Keep an eye on your points. Marriott accounts hacked


Old Jul 31, 2013, 10:49 am
  #1  
Original Poster
 
Join Date: Nov 2007
Posts: 87
Keep an eye on your points. Marriott accounts hacked

Yesterday I got an email saying that the change to my email account had gone through. When I tried to log in to my Marriott account, I couldn't get in at all. Called them up and it turns out someone had hacked into my account, changed my email, password and mailing address info and spent about 360,000 points at Skymall.

I've got my account back and they're working on stopping the purchase and crediting my points back. But what was most concerning was that each of the three people I spoke to implied that this was not an unusual occurrence right now.

Flat out, I'm reading between the lines somewhat, but it sounds to me like they had a security breach of some sort and that many accounts were affected. I'm solely basing this on comments that were made while I tried to get this resolved. And before anyone brings it up, no, I did not fall for the recent phishing scam. Never even got that email to my knowledge. But I was a little shocked that so many reps all made comments along the lines of "this is happening to a lot of people right now."

Point being, keep your eyes open for any emails from Marriott about your account and act quickly if you get anything strange.
teach42
Old Jul 31, 2013, 11:04 am
  #2  
 
Join Date: Feb 2001
Location: Santa Cruz CA USA
Posts: 1,643
July 16 I received an email from Marriott asking that I change my password. I did, and just checked the account. New password works and points are there. Thanks for the heads up and good you are recovering points.

Sylvia

"There have recently been attempts made to gain unauthorized access to a small number of members' online accounts. Although your account was not included in these attempts, as a precaution, we ask that you visit Marriott.com and change your password as soon as possible to assist us in ensuring the security of your account: ... "
SylviaCaras
Old Jul 31, 2013, 11:05 am
  #3  
dw
 
Join Date: Jun 1999
Location: NYC/LA
Programs: DL Plat, AA Plat Pro, Marriott Titanium, IHG Diamond Amb
Posts: 7,486
That sucks; there could also be some malware targeting Marriott and perhaps other loyalty programs that is collecting logins and passwords.
dw
Old Jul 31, 2013, 1:27 pm
  #4  
 
Join Date: Feb 2011
Location: DEN
Programs: United Premier 1K, Marriott Platinum, Frontier, Delta, Hertz Gold, National Emerald Club
Posts: 928
OP: Thanks for the heads up . . . but to OP and ALL:

Stop making simple passwords. Use numbers, letters and characters. The longer, better.

This makes it exponentially (literally, not figuratively) harder for bots to hack your account.

Not singling you out . . . and thanks for the heads up, but abcd1234, fred1990, or similarly weak passwords are an open invite. If you had a sincerely strong password before, then this doesn't apply to you.

My Marriott PW is at least 10 characters long and has no words or number sequences. I'm not saying that to praise myself, but being grateful because due to the OP, I just checked MR account as well, and verified as I thought that it was not hacked.

Good luck to all. Keep them passwords long and cryptic.
valor155
Old Jul 31, 2013, 1:47 pm
  #5  
Original Poster
 
Join Date: Nov 2007
Posts: 87
Just for the record, it was 6 characters, six letters and two numbers. The letters were not a word in any language, nor were they a letter/number substitution cipher.

Admittedly, 6 chars could be considered on the weaker side, but this definitely was not in a brute force dictionary.

Just be careful out there!
teach42
Old Jul 31, 2013, 3:50 pm
  #6  
 
Join Date: Apr 2011
Location: BOS
Programs: Marriott, AAdvantage, United, Club Carlson
Posts: 1,687
Have you clicked on any new links recently, or downloaded any new software?

I'm asking because I'm curious if this is something internal to Marriott, or if your computer was compromised.
BostonFlyer1624
Old Jul 31, 2013, 6:39 pm
  #7  
FlyerTalk Evangelist
 
Join Date: Jan 2005
Location: home = LAX
Posts: 25,933
Originally Posted by valor155
Good luck to all. Keep them passwords long and cryptic.
But perhaps just as important: Try not to use the same username/password combination at different sites. If one gets compromised, they have access to all the others that are the same. (And if there are similar types, say all hotel programs, they might even be able to guess which ones they are.)

But if you guys think 6 alphanumeric characters are weak, what about those hotels and airlines that use a 4-digit PIN (HH, IHG, DL, BA, etc)???
sdsearch
Old Aug 1, 2013, 3:58 pm
  #8  
 
Join Date: Feb 2011
Location: DEN
Programs: United Premier 1K, Marriott Platinum, Frontier, Delta, Hertz Gold, National Emerald Club
Posts: 928
Originally Posted by teach42
Just for the record, it was 6 characters, six letters and two numbers. The letters were not a word in any language, nor were they a letter/number substitution cipher.
Admittedly, 6 chars could be considered on the weaker side, but this definitely was not in a brute force dictionary.
Just be careful out there!
That's not terrible, and I didn't want to single you out at all, just offer general advice. A few years ago, 6-character non-sequential or standard words would have been plenty powerful. But Moore's Law on computing power is changing that as it always will.

I used to have 5 character and 7+ character PWs. 5 character is basically NO security these days. I would say 8 at bare minimum, but longer is better. In my case, I just appended some of them to make them much more secure.

My longest PW is 21 characters. But there is a pattern of course. One I can remember but I believe hackers would find difficult to decrypt via brute force computing bot.

Originally Posted by sdsearch
But perhaps just as important: Try not to use the same username/password combination at different sites. If one gets compromised, they have access to all the others that are the same. (And if there are similar types, say all hotel programs, they might even be able to guess which ones they are.)

But if you guys think 6 alphanumeric characters are weak, what about those hotels and airlines that use a 4-digit PIN (HH, IHG, DL, BA, etc)???
I think Delta is one of the sites! Are you kidding? That is really ZERO security. There are only 10000 combinations! Hopefully, Delta's security and web services are fast to shut down a bot attempt at login with a PW guess algorithm.

The issue is, you don't want to make them so different that you can't remember them, therefore making it so secure that you can't get in, which defeats the purpose. The other issue is then folks just slap their PWs in a password file on their computer. Yeah, put that on a thumb drive once and see what a mess you might end up with!

There are LastPass and KeePass that can help give you all the security in PWs that you need, but then you will never personally remember those PWs, and you need computer access and the client to retrieve them.

Well ... I diverged into a security discussion. Maybe a little stronger PWs from the users and a little more diligence by Marriott IT fixes most of this simply.
valor155
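To put numbers on the two claims in the posts above (that each extra character multiplies the search space, and that a 4-digit PIN has only 10,000 possibilities), here is a small calculator. It is an added example, not code from the thread or from any loyalty program; the guess rates in RATES are assumed round figures for comparison, not measurements of any real login form or cracking rig, and the policy names are just labels.

```python
"""How password length and alphabet size scale the guessing effort.

Added illustration. Guess rates are constructed round numbers, chosen to
contrast online guessing against a login form (limited by the site) with
offline cracking of a stolen hash database (limited only by hardware).
"""
import math

# Alphabet sizes for the kinds of policy mentioned in the thread.
ALPHABETS = {
    "digits (PIN)": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "alnum + symbols": 94,   # printable ASCII minus space
}

# Assumed guess rates in guesses per second (illustrative values only).
RATES = {
    "online, form with no throttling": 50,
    "offline, fast unsalted hash on GPUs": 1e10,
    "offline, slow hash (bcrypt/scrypt)": 1e5,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Count of distinct passwords of exactly `length` chars: |A| ** n."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2(keyspace): every added character adds log2(|A|) bits."""
    return length * math.log2(alphabet_size)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the space."""
    return space / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def policy_table(policies, rates=RATES):
    """Rows of (label, entropy bits, {rate label: expected seconds})."""
    rows = []
    for label, alphabet, length in policies:
        space = keyspace(alphabet, length)
        rows.append((label, entropy_bits(alphabet, length),
                     {r: expected_seconds(space, g) for r, g in rates.items()}))
    return rows


POLICIES = [
    ("4-digit PIN", ALPHABETS["digits (PIN)"], 4),
    ("6 lowercase letters", ALPHABETS["lowercase"], 6),
    ("8 alphanumeric", ALPHABETS["alphanumeric"], 8),
    ("12 alnum + symbols", ALPHABETS["alnum + symbols"], 12),
    ("21 alnum + symbols", ALPHABETS["alnum + symbols"], 21),
]

if __name__ == "__main__":
    for label, bits, times in policy_table(POLICIES):
        print(f"{label:22s} {bits:6.1f} bits")
        for rate_label, secs in times.items():
            print(f"    {rate_label:38s} {human_time(secs)}")
```

Two caveats the table makes visible. First, the online column is governed by the site's throttling, not by Moore's law; a 10,000-entry PIN space is exhausted in minutes at a few dozen guesses per second, which is why a PIN is only as safe as the lockout behind it. Second, the bit counts assume a uniformly random password. A "pattern you can remember" built from word fragments and digits lives in a far smaller space that cracking tools try first, so its effective strength is below what its length suggests.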
Old Aug 1, 2013, 4:15 pm
  #9  
FlyerTalk Evangelist
 
Join Date: Aug 2010
Location: CPH
Programs: UAMP S, TK M&S E (*G), Marriott LTP, IHG P, SK EBG
Posts: 11,082
Good that OP is not with IHG. Another FTer (see the PC point theft thread) got a similar amount of points stolen from his IHG account. IHG first refused to give his points back and after a long time he finally got his points back.
nacho
Old Aug 2, 2013, 4:41 am
  #10  
 
Join Date: Dec 2008
Location: Mostly living in the basement
Programs: Newly minted free agent; MR LT(!)TE, HH SE, BA SECM, DL MM, UA PS, 2V Fanboi, CBP GE
Posts: 5,107
Originally Posted by valor155
I think Delta is one of the sites! Are you kidding? That is really ZERO security. There are only 10000 combinations! Hopefully, Delta's security and web services are fast to shut down a bot attempt at login with a PW guess algorithm.
Delta not too long ago began a transition to "normal" passwords. Of course, this then annoyed people who couldn't use PINs anymore.

Good luck remembering a different 21 character, random password for each website you visit. Using a password manager on your desktop? Let's hope your desktop doesn't get hacked! Sigh...
bennos
Old Aug 2, 2013, 3:29 pm
  #11  
 
Join Date: Feb 2011
Location: DEN
Programs: United Premier 1K, Marriott Platinum, Frontier, Delta, Hertz Gold, National Emerald Club
Posts: 928
Originally Posted by bennos
Delta not too long ago began a transition to "normal" passwords. Of course, this then annoyed people who couldn't use PINs anymore.

Good luck remembering a different 21 character, random password for each website you visit. Using a password manager on your desktop? Let's hope your desktop doesn't get hacked! Sigh...
I can log onto Delta with either a password or a 4 digit PIN. So, it could be a path of least resistance thing.

21-characters is long, maybe excessive, but need not be as random as you think. Word fragments with numbers or characters in a way you can remember it. It's not as hard as you think. They don't have to be completely random to be effective.

The password managers don't display the passwords, they provide them to the website. They are encrypted locally. But . . . sigh ... they are behind one password. But, if someone gets that one, all they get is a bunch of junk behind it.

The issue is being tied to OS's, desktops, or whatever. The products are starting to mobilize, but not there yet.

Before anyone tries to tackle 21, I'd suggest mastering 8 first.
valor155
Old Aug 3, 2013, 10:05 pm
  #12  
 
Join Date: Jan 2004
Location: ORD LAS HKG
Programs: Bonvoy LTT; IHG DiamondAmb; WoH Globalist; UA1K2MM; NationalEE; AvisPC; HertzPC
Posts: 703
Keep an eye on your points. Marriott accounts hacked

Apparently, someone hacked into Marriott's systems and stole our info. http://www.securityweek.com/marriott-rewards-members-urged-change-passwords-following-hack-attempts
I experienced first hand today. Sequence of events:

1. Got an email saying that my email address associated with MR has been changed from my yahoo email address to <my yahoo user id>@vnparkour.net. Since I didn't request such change, I knew instantly my MR account has been compromised.
2. I logged on my MR account and noticed that more than million points have been stolen.
3. My home address, email address and phone number have been changed. Since my birth date (minus the year) was also on file, I suspected the perpetrator has most of my personal info. And depending on how strong the encryption cipher Marriott deployed in their database is, my credit card on file may be compromised as well.
4. I called Customer Care and they were able to get hold of MR (they are supposed to be closed on Sat). I told them what happened and they said they can definitely help me to get my points back. They told me someone redeemed my points to get some expensive merchandise today (maybe Sky Mall). They sent me an affidavit and asked me to fill it out to deny any redemption attempt today. I sent it back and I'm waiting for a response by Monday. I also told her please note the shipping address so maybe the authority can trace the perpetrators.
5. I asked MR to change my info back to the original and reset the password. I changed the temp password afterward. I also changed my other loyalty accounts' passwords as well.
6. I called all three credit bureaus and asked them to put a fraud alert on my credit file.
7. I also noticed that I got 10+ mailing list confirmation emails sent to my yahoo account. The request came from an IP address 109.169.69.80. I contacted the ISP Abuse department and asked them to investigate this IP address to see if there are other complaints against this IP address.

All in all, not a fun day at all. So fellow flyertalkers, watch your MR accounts closely.

Last edited by ktjan; Aug 3, 2013 at 11:43 pm
ktjan
Old Aug 4, 2013, 7:47 am
  #13  
 
Join Date: Mar 2012
Posts: 14
Keep an eye on your points. Marriott accounts hacked

My account was hacked last week as well. Still waiting to get my points back. I suspect the thief got our passwords from Marriott's IT system.
twsaving
Old Aug 4, 2013, 8:03 am
  #14  
 
Join Date: Apr 2013
Posts: 275
Many password managers include a password generator feature. I use Dashlane since I'm on the go a lot and it has clients on desktop and mobile devices. The passwords are AES-256 encrypted, one of the most secure encryption schemes. Your decryption key isn't stored anywhere (best way of decrypting passwords) but derived on your client every time you enter your master password. On top of that, you can link Dashlane to Google 2-factor sign in, so that's a second layer of security even if your desktop gets hacked.

I would strongly recommend everyone use a reputable VPN SSL provider to encrypt your data transmission when you're out and about, especially with open Wifi in hotels or coffee shops. If your employer provides VPN and (1) allows you unfettered access to the internet and (2) you don't mind your personal stuff being monitored by your employer, then use your company VPN.
kulflyer
Old Aug 5, 2013, 5:45 am
  #15  
 
Join Date: Dec 2010
Posts: 142
I thought most places now have a policy where if you enter the wrong password 3 times your account is locked? Wouldn't that stop the password bots from working? (unless you had spyware on your machine)?
chitownjeff
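The question above, whether a three-strikes lockout stops "password bots", depends on which bot. The toy login service below is an added example, not code from the thread or from Marriott: it applies a per-account lockout after three wrong guesses and is then attacked three ways. A single-account brute force is stopped, but a spray of one common password across many accounts never reaches any account's threshold, and credential stuffing with a password reused from another site succeeds on the first try, which is exactly the reuse problem sdsearch raised earlier in the thread. All user names, passwords and the "breach dump" are constructed sample data; LoginService, its lockout rule and the optional per-IP cap are hypothetical.

```python
"""Per-account lockout vs. password spraying and credential stuffing.

Added illustration with constructed data. Hashing uses PBKDF2 with a low
iteration count so the demo runs quickly; real deployments use far more.
"""
from collections import defaultdict
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3          # wrong guesses before an account is locked
ATTACKER_IP = "203.0.113.5"    # documentation-range address, constructed


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2_000)


class LoginService:
    """Hypothetical login endpoint: per-account lockout, optional per-IP cap."""

    def __init__(self, credentials, ip_limit=None):
        self.users = {}                      # name -> (salt, hash); no plaintext kept
        for name, pw in credentials.items():
            salt = os.urandom(16)
            self.users[name] = (salt, _hash(pw, salt))
        self.failures = defaultdict(int)     # wrong guesses per account
        self.locked = set()
        self.ip_attempts = defaultdict(int)  # attempts per source address
        self.ip_limit = ip_limit             # None = per-account lockout only

    def login(self, user, password, src_ip):
        if self.ip_limit is not None:
            self.ip_attempts[src_ip] += 1
            if self.ip_attempts[src_ip] > self.ip_limit:
                return "rate_limited"
        if user in self.locked:
            return "locked"
        if user in self.users:
            salt, stored = self.users[user]
            if hmac.compare_digest(_hash(password, salt), stored):
                self.failures[user] = 0
                return "ok"
        self.failures[user] += 1             # unknown users count too
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return "fail"


def sample_credentials():
    """Constructed accounts: two weak, one strong-but-reused, rest random."""
    creds = {"alice": "Summer2013",      # guessable seasonal password
             "bob": "rT7k$2Lp",          # strong, but reused on another site
             "carol": "letmein1",
             "dave": "x9#Qm2!vLp4z"}
    for i in range(16):
        creds[f"user{i:02d}"] = os.urandom(8).hex()
    return creds


def brute_force_one(svc, user, guesses, ip=ATTACKER_IP):
    """The attack the lockout is built for: many guesses against one account."""
    return [svc.login(user, g, ip) for g in guesses]


def spray(svc, password, ip=ATTACKER_IP):
    """One guess per account, so no account ever reaches the threshold."""
    outcomes = {u: svc.login(u, password, ip) for u in svc.users}
    hits = [u for u, r in outcomes.items() if r == "ok"]
    limited = sum(1 for r in outcomes.values() if r == "rate_limited")
    return hits, len(svc.locked), limited


def credential_stuff(svc, breached_pairs, ip=ATTACKER_IP):
    """Replay username/password pairs leaked from some other site."""
    return [u for u, pw in breached_pairs if svc.login(u, pw, ip) == "ok"]


def run_demo():
    creds = sample_credentials()
    results = {}
    # 1. Brute force on one account: locked after three misses, and the
    #    correct fifth guess is refused too.
    svc = LoginService(creds)
    results["brute_force"] = brute_force_one(
        svc, "alice", ["password", "123456", "qwerty", "abcd1234", "Summer2013"])
    # 2. Spray one common password across every account: zero lockouts.
    svc = LoginService(creds)
    hits, locked, _ = spray(svc, "Summer2013")
    results["spray_hits"], results["spray_locked"] = hits, locked
    # 3. Credential stuffing from a constructed breach dump of another site.
    svc = LoginService(creds)
    breached = [("bob", "rT7k$2Lp"), ("carol", "carol2009"), ("eve", "hunter2")]
    results["stuffing_hits"] = credential_stuff(svc, breached)
    # 4. The same spray against a service that also caps attempts per IP.
    svc = LoginService(creds, ip_limit=10)
    _, _, limited = spray(svc, "Summer2013")
    results["spray_rate_limited"] = limited
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it and the first attack ends in "locked" while the second and third each return a hit with no account ever locked. The per-IP cap in the fourth run cuts the spray off after ten attempts from one address, but an attacker who spreads the same guesses across many addresses, or who simply has your reused password from another breach, is not slowed by either control. Lockouts protect against one bot pattern; unique passwords per site protect against the other two.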



This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.