pinion

Apparently the points stealing schemes are still going on. I received 2 emails yesterday from Hilton saying that my HHonors points had been redeemed through Amazon.com. I immediately logged into my Hilton account and I've gone from approx 268,000 down to 1000, so around 267,000 were stolen. No idea how this could have happened. Email stated to call Amazon if there is a problem with the transaction or if I was not the one who placed an order. It doesn't make sense that they say they cannot track down a transaction using my Hilton number as there has to be some kind of record of the points transfer from Hilton. I don't know if there are other sources I can contact to get this situation taken care of.

Called Amazon and was told that they have no record of the transaction taking place and there is no purchase using points in my history. They basically said there is nothing they can do except talk with Hilton to see if "this is a valid transaction" and that they would get back to me in a week or so. No guarantees that they will be able to find anything. Sounds like they are trying to blame Hilton.

Called Hilton to report the fraud. Hilton stated that they could see 2 separate transactions in my account. One for 114,500 and one for 134,000 (I know the math doesn't add up; who knows). Hilton said they would have to talk to Amazon "to determine if the points transfer was valid" and they would contact me "if there was anything they could do". Sounds like they are trying to blame Amazon. No guarantees that they will find anything.

I am a long time Hilton Honors member and Hilton credit cardholder. Very loyal to the brand as they have always treated me well during my stays. I've been a Prime member for many years as well. I'm not sure if this is an Amazon.com problem or a Hilton security problem. All passwords have been changed for both accounts and credit card. As a precaution, I removed all payment sources from both accounts as well.

Any advice is greatly appreciated. This really puts a burden on my travel expenses as I was using them to pay for stays while travelling for my business.

jerry a. laska

See these threads:
https://www.flyertalk.com/forum/hilt...nt-hacked.html
https://www.flyertalk.com/forum/28634172-post224.html
I read that you can use Hilton Points on Amazon?

Jerry Vandesic

It's likely a Hilton problem. Someone hacked into your HHonors account. They then set up a brand new Amazon account, and linked that Amazon account with your hacked HHonors account. They then bought some stuff on Amazon, and used your HHonors points to pay for the stuff. Amazon wouldn't have seen anything unusual on your Amazon account because your Amazon account wasn't used to steal your points.

pinion

Thanks for the info. What I really don't understand is why Amazon wouldn't have a way of looking up the points transfer by the Hilton number. It had to be used to retrieve the points from the Hilton system, so there had to be some type of traffic between the two accounts resulting in a record in the system somewhere. I just need ammo for the inevitable fight to get the points reinstated.

Does anyone have the number for the Hilton fraud dept? I have a case number, but have heard nothing (phone, email, etc) yet.

BearX220

The same thing happened to me. I had a robo-email from Hilton about a week ago saying "Welcome to Honors!" as if I were a new signup, which I thought was weird. Went to the site right away and changed my password, as I do every so often, and moved on. But: tried to log in again tonight, new password didn't work, and the password-reset page didn't recognize my email... I rang the customer service line and found a strange email is associated with my Honors number, I have one point available, and my 675k balance is gone -- redeemed to Amazon in three separate transactions sometime last week.

I never had a redemption notification or confirmation, nor a query as to whether the email change was legit. Normally you get an auto-email from Honors for any tiny change. In this case, crickets.

I got passed to fraud redemption and the rep said I would have my points reinstated within five business days, which is fine, but the vulnerability is spooky.

It might be worth adding that on the same evening I got that "Welcome to Honors" robo-email from Hilton, I had a robo-email from Flyertalk.com: "You have requested to reset your password on FlyerTalk Forums because you have forgotten your password. If you did not request this, please ignore it." This was not the case, I made no such request, but someone was sniffing around my profile in multi environments. For the record my FT password was of course not identical to my Honors password, and both are now changed again anyway.

rrgg

It seems like a preventative strategy is to link my HHonors account to Amazon even if I never want to use points there. At least if I've linked it, someone else can't link it. If anyone tries this, be sure to uncheck a box which says to pay with points automatically.

Edited to add: After linking Hilton sent me a direct email, "Your Hilton Honors Account is now linked to Amazon.com."

rcmiller

As a side note, I logged in to my Honors account to change my password since it has been a little bit (no stolen points, just precaution)... click on the "change password" link and I get a "Not Found" error message web page. Several of the other links do the same thing. Hilton's new website is just terrible..

rrgg

I had the same error but it worked after waiting a few minutes.

asdfghjk

What happen if someone tries to relink it to a different Amazon account? Do you get notified when that happens? Thanks.

Edit: According to Hilton, you can link up to 3 Amazon accounts to your Hilton account. So this wouldn't help.

rrgg

Thanks for posting this. I had no idea. Now I have to link to 3 accounts to make this work!

To answer your question, I don't know for sure, but the first link generated email from both Hilton and Amazon. I assume that will happen on the second link too.

fastflyer

It sounds like some of the hacked posters, above, have some kind of keystroke tracker malware on one of their devices. Older operating systems are extremely vulnerable to keystroke trackers.

Never change a password using an old computer.

Another trick -- if you must use an older OS or are in an insecure location needing a password reset -- type part of the password, then use backspaces, then type more of the password (do this multiple times within the passport field). This helps to confound the tracker malware.

serpens

Do keystroke loggers only track printing characters? If it captured every keystroke, it seems like the strategy of using a backspace would not work.

What about typing, say, the start and the end of the password, then clicking to put the insertion point in the middle of the password and typing the rest of the password? Would a keystroke logger capture such a mouse action?

sbiddle

Keystroke loggers aren't the problem. People using the same password on every website is.

If you don't have strong unique passwords on every website you visit it's not a case of if you'll be hacked , but when.

Tomphot

vitorborg