My SPG Account Got Hacked
Jan 19, 2015, 8:44 pm
#196
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,140
People either get them emailed (the easiest non-traceable method), or they change the address on the account if they want a physical card (leaves a trail, but not all of these thieves are necessarily the ripest bananas in the bunch).
Jan 20, 2015, 12:31 am
#197
A FlyerTalk Posting Legend
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,417
Got multiple emails while I was asleep last night telling me my SPG account information has been updated I hadn't logged into my account in months so called SPG. Could not login or verify any of my personal information with the rep as the perp had changed everything so they couldn't do anything for me on the phone.
I had over 150K SPG points which were apparently cashed out for Amazon gift cards and mailed to an address in Illinois. Sending an email to SPG now hopefulyy they can clear this out soon.
Wondeirng if this has happened to anyone else recently as it would mean theres been some kind of breach?
I had over 150K SPG points which were apparently cashed out for Amazon gift cards and mailed to an address in Illinois. Sending an email to SPG now hopefulyy they can clear this out soon.
Wondeirng if this has happened to anyone else recently as it would mean theres been some kind of breach?
Jan 20, 2015, 1:39 am
#198
Join Date: Nov 2010
Location: KSA
Programs: Marriott AMB, Skywards Gold
Posts: 3,737
I got one of these emails today after making a reservation but not going near my profile. I didn't see any changes to my profile, I called, and the Plat Concierge couldn't see any changes either. He had me do the experiment of logging out and logging in fresh to look for changes. His impression was that some glitch is causing the "you've made an update to your SPG account" email to be sent when it should not be. Since it tells you to call immediately if you have not made any changes to your profile, that's what I did.
Jan 20, 2015, 8:39 am
#199
Join Date: Oct 2013
Posts: 3
First, we want to assure all SPG members that they will not lose any points if their account is affected.
We have a large team actively investigating and attempting to directly contact affected members. If an SPG member notices an issue with their account, please contact our customer service team.
We have a large team actively investigating and attempting to directly contact affected members. If an SPG member notices an issue with their account, please contact our customer service team.
I am not in urgent need of access to my account at this time, but is there a more specific ETA than this available? I have upcoming reservations and my SPG AmEx made its regular deposit to my account yesterday. Will I need to follow up on those points? Thank you.
Jan 20, 2015, 9:30 am
#200
Join Date: Sep 2012
Posts: 1,748
For those who have been "hacked", can I ask:
Were you aware of this issue, and did you change your password and/or userid in the last 1 week?
Or was your password something that's been in use for some time?
I'm interested to know if the attack is a mass password/ID steal - which would have presumably occurred some time ago and therefore new password/IDs would not be affected.
Of if it is someone who has found a way to access current existing account information - in which case even if we change our password/ID they will still be able to get in...
Were you aware of this issue, and did you change your password and/or userid in the last 1 week?
Or was your password something that's been in use for some time?
I'm interested to know if the attack is a mass password/ID steal - which would have presumably occurred some time ago and therefore new password/IDs would not be affected.
Of if it is someone who has found a way to access current existing account information - in which case even if we change our password/ID they will still be able to get in...
Jan 20, 2015, 9:55 am
#201
Join Date: Jul 2009
Posts: 320
My username and password for SPG was not a new one and it has been in use for a while now. It was unique to SPG at this time. My systems show no malware or viruses and hope that SPG can identify where the breach may have occurred so that we know what other data may have been stolen.
For those who have been "hacked", can I ask:
Were you aware of this issue, and did you change your password and/or userid in the last 1 week?
Or was your password something that's been in use for some time?
I'm interested to know if the attack is a mass password/ID steal - which would have presumably occurred some time ago and therefore new password/IDs would not be affected.
Of if it is someone who has found a way to access current existing account information - in which case even if we change our password/ID they will still be able to get in...
Were you aware of this issue, and did you change your password and/or userid in the last 1 week?
Or was your password something that's been in use for some time?
I'm interested to know if the attack is a mass password/ID steal - which would have presumably occurred some time ago and therefore new password/IDs would not be affected.
Of if it is someone who has found a way to access current existing account information - in which case even if we change our password/ID they will still be able to get in...
Jan 20, 2015, 10:04 am
#202
A FlyerTalk Posting Legend
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,417
It seems like an error that can waste everyone's time and distract people from true account fraud or hacking reports.
Jan 20, 2015, 1:00 pm
#203
Join Date: Feb 2010
Location: London
Posts: 44
My username and password for SPG was not a new one and it has been in use for a while now. It was unique to SPG at this time. My systems show no malware or viruses and hope that SPG can identify where the breach may have occurred so that we know what other data may have been stolen.
Jan 20, 2015, 8:15 pm
#204
Join Date: Jun 2004
Location: HKG, NYC
Programs: CX Marco Polo Gold, Hilton Diamond, IHG Platinum Ambassador, Marriott Gold
Posts: 170
I would like to report that my SPG account just got hacked as well.
I tried using my ID and password to log into my SPG account via the website but was unsuccessful. Then, I typed in my SPG card number and password to log in and was still unsuccessful. Upon calling SPG, I have found out that my account has been hacked and someone has used my account to redeem for free iTune and Amazon gift cards.
SPG immediately looked into my account and cancelled all such redemptions as well as deposited all my lost SPG points back to my account. I think SPG handled this situation pretty well, and they will provide me with an investigation report hopefully in the next few days.
I tried using my ID and password to log into my SPG account via the website but was unsuccessful. Then, I typed in my SPG card number and password to log in and was still unsuccessful. Upon calling SPG, I have found out that my account has been hacked and someone has used my account to redeem for free iTune and Amazon gift cards.
SPG immediately looked into my account and cancelled all such redemptions as well as deposited all my lost SPG points back to my account. I think SPG handled this situation pretty well, and they will provide me with an investigation report hopefully in the next few days.
Jan 20, 2015, 10:09 pm
#205
Join Date: Jan 2013
Location: CEB - primary/YVR -secondary
Programs: AC*Super Elite (100K) / PR*Elite / AY*Platinum (OWE) / SPG*Bonvoy Titanium (LTT)
Posts: 2,272
I would like to report that my SPG account just got hacked as well.
I tried using my ID and password to log into my SPG account via the website but was unsuccessful. Then, I typed in my SPG card number and password to log in and was still unsuccessful. Upon calling SPG, I have found out that my account has been hacked and someone has used my account to redeem for free iTune and Amazon gift cards.
SPG immediately looked into my account and cancelled all such redemptions as well as deposited all my lost SPG points back to my account. I think SPG handled this situation pretty well, and they will provide me with an investigation report hopefully in the next few days.
I tried using my ID and password to log into my SPG account via the website but was unsuccessful. Then, I typed in my SPG card number and password to log in and was still unsuccessful. Upon calling SPG, I have found out that my account has been hacked and someone has used my account to redeem for free iTune and Amazon gift cards.
SPG immediately looked into my account and cancelled all such redemptions as well as deposited all my lost SPG points back to my account. I think SPG handled this situation pretty well, and they will provide me with an investigation report hopefully in the next few days.
When u get ur report, can u let us know how this happened without going into details?
Jan 20, 2015, 10:32 pm
#206
Join Date: Dec 2012
Location: Seattle
Programs: Marriott Titanium Elite, Alaska 100k, Hyatt Globalist
Posts: 60
+1 on getting hacked, sorted it out with SPG over the phone, lots of headaches trying to get back in.
Same story as the rest, all Starpoints liquidated into amazon gift cards with a target address on the east coast.
I think it's fixed now, they said someone is going to contact me within a week or two with more information.
Same story as the rest, all Starpoints liquidated into amazon gift cards with a target address on the east coast.
I think it's fixed now, they said someone is going to contact me within a week or two with more information.
Jan 20, 2015, 10:54 pm
#207
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,140
SPG should put a moratorium on gift card redemptions until they get their security issues worked out. I'm convinced that Amazon gift cards account for more than half of all online fraud and scams.
Jan 21, 2015, 2:02 pm
#208
Join Date: Mar 2006
Location: Miami, FL, USA
Posts: 4,049
In case anyone wants to see what it looks like:
Jan 22, 2015, 7:38 am
#209
Join Date: Dec 2004
Posts: 7,904
In case this hasn't been shared already, "Password Re-use Fuels Starwood Fraud Spike."
http://krebsonsecurity.com/2015/01/p...d-fraud-spike/
http://krebsonsecurity.com/2015/01/p...d-fraud-spike/
Jan 22, 2015, 8:40 am
#210
Join Date: Dec 2013
Location: 32.7758° N, 96.7967° W
Programs: AA EXP,SPG 75
Posts: 318
A gaping hole SPG (and AA,Delta,Hyatt,Hilton, etc...) could implement is some two factor authentication on their websites/mobile apps like Google, Twitter and Facebook. The two factor could apply to any new IP/machine trying to access the SPG website and the authentication code could work through sms, email, authy or google authenticator.