My SPG Account Got Hacked
#271
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,134
#273
Join Date: Nov 2002
Location: SEA/YVR/BLI
Programs: UA "Lifetime" Gold, AS MVPG100K, OW Emerald, HH Lifetime Diamond, IC Plat, Marriott Gold, Hertz Gold
Posts: 9,489
I received a “welcome letter” via e-mail early today for an upcoming 10-day stay at a high-end Italian property starting in a few days. Thank goodness because... we made no such reservation.
I called reservations and the agent said someone must have mixed up the email addresses and not to worry - he'd cancel the reservation. But worry I did. The reservation does not show on my account, so I checked it using the confirmation number while signed out of my account and it showed someone with the same last name and a first name that's a variation of my own name (like Billy instead of Bill).
I called SPG again and asked to be transferred to the fraud department. A CS person did some more investigation and determined that it was indeed MY credit card that held the reservation, MY address, email, and phone number attached to it, but a different SPG number. I asked her how my credit card could be used, since I'd removed it from my profile more than a year ago after a similar incident. She responded that even if it is removed, it is retained in the internal system…..she could see it! Needless to say, we immediately cancelled the credit card, while confirming there were no charges or holds on it.
Strange and concerning…
I called reservations and the agent said someone must have mixed up the email addresses and not to worry - he'd cancel the reservation. But worry I did. The reservation does not show on my account, so I checked it using the confirmation number while signed out of my account and it showed someone with the same last name and a first name that's a variation of my own name (like Billy instead of Bill).
I called SPG again and asked to be transferred to the fraud department. A CS person did some more investigation and determined that it was indeed MY credit card that held the reservation, MY address, email, and phone number attached to it, but a different SPG number. I asked her how my credit card could be used, since I'd removed it from my profile more than a year ago after a similar incident. She responded that even if it is removed, it is retained in the internal system…..she could see it! Needless to say, we immediately cancelled the credit card, while confirming there were no charges or holds on it.
Strange and concerning…
#274
Join Date: Dec 2004
Location: BLI
Programs: Alaska Million Mile Flyer, Marriott Lifetime Titanium Elite
Posts: 3,194
Concerning, but it doesn't make a lot of sense. Why would a fraudster use an email address easily identified by the actual account holder, but a different SPG number? There is no obvious way they'd be able to access any points in the SPG account.
I frequently receive email confirmations for others' hotel reservations (at Starwood and elsewhere) because my email address is just my last name and a common email service provider. But it's never been tied to an actual credit card or loyalty account of mine, and is easily ignored.
Glad to hear you followed up, but something doesn't add up if someone was actually trying to avoid detection, as opposed to just being sloppy in what they entered.
I frequently receive email confirmations for others' hotel reservations (at Starwood and elsewhere) because my email address is just my last name and a common email service provider. But it's never been tied to an actual credit card or loyalty account of mine, and is easily ignored.
Glad to hear you followed up, but something doesn't add up if someone was actually trying to avoid detection, as opposed to just being sloppy in what they entered.
#275
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,536
I received a “welcome letter” via e-mail early today for an upcoming 10-day stay at a high-end Italian property starting in a few days. Thank goodness because... we made no such reservation.
I called reservations and the agent said someone must have mixed up the email addresses and not to worry - he'd cancel the reservation. But worry I did. The reservation does not show on my account, so I checked it using the confirmation number while signed out of my account and it showed someone with the same last name and a first name that's a variation of my own name (like Billy instead of Bill).
I called SPG again and asked to be transferred to the fraud department. A CS person did some more investigation and determined that it was indeed MY credit card that held the reservation, MY address, email, and phone number attached to it, but a different SPG number. I asked her how my credit card could be used, since I'd removed it from my profile more than a year ago after a similar incident. She responded that even if it is removed, it is retained in the internal system…..she could see it! Needless to say, we immediately cancelled the credit card, while confirming there were no charges or holds on it.
Strange and concerning…
I called reservations and the agent said someone must have mixed up the email addresses and not to worry - he'd cancel the reservation. But worry I did. The reservation does not show on my account, so I checked it using the confirmation number while signed out of my account and it showed someone with the same last name and a first name that's a variation of my own name (like Billy instead of Bill).
I called SPG again and asked to be transferred to the fraud department. A CS person did some more investigation and determined that it was indeed MY credit card that held the reservation, MY address, email, and phone number attached to it, but a different SPG number. I asked her how my credit card could be used, since I'd removed it from my profile more than a year ago after a similar incident. She responded that even if it is removed, it is retained in the internal system…..she could see it! Needless to say, we immediately cancelled the credit card, while confirming there were no charges or holds on it.
Strange and concerning…
#276
Join Date: Nov 2002
Location: SEA/YVR/BLI
Programs: UA "Lifetime" Gold, AS MVPG100K, OW Emerald, HH Lifetime Diamond, IC Plat, Marriott Gold, Hertz Gold
Posts: 9,489
Yes, the email address was mine. If the hotel hadn't sent a "Welcome" e-mail I never would have known. The SPG number was different, perhaps because of some gigantic glitch but perhaps so that I wouldn’t see the reservation in my upcoming stays. The name on the reservation was using my last name and a first name that could possibly be a nickname for my name – though one I have never used or even considered.
The SPG CS rep suggested that it might be an error and said she would call the "other" person (she let it slip that this person is on the other side of the country) to give them a chance to change to a different credit card. Lo and behold, that phone call with the same rep reached my voicemail when I was on hold with her! The only other resolution was that the CS rep phoned the Italian hotel to tell them to remove the credit card from the record, although we had already cancelled it while on this long phone call. I would love to have the police show up to nab anybody checking in on this reservation, but I don’t think that will happen. Could it be an inside job? Could it still be some crazy mixup? Anybody's guess is as good as ours (and maybe better).
#277
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,536
Fredd, I'll lay out the less sinister case. I'll call the other person Fred2. See if it makes sense to you.
Let's say there was some crossing of information between two accounts. Fred2 calls SPG reservations and makes a reservation for the upcoming stay in Italy. Fred2 gives the correct SPG number, but somehow it's been populated with your data (I don't know how this happened and that's the perplexing part of this).
The reservation agent asks him if he wants to use the CC on file. 'Yes'.
Fred2 sees the reservation on his SPG account so he doesn't see any problems. He probably doesn't notice hotel emails; I usually just delete them.
At check in, the hotel would have required a credit card, passport, etc. At that point, the error would probably have been found.
Were any points used for the reservation? If not, the only thing that could have been negative would have been a credit card charge to your account and that could be easily disputed because there wouldn't be a swipe, not to mention you wouldn't have been in Italy.
Let's say there was some crossing of information between two accounts. Fred2 calls SPG reservations and makes a reservation for the upcoming stay in Italy. Fred2 gives the correct SPG number, but somehow it's been populated with your data (I don't know how this happened and that's the perplexing part of this).
The reservation agent asks him if he wants to use the CC on file. 'Yes'.
Fred2 sees the reservation on his SPG account so he doesn't see any problems. He probably doesn't notice hotel emails; I usually just delete them.
At check in, the hotel would have required a credit card, passport, etc. At that point, the error would probably have been found.
Were any points used for the reservation? If not, the only thing that could have been negative would have been a credit card charge to your account and that could be easily disputed because there wouldn't be a swipe, not to mention you wouldn't have been in Italy.
#278
Join Date: Nov 2002
Location: SEA/YVR/BLI
Programs: UA "Lifetime" Gold, AS MVPG100K, OW Emerald, HH Lifetime Diamond, IC Plat, Marriott Gold, Hertz Gold
Posts: 9,489
Thanks. ^ Yes, I suppose that's possible. The tricky part, as you say, is this:
We're also a little gun-shy because we experienced a similar problem a year or more ago with an Italian SPG property in the same city. We forget which property as we didn't get an e-mail; rather, I was checking our account and suddenly noticed a similarly lengthy reservation for a lot of Euros. That was somebody accessing details of our account but with somebody else's stolen credit card - in neither instance have our points been pilfered.
If it's an innocent mistake / glitch it isn't quite as troubling as deliberate fraud but it's still troubling.
Or as one of P.G. Wodehouse's characters said, I'm not disgruntled, but I'm not exactly gruntled.
Fred2 gives the correct SPG number, but somehow it's been populated with your data (I don't know how this happened and that's the perplexing part of this).
If it's an innocent mistake / glitch it isn't quite as troubling as deliberate fraud but it's still troubling.
Or as one of P.G. Wodehouse's characters said, I'm not disgruntled, but I'm not exactly gruntled.
#279
Join Date: Nov 2007
Location: Colorado
Programs: UA Gold (.85 MM), HH Diamond, SPG Platinum (LT Gold), Hertz PC, National EE
Posts: 5,652
Thanks. ^ Yes, I suppose that's possible. The tricky part, as you say, is this:
We're also a little gun-shy because we experienced a similar problem a year or more ago with an Italian SPG property in the same city. We forget which property as we didn't get an e-mail; rather, I was checking our account and suddenly noticed a similarly lengthy reservation for a lot of Euros. That was somebody accessing details of our account but with somebody else's stolen credit card - in neither instance have our points been pilfered.
If it's an innocent mistake / glitch it isn't quite as troubling as deliberate fraud but it's still troubling.
Or as one of P.G. Wodehouse's characters said, I'm not disgruntled, but I'm not exactly gruntled.
We're also a little gun-shy because we experienced a similar problem a year or more ago with an Italian SPG property in the same city. We forget which property as we didn't get an e-mail; rather, I was checking our account and suddenly noticed a similarly lengthy reservation for a lot of Euros. That was somebody accessing details of our account but with somebody else's stolen credit card - in neither instance have our points been pilfered.
If it's an innocent mistake / glitch it isn't quite as troubling as deliberate fraud but it's still troubling.
Or as one of P.G. Wodehouse's characters said, I'm not disgruntled, but I'm not exactly gruntled.
Not directly related to SPG, but I have setup all of my cards to alert me for every transaction on my phone. Its literately instant that I get an alert, and even helped me identify a transaction attempt two weeks ago at a Best Buy in Ohio, while I was home in Colorado. Regardless, I was taken care of by my bank, but I shut down the card within minutes and prevented further fraudulent transactions from taking place.
With regard to travel accounts such as SPG, Hilton Honors, UA, etc, I try to take a peek at my accounts every day or so, as the level of security is far less in comparison to credit cards, but valuable nonetheless, at least to me.
I hope in the near future hotel, airline, car rental programs, etc take things more seriously when it comes to account security. Until then, best to take steps (as you did) and be proactive in your approach.
#280
A FlyerTalk Posting Legend
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,399
If Fred2 were located in the same city, I could see this happening when Fred2 called to make a reservation but didn't know his SPG account number. The phone agent would probably look it up using his name and city/state, find Fred and Fred 2, and somehow have both accounts open, mixing them up when making the booking.
#281
Join Date: May 2004
Location: TPE
Programs: AA EXP 2MM
Posts: 507
My account was hacked about 10 days ago, with someone first moving 2,900 points out to buy an iTunes gift card.
I called SPG when I became aware of the transaction and they froze my account and instructed me to change my various passwords. A day or two later, someone tried to transfer another 29,000 points, which was then blocked.
I've since worked with SPG on protecting the integrity of the account and they have unfrozen it, but I'm still a bit perplexed how my account was hacked, considering that I haven't had much activity in the account for several years and nothing else on my computer was compromised. (And I couldn't remember myself my verbal password.)
In any event, SPG was very responsive and efficient in handling the whole situation, and they returned the points that were deducted without my authorization. Kudos.
I called SPG when I became aware of the transaction and they froze my account and instructed me to change my various passwords. A day or two later, someone tried to transfer another 29,000 points, which was then blocked.
I've since worked with SPG on protecting the integrity of the account and they have unfrozen it, but I'm still a bit perplexed how my account was hacked, considering that I haven't had much activity in the account for several years and nothing else on my computer was compromised. (And I couldn't remember myself my verbal password.)
In any event, SPG was very responsive and efficient in handling the whole situation, and they returned the points that were deducted without my authorization. Kudos.
#282
Moderator: British Airways Executive Club, Marriott Bonvoy
Join Date: May 2006
Location: Englandshire
Programs: SPG LT Plat, BA G, BD*LG, MG Blue+ ...
Posts: 16,027
Did the second intrusion happen after you changed your passwords ? IMHO that would be very concerning indeed.
#283
Join Date: May 2004
Location: TPE
Programs: AA EXP 2MM
Posts: 507
I was in a country with extremely unstable and unreliable Internet service. I thought it would be risky to logon and try to change my password, and perhaps lose the connection and have been unable to logout properly, so I decided to call SPG, inform them of the unauthorized activity and ask them to freeze my account until a time when I was where I could reliably communicate with them and change my various passwords/questions.
It was during that interim that someone tried to move the points out of my account, but the request was denied as the account had been froze.
It was during that interim that someone tried to move the points out of my account, but the request was denied as the account had been froze.
#284
Join Date: Sep 2012
Posts: 1,748
I was in a country with extremely unstable and unreliable Internet service. I thought it would be risky to logon and try to change my password, and perhaps lose the connection and have been unable to logout properly, so I decided to call SPG, inform them of the unauthorized activity and ask them to freeze my account until a time when I was where I could reliably communicate with them and change my various passwords/questions.
It was during that interim that someone tried to move the points out of my account, but the request was denied as the account had been froze.
It was during that interim that someone tried to move the points out of my account, but the request was denied as the account had been froze.
Hmmm. So the "hack" occurred while you were in that country with the unstable internet service. Do you remember logging in while in that country? Could the password have been "sniffed" out that way? (OK I don't really know what I'm talking about but I'm sure the IT types here will put me right :P)
#285
Join Date: May 2004
Location: TPE
Programs: AA EXP 2MM
Posts: 507
I had not logged in to my SPG account for probably 2-3 months prior to this incident. I did logon to the Internet while I was in this country, and my Hotmail account was hacked, but I figured that out immediately and changed passwords. No other account of any type was compromised.