IHG Account hacked - Points redeemed for Amazon gift certs.

Feb 19, 18, 9:38 am
  #1  
Original Poster
 
Join Date: Feb 2014
Posts: 10

I just logged into my wife's IHG account to use her free night certificate and noticed that almost all of her 90k points had been redeemed 2 days ago. I called up IHG and they said they were used to redeem Amazon gift certificates. I told them it wasn't her and they are investigating. My wife didn't receive any sort of email confirmation of the activity; I'm lucky I logged in and noticed the activity or else I wouldn't have known it was happening. I also checked her Amazon and the points were not redeemed on her account, so her Amazon wasn't hacked. I read that IHG had been hacked at the end of last year and also their PIN system makes hacking somewhat easy. This is an FYI - you may want to check on your accounts to make sure they are good.
cjchaps
Feb 19, 18, 10:33 am
  #2  
A FlyerTalk Posting Legend
 
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 48,051
Also - A word to the wise. Have your wife check her account and then have her make the call.

As soon as you call, admitting that you had access to the account, you have violated the terms and conditions of the account and put the recovery at risk. Not suggesting that will happen here, but your call raises the question of who else has access to the account.
Often1
Feb 20, 18, 4:06 am
  #3  
 
Join Date: Jan 2018
Posts: 11
It's quite unbelievable that IHG still uses a 4-digit PIN system. Even the most inane sites seem to have better password security...
inkling
Feb 20, 18, 12:40 pm
  #4  
 
Join Date: Feb 2012
Programs: Priority Club
Posts: 97
Originally Posted by inkling
It's quite unbelievable that IHG still uses a 4-digit PIN system. Even the most inane sites seem to have better password security...
I can remember my PC Number by heart - would be happy with a 9 digit PIN or even one with letters in.
UKDegsy
Mar 14, 18, 12:53 pm
  #5  
Original Poster
 
Join Date: Feb 2014
Posts: 10
IHG finally got back to us and reinstated all the points, and then gave us a new PIN. Oh well, I'll probably add my account to awards wallet so I get alerted if they get removed again.

Last edited by FLYGVA; Mar 17, 18 at 4:13 am Reason: corrected Marriott to IHG as the OP confirmed he miswrote
cjchaps
Mar 25, 18, 4:53 pm
  #6  
 
Join Date: Sep 2009
Posts: 1
I've seen the earlier threads since the hacks seemed to start in December.

I received an email to the proper email account telling me my account had been updated. I had the account open on a previous recent day checking rates for a possible booking, but had not changed anything. So I logged in and saw my address had been changed to China and points redeemed 12 hours ago.

A quick call to IHG got the redemption cancelled and my points reinstated. I immediately changed the email and PIN to help avoid a repeat.

Previous threads reported that the hackers got the email account first, changed the email and PIN, and locked the legitimate account holder out.
This was not the case with my account. Only the address was changed. Email and PIN were still OK and I could access.
So, someone probably has hacked IHG account numbers or email addresses associated with accounts and may just be randomly generating PINs or is directly accessing the accounts without the PINs to drain them.

Reports of the thief using points to purchase gift cards or book rooms.
Metwo3
Mar 26, 18, 3:35 am
  #7  
 
Join Date: Nov 2006
Location: Locked down in the UK
Programs: Seniors Bus Pass, BA Gold
Posts: 5,235
Welcome to Flyertalk, Metwo3.

As it is only a four digit PIN, and there are therefore 9999 possible combinations, what the hacker needs is just your account number and a computer programme to go through the variations until they get in.

When this was discussed a year or so ago there was some talk of changing to lock out after a number of incorrect tries. I don't know if this has been implemented. If not, then it will be a few milliseconds' work for the computer to get access.

Where might they get your member number? Any number of compromised places, I suppose. Also the waste paper bin - some hotels put your number on "welcome letters" and they are often on receipts etc.
antichef
Mar 28, 18, 5:22 am
  #8  
 
Join Date: Mar 2015
Posts: 1,989
No membership number required. Email + PIN works too, and getting email addresses is much easier.
PayItForward
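
The lockout after a number of incorrect tries that post #7 mentions, as an added example (not from the thread and not IHG's code): failures are counted per account, so switching between member number and email (post #8) earns no extra guesses. The class name, the limit of 5 tries and the 15-minute lock are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # assumed policy value, not IHG's
LOCK_SECONDS = 15 * 60  # assumed lock duration

def _pin_hash(pin, salt):
    # Salted, slow hash so the stored value is not the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class PinAuthenticator:
    """Failed-attempt lockout counted per account, not per login identifier."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._accounts = {}  # account_id -> salt, hash, failures, locked_until
        self._aliases = {}   # email or member number -> account_id

    def register(self, account_id, pin, email, member_number):
        salt = os.urandom(16)
        self._accounts[account_id] = {"salt": salt, "hash": _pin_hash(pin, salt),
                                      "failures": 0, "locked_until": 0.0}
        self._aliases[email.lower()] = account_id
        self._aliases[member_number] = account_id

    def login(self, identifier, pin):
        """Return 'ok', 'denied' or 'locked'."""
        account_id = self._aliases.get(identifier.lower())
        if account_id is None:
            return "denied"
        acct = self._accounts[account_id]
        now = self._clock()
        if now < acct["locked_until"]:
            return "locked"  # refused even with the right PIN until the lock expires
        if hmac.compare_digest(_pin_hash(pin, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCK_SECONDS
            acct["failures"] = 0
        return "denied"

def guess_success_bound(max_failures, pin_digits=4):
    """Largest chance of guessing a uniformly random PIN within one lock window."""
    return max_failures / 10 ** pin_digits
```

With these assumed values a guesser gets at most 5 tries per 15 minutes against one account, so a lock alone slows guessing rather than ending it; alerting the account holder on a lock covers the rest.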
