My SPG Account Got Hacked

 
Old Jan 19, 15, 8:44 pm
  #196  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.021MM; Bonvoy Au-197; PCC Elite+; CWC Au-197; CCC Elite*; WoH Dis
Posts: 49,791
Originally Posted by Spock Seat:
There are programs (inaccurately called "apps") that run tons of permutations per second by brute force to crack .rar files that are password protected.
Very poor analogy. Rar files don't lock you out after three failed attempts. (And "app" is a perfectly accurate term - it's just an abbreviation for application, and these programs are indeed applications.)

Originally Posted by Spock Seat:
By the way, where are all of these Amazon Gift cards being mailed to?
People either get them emailed (the easiest non-traceable method), or they change the address on the account if they want a physical card (leaves a trail, but not all of these thieves are necessarily the ripest bananas in the bunch).
mahasamatman is offline  
Old Jan 20, 15, 12:31 am
  #197  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 88,402
Originally Posted by abaaz:
Got multiple emails while I was asleep last night telling me my SPG account information has been updated. I hadn't logged into my account in months so called SPG. Could not login or verify any of my personal information with the rep as the perp had changed everything so they couldn't do anything for me on the phone.

I had over 150K SPG points which were apparently cashed out for Amazon gift cards and mailed to an address in Illinois. Sending an email to SPG now; hopefully they can clear this out soon.

Wondering if this has happened to anyone else recently as it would mean there's been some kind of breach?
I got one of these emails today after making a reservation but not going near my profile. I didn't see any changes to my profile, I called, and the Plat Concierge couldn't see any changes either. He had me do the experiment of logging out and logging in fresh to look for changes. His impression was that some glitch is causing the "you've made an update to your SPG account" email to be sent when it should not be. Since it tells you to call immediately if you have not made any changes to your profile, that's what I did.
MSPeconomist is offline  
Old Jan 20, 15, 1:39 am
  #198  
 
Join Date: Nov 2010
Location: SFO
Programs: Marriott Ambassador, Skywards Platinum
Posts: 3,028
Originally Posted by MSPeconomist:
I got one of these emails today after making a reservation but not going near my profile. I didn't see any changes to my profile, I called, and the Plat Concierge couldn't see any changes either. He had me do the experiment of logging out and logging in fresh to look for changes. His impression was that some glitch is causing the "you've made an update to your SPG account" email to be sent when it should not be. Since it tells you to call immediately if you have not made any changes to your profile, that's what I did.
While making a reservation, if you changed your preference for that reservation, you will get one of those emails.
LovetoTravel83 is offline  
Old Jan 20, 15, 8:39 am
  #199  
 
Join Date: Oct 2013
Posts: 3
Originally Posted by Starwood Lurker II:
First, we want to assure all SPG members that they will not lose any points if their account is affected.

We have a large team actively investigating and attempting to directly contact affected members. If an SPG member notices an issue with their account, please contact our customer service team.
I too was affected. I contacted SPG customer service as soon as I noticed the emails sent early AM on January 18th stating that my profile and email address had been updated. The gentleman stated that my points were cashed out for Amazon gift cards. He also stated that my account was being referred to the fraud department and I would hear back in 10 business days.

I am not in urgent need of access to my account at this time, but is there a more specific ETA than this available? I have upcoming reservations and my SPG AmEx made its regular deposit to my account yesterday. Will I need to follow up on those points? Thank you.
silkwood is offline  
Old Jan 20, 15, 9:30 am
  #200  
 
Join Date: Sep 2012
Posts: 1,747
For those who have been "hacked", can I ask:

Were you aware of this issue, and did you change your password and/or userid in the last 1 week?

Or was your password something that's been in use for some time?


I'm interested to know if the attack is a mass password/ID steal - which would have presumably occurred some time ago and therefore new password/IDs would not be affected.

Or if it is someone who has found a way to access current existing account information - in which case even if we change our password/ID they will still be able to get in...
travelswithmyself is offline  
Old Jan 20, 15, 9:55 am
  #201  
 
Join Date: Jul 2009
Posts: 265
My username and password for SPG was not a new one and it has been in use for a while now. It was unique to SPG at this time. My systems show no malware or viruses and hope that SPG can identify where the breach may have occurred so that we know what other data may have been stolen.

Originally Posted by travelswithmyself:
For those who have been "hacked", can I ask:

Were you aware of this issue, and did you change your password and/or userid in the last 1 week?

Or was your password something that's been in use for some time?


I'm interested to know if the attack is a mass password/ID steal - which would have presumably occurred some time ago and therefore new password/IDs would not be affected.

Or if it is someone who has found a way to access current existing account information - in which case even if we change our password/ID they will still be able to get in...
britinva79 is offline  
Old Jan 20, 15, 10:04 am
  #202  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 88,402
Originally Posted by LovetoTravel83:
While making a reservation, if you changed your preference for that reservation, you will get one of those emails.
The point is that I didn't change anything. In fact, I didn't even look at my profile while making the reservation.

It seems like an error that can waste everyone's time and distract people from true account fraud or hacking reports.
MSPeconomist is offline  
Old Jan 20, 15, 1:00 pm
  #203  
 
Join Date: Feb 2010
Location: London
Posts: 38
Originally Posted by britinva79:
My username and password for SPG was not a new one and it has been in use for a while now. It was unique to SPG at this time. My systems show no malware or viruses and hope that SPG can identify where the breach may have occurred so that we know what other data may have been stolen.
Same for me... been using the same password for a while. Was always one of those people who thought I could never be a victim of hacking/phishing as I'm usually very careful with my online activities.
abaaz is offline  
Old Jan 20, 15, 8:15 pm
  #204  
 
Join Date: Jun 2004
Location: HKG, NYC
Programs: CX Marco Polo Silver, Asiana Gold, CO OnePass, SPG Gold, HHonors Silver, Marriott Silver, Hyatt Plat
Posts: 129
I would like to report that my SPG account just got hacked as well.

I tried using my ID and password to log into my SPG account via the website but was unsuccessful. Then, I typed in my SPG card number and password to log in and was still unsuccessful. Upon calling SPG, I have found out that my account has been hacked and someone has used my account to redeem for free iTunes and Amazon gift cards.

SPG immediately looked into my account and cancelled all such redemptions as well as deposited all my lost SPG points back to my account. I think SPG handled this situation pretty well, and they will provide me with an investigation report hopefully in the next few days.
lesteryen is offline  
Old Jan 20, 15, 10:09 pm
  #205  
 
Join Date: Jan 2013
Location: CEB - primary/YVR -secondary
Programs: AC*Super Elite (100K) / PR*Elite / AY*Platinum (OWE) / SPG*Bonvoy Ambassador (LTT)
Posts: 1,845
Originally Posted by lesteryen:
I would like to report that my SPG account just got hacked as well.

I tried using my ID and password to log into my SPG account via the website but was unsuccessful. Then, I typed in my SPG card number and password to log in and was still unsuccessful. Upon calling SPG, I have found out that my account has been hacked and someone has used my account to redeem for free iTunes and Amazon gift cards.

SPG immediately looked into my account and cancelled all such redemptions as well as deposited all my lost SPG points back to my account. I think SPG handled this situation pretty well, and they will provide me with an investigation report hopefully in the next few days.

When u get ur report, can u let us know how this happened without going into details?
supatight80 is offline  
Old Jan 20, 15, 10:32 pm
  #206  
 
Join Date: Dec 2012
Location: Seattle
Programs: SPG Plat
Posts: 37
+1 on getting hacked, sorted it out with SPG over the phone, lots of headaches trying to get back in.

Same story as the rest, all Starpoints liquidated into Amazon gift cards with a target address on the east coast.

I think it's fixed now, they said someone is going to contact me within a week or two with more information.
techtravels89 is offline  
Old Jan 20, 15, 10:54 pm
  #207  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.021MM; Bonvoy Au-197; PCC Elite+; CWC Au-197; CCC Elite*; WoH Dis
Posts: 49,791
SPG should put a moratorium on gift card redemptions until they get their security issues worked out. I'm convinced that Amazon gift cards account for more than half of all online fraud and scams.
mahasamatman is offline  
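
Added example, not part of any post in this thread: a narrower alternative to a blanket moratorium is to hold only the gift-card redemptions that match the pattern reported above (email or address changed, then the balance cashed out). The event names, the 72-hour window, the 90% threshold and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

CONTACT_CHANGES = {"email_change", "address_change"}
HOLD_WINDOW = timedelta(hours=72)  # assumed cooling-off period
DRAIN_FRACTION = 0.9               # assumed threshold for "liquidated"


def review_redemptions(events, window=HOLD_WINDOW):
    """Return [(event, reasons)] for gift-card redemptions to hold for review."""
    last_change = {}  # account -> time of latest contact-detail change
    held = []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        if ev["type"] in CONTACT_CHANGES:
            last_change[acct] = ev["time"]
        elif ev["type"] == "redeem_gift_card":
            reasons = []
            changed = last_change.get(acct)
            if changed is not None and ev["time"] - changed <= window:
                reasons.append("contact details changed within hold window")
            balance = ev["balance_before"]
            if balance > 0 and ev["points"] >= DRAIN_FRACTION * balance:
                reasons.append("redemption drains most of the balance")
            if reasons:
                held.append((ev, reasons))
    return held


def make_event(account, when, kind, **extra):
    return {"account": account, "time": datetime.fromisoformat(when),
            "type": kind, **extra}


# Constructed sample events (not real account data).
SAMPLE_EVENTS = [
    make_event("A", "2015-01-18T03:02:00", "email_change"),
    make_event("A", "2015-01-18T03:05:00", "address_change"),
    make_event("A", "2015-01-18T03:20:00", "redeem_gift_card",
               points=150000, balance_before=150000),
    make_event("B", "2015-01-18T12:00:00", "redeem_gift_card",
               points=10000, balance_before=80000),
    make_event("C", "2014-12-01T09:00:00", "address_change"),
    make_event("C", "2015-01-19T09:00:00", "redeem_gift_card",
               points=5000, balance_before=60000),
]

if __name__ == "__main__":
    for event, reasons in review_redemptions(SAMPLE_EVENTS):
        print(event["account"], event["time"].isoformat(), "; ".join(reasons))
```

Only account A is held in the sample: ordinary partial redemptions (B) and redemptions long after an address change (C) go through.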
Old Jan 21, 15, 2:02 pm
  #208  
 
Join Date: Mar 2006
Location: Miami, FL, USA
Posts: 3,884
In case anyone wants to see what it looks like:

aviators99 is offline  
Old Jan 22, 15, 7:38 am
  #209  
 
Join Date: Dec 2004
Posts: 7,029
In case this hasn't been shared already, "Password Re-use Fuels Starwood Fraud Spike."
http://krebsonsecurity.com/2015/01/p...d-fraud-spike/
rrgg is offline  
Old Jan 22, 15, 8:40 am
  #210  
 
Join Date: Dec 2013
Location: 32.7758 N, 96.7967 W
Programs: AA EXP,SPG 75
Posts: 318
Originally Posted by YouGeeElWhy:
A gaping hole SPG (and AA, Delta, Hyatt, Hilton, etc.) could implement is some two factor authentication on their websites/mobile apps like Google, Twitter and Facebook. The two factor could apply to any new IP/machine trying to access the SPG website and the authentication code could work through SMS, email, Authy or Google Authenticator.
Originally Posted by YouGeeElWhy:
SPG, you really need two factor authentication.
We are waiting, SPG. Rather than trying to innovate with worthless technologies like Google Glass, why not innovate on the security side and separate yourselves from your peers?
YouGeeElWhy is offline  
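
Added example, not part of any post in this thread and not SPG's implementation: a sketch of the step-up flow suggested above, where a correct password from an unrecognised device still needs a one-time code. The code is a standard RFC 6238 TOTP (the scheme authenticator apps use); the account record layout, device identifiers and return strings are assumptions.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float,
                skew_steps: int = 1, step: int = 30) -> bool:
    """Accept the current code and its neighbours to tolerate clock drift."""
    for drift in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, now + drift * step, step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def login(account: dict, password_ok: bool, device_id: str,
          code, now: float) -> str:
    """Return 'ok', 'code_required' or 'denied' (hypothetical result names)."""
    if not password_ok:
        return "denied"
    if device_id in account["known_devices"]:
        return "ok"                       # recognised device: password suffices
    if code is None:
        return "code_required"            # new device: ask for the second factor
    if verify_totp(account["totp_secret"], code, now):
        account["known_devices"].add(device_id)  # remember after a full login
        return "ok"
    return "denied"


if __name__ == "__main__":
    # Constructed account; the secret is the RFC 6238 test key, not a real one.
    acct = {"totp_secret": b"12345678901234567890", "known_devices": {"laptop-1"}}
    print(login(acct, True, "unknown-pc", None, 59))      # code_required
    print(login(acct, True, "unknown-pc", "287082", 59))  # ok
```

With this in place a reused password alone is not enough to reach the redemption page from a machine the account has never used.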
