon.com

Apparently the points stealing schemes are still going on. I received 2 emails yesterday from Hilton saying that my HHonors points had been redeemed through Amazon.com. I immediately logged into my Hilton account and I've gone from approx 268,000 down to 1000, so around 267,000 were stolen. No idea how this could have happened. Email stated to call Amazon if there is a problem with the transaction or if I was not the one who placed an order. It doesn't make sense that they say they cannot track down a transaction using my Hilton number as there has to be some kind of record of the points transfer from Hilton. I don't know if there are other sources I can contact to get this situation taken care of.

Called Amazon and was told that they have no record of the transaction taking place and there is no purchase using points in my history. They basically said there is nothing they can do except talk with Hilton to see if "this is a valid transaction" and that they would get back to me in a week or so. No guarantees that they will be able to find anything. Sounds like they are trying to blame Hilton.

Called Hilton to report the fraud. Hilton stated that they could see 2 separate transactions in my account. One for 114,500 and one for 134,000 (I know the math doesn't add up; who knows). Hilton said they would have to talk to Amazon "to determine if the points transfer was valid" and they would contact me "if there was anything they could do". Sounds like they are trying to blame Amazon. No guarantees that they will find anything.

I am a long time Hilton Honors member and Hilton credit cardholder. Very loyal to the brand as they have always treated me well during my stays. I've been a Prime member for many years as well. I'm not sure if this is an Amazon.com problem or a Hilton security problem. All passwords have been changed for both accounts and credit card. As a precaution, I removed all payment sources from both accounts as well.

Any advice is greatly appreciated. This really puts a burden on my travel expenses as I was using them to pay for stays while travelling for my business.
pinion is offline  
Old Apr 10, 19, 8:13 pm
  #2  
FlyerTalk Evangelist
 
Join Date: Oct 1999
Location: Juneau, Alaska.
Programs: AS 75K; BA Gold
Posts: 13,472
See these threads:
Hilton Account Hacked
https://www.flyertalk.com/forum/28634172-post224.html
I read that you can use Hilton Points on Amazon?
jerry a. laska is offline  
Old Apr 10, 19, 8:35 pm
  #3  
 
Join Date: Nov 2010
Programs: Hilton Diamond + Marriott Gold
Posts: 65
Originally Posted by pinion View Post
I'm not sure if this is an Amazon.com problem or a Hilton security problem.
It's likely a Hilton problem. Someone hacked into your HHonors account. They then set up a brand new Amazon account, and linked that Amazon account with your hacked HHonors account. They then bought some stuff on Amazon, and used your HHonors points to pay for the stuff. Amazon wouldn't have seen anything unusual on your Amazon account because your Amazon account wasn't used to steal your points.
Jerry Vandesic is offline  
Old Apr 11, 19, 6:51 pm
  #4  
Original Poster
 
Join Date: Nov 2007
Posts: 28
Thanks for the info. What I really don't understand is why Amazon wouldn't have a way of looking up the points transfer by the Hilton number. It had to be used to retrieve the points from the Hilton system, so there had to be some type of traffic between the two accounts resulting in a record in the system somewhere. I just need ammo for the inevitable fight to get the points reinstated.

Does anyone have the number for the Hilton fraud dept? I have a case number, but have heard nothing (phone, email, etc) yet.
pinion is offline  
Old Apr 14, 19, 10:08 pm
  #5  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Location: ORD/MDW
Programs: BA/AA/AS/B6/WN/ UA/HH/MR and more like 'em but most felicitously & importantly MUCCI
Posts: 19,109
The same thing happened to me. I had a robo-email from Hilton about a week ago saying "Welcome to Honors!" as if I were a new signup, which I thought was weird. Went to the site right away and changed my password, as I do every so often, and moved on. But: tried to log in again tonight, new password didn't work, and the password-reset page didn't recognize my email... I rang the customer service line and found a strange email is associated with my Honors number, I have one point available, and my 675k balance is gone -- redeemed to Amazon in three separate transactions sometime last week.

I never had a redemption notification or confirmation, nor a query as to whether the email change was legit. Normally you get an auto-email from Honors for any tiny change. In this case, crickets.

I got passed to fraud redemption and the rep said I would have my points reinstated within five business days, which is fine, but the vulnerability is spooky.

It might be worth adding that on the same evening I got that "Welcome to Honors" robo-email from Hilton, I had a robo-email from Flyertalk.com: "You have requested to reset your password on FlyerTalk Forums because you have forgotten your password. If you did not request this, please ignore it." This was not the case, I made no such request, but someone was sniffing around my profile in multi environments. For the record my FT password was of course not identical to my Honors password, and both are now changed again anyway.

Last edited by BearX220; Apr 15, 19 at 7:20 am Reason: Repair typo
BearX220 is offline  
Old Apr 19, 19, 7:50 am
  #6  
 
Join Date: Dec 2004
Posts: 7,089
It seems like a preventative strategy is to link my HHonors account to Amazon even if I never want to use points there. At least if I've linked it, someone else can't link it. If anyone tries this, be sure to uncheck a box which says to pay with points automatically.

Edited to add: After linking Hilton sent me a direct email, "Your Hilton Honors Account is now linked to Amazon.com."
JDiver and strickerj like this.

Last edited by rrgg; Apr 19, 19 at 8:06 am
rrgg is offline  
Old Apr 19, 19, 9:12 am
  #7  
 
Join Date: Nov 2018
Location: Between MGM & ATL
Programs: Hilton, SkyMiles, Hertz
Posts: 64
As a side note, I logged in to my Honors account to change my password since it has been a little bit (no stolen points, just precaution)... click on the "change password" link and I get a "Not Found" error message web page. Several of the other links do the same thing. Hilton's new website is just terrible.
rcmiller is offline  
Old Apr 19, 19, 9:22 am
  #8  
 
Join Date: Dec 2004
Posts: 7,089
I had the same error but it worked after waiting a few minutes.
rrgg is offline  
Old Apr 19, 19, 9:40 am
  #9  
 
Join Date: Aug 2012
Posts: 398
Originally Posted by rrgg View Post
It seems like a preventative strategy is to link my HHonors account to Amazon even if I never want to use points there. At least if I've linked it, someone else can't link it. If anyone tries this, be sure to uncheck a box which says to pay with points automatically.

Edited to add: After linking Hilton sent me a direct email, "Your Hilton Honors Account is now linked to Amazon.com."
What happens if someone tries to relink it to a different Amazon account? Do you get notified when that happens? Thanks.

Edit: According to Hilton, you can link up to 3 Amazon accounts to your Hilton account. So this wouldn't help.
BearX220, Buck30 and FlyBitcoin like this.

Last edited by asdfghjk; Apr 19, 19 at 9:50 am
asdfghjk is offline  
Old Apr 19, 19, 12:37 pm
  #10  
 
Join Date: Dec 2004
Posts: 7,089
Originally Posted by asdfghjk View Post
What happens if someone tries to relink it to a different Amazon account? Do you get notified when that happens? Thanks.

Edit: According to Hilton, you can link up to 3 Amazon accounts to your Hilton account. So this wouldn't help.
Thanks for posting this. I had no idea. Now I have to link to 3 accounts to make this work!

To answer your question, I don't know for sure, but the first link generated email from both Hilton and Amazon. I assume that will happen on the second link too.
rrgg is offline  
Old Apr 19, 19, 3:01 pm
  #11  
 
Join Date: Apr 2000
Location: Palm Beach/ New England
Programs: AA EXP 3MM, DL GM, Marriott Platinum
Posts: 3,984
It sounds like some of the hacked posters, above, have some kind of keystroke tracker malware on one of their devices. Older operating systems are extremely vulnerable to keystroke trackers.

Never change a password using an old computer.

Another trick -- if you must use an older OS or are in an insecure location needing a password reset -- type part of the password, then use backspaces, then type more of the password (do this multiple times within the password field). This helps to confound the tracker malware.

Last edited by Canarsie; May 2, 19 at 4:13 am Reason: Consolidation.
fastflyer is offline  
Old Apr 19, 19, 4:06 pm
  #12  
 
Join Date: Sep 2015
Location: flyover country
Posts: 1,246
Originally Posted by fastflyer View Post
Another trick -- if you must use an older OS or are in an insecure location needing a password reset -- type part of the password, then use backspaces, then type more of the password (do this multiple times within the password field). This helps to confound the tracker malware.
Do keystroke loggers only track printing characters? If it captured every keystroke, it seems like the strategy of using a backspace would not work.

What about typing, say, the start and the end of the password, then clicking to put the insertion point in the middle of the password and typing the rest of the password? Would a keystroke logger capture such a mouse action?
serpens is offline  
Old Apr 20, 19, 3:12 pm
  #13  
 
Join Date: Apr 2013
Location: New Zealand (most of the time)
Programs: NZ Elite *G, HHonors Diamond, IHG Platinum Elite
Posts: 4,969
Keystroke loggers aren't the problem. People using the same password on every website is.

If you don't have strong unique passwords on every website you visit, it's not a case of if you'll be hacked, but when.
Dunbar, wrp96 and jtc246 like this.
sbiddle is offline  
Old Apr 20, 19, 4:42 pm
  #14  
 
Join Date: Jan 2000
Location: ATL - DL DM/3MM - HH Lifetime Diamond - Marriott Plat
Posts: 3,090
I recently had an email from Hilton saying I had changed my email address. I tried logging into my account and wasn’t recognized. I called Hilton and they switched everything back at which time I changed password. All this happened within 10 minutes and luckily no points were drained.
akr1970akr likes this.
Tomphot is offline  
Old Apr 22, 19, 12:15 am
  #15  
 
Join Date: Jul 2011
Programs: JJ *Silver
Posts: 4
I also had just short of 80,000 Hilton Honors points redeemed through an illegitimate Amazon transaction last week and rang the Diamond desk as soon as I became aware of the issue. Interestingly, the timeline of Hilton communications was rather odd. The monthly Hilton account statement sent to me before the other Hilton/Amazon emails several hours earlier already captured the fact that the points were gone. I then received an Amazon/Hilton redemption email about 3 hours before the email saying that my Amazon and Hilton accounts were “now linked”. Given the public holidays, I am still to hear back from the HH fraud team or have my points reinstated, but the Diamond desk agent was upset at Amazon and implied that Amazon’s IT systems were like a faulty sieve, allowing everything to go through...
BearX220 likes this.
vitorborg is offline  
