My SPG Account Got Hacked
#31
Join Date: Sep 2006
Location: IAD
Programs: Marriott- Platinum, IHG - Platinum, Hyatt - Globalist, CC - Gold, Hilton - Diamond, BW - Platinum S
Posts: 256
SPG would know the name and account number to which the transfer was requested, although AC might be able to look up any accounts associated with that email address, especially if you escalate to their fraud department or a supervisor. They should then follow up and ask AC to cancel any fraudulent award tickets before the flights are flown.
#32
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,536
Silverfalls, G8orjenn, sorry to hear of your accounts being hacked. SPG will make things good after they complete their investigation; they always have as far as I've seen.
One program that I use to monitor my accounts (I have 19) is Award Wallet. It will show you very quickly whether or not your points have changed and it also tracks expiration dates. I updated early one Sunday and all of my Hilton points disappeared - I quickly found out (by reading FT threads) that this was very common with Hilton; don't know if they've fixed the glitch yet but my points showed up a few hours later.
Here's a link if you decide to go with Award Wallet that will allow you a free service upgrade: http://AwardWallet.com/?refCode=wqraisoqvf
I'm not trying to spam; you can find an Award Wallet upgrade conga line in the S.P.A.M. subforum if you prefer.
#33
Suspended
Join Date: Jan 2011
Location: YYJ
Posts: 2,230
my fellow flyertalkers, please make sure you use strong passwords and don't use any password on more than one account. a strong password can be something like q]6b%WgfhX6oKv. Yes, it's a hassle but there are many password management apps out there for desktop and mobile OS, many of which will share your password file between your different devices. they can generate strong passwords for each account. I'm shocked to read how up to 50% of passwords on a site that gets hacked are things like "123456" or "password." and no, i'm not making that up.
Don't forget that if another site gets hacked and you've used the same email/password combo there, then the hackers can just waltz into any other account with the same combo. good security practices take effort but my guess is that it's a lot less effort, and headache, than trying to recoup your stolen points.
#34
Join Date: Sep 2009
Location: NYC
Posts: 17
I thought my password was pretty strong - letters, numbers and characters. I've never been hacked before, but I guess there's a first time for everything. I log into my accounts and check everything regularly. Hopefully they catch the guys, but I won't be holding my breath.
#35
Join Date: Sep 2006
Location: IAD
Programs: Marriott- Platinum, IHG - Platinum, Hyatt - Globalist, CC - Gold, Hilton - Diamond, BW - Platinum S
Posts: 256
Silverfalls, G8orjenn, sorry to hear of your accounts being hacked. SPG will make things good after they complete their investigation; they always have as far as I've seen.
One program that I use to monitor my accounts (I have 19) is Award Wallet. It will show you very quickly whether or not your points have changed and it also tracks expiration dates. I updated early one Sunday and all of my Hilton points disappeared - I quickly found out (by reading FT threads) that this was very common with Hilton; don't know if they've fixed the glitch yet but my points showed up a few hours later.
Here's a link if you decide to go with Award Wallet that will allow you a free service upgrade: http://AwardWallet.com/?refCode=wqraisoqvf
I'm not trying to spam; you can find an Award Wallet upgrade conga line in the S.P.A.M. subforum if you prefer.
Last edited by silverfalls; Dec 9, 2013 at 8:24 pm
#36
Join Date: Sep 2006
Location: IAD
Programs: Marriott- Platinum, IHG - Platinum, Hyatt - Globalist, CC - Gold, Hilton - Diamond, BW - Platinum S
Posts: 256
I thought my password was pretty strong - letters, numbers and characters. I've never been hacked before, but I guess there's a first time for everything. I log into my accounts and check everything regularly. Hopefully they catch the guys, but I won't be holding my breath.
#37
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,536
Thanks for the info iflyjetz, I track all my points through awardwallet for the last 4 yrs I believe, otherwise I have no other way of checking all my 60+ accounts since day at least once. First thing I do in the morning is check my mint and award wallet account before I do anything else. That's why I was able to complain to SPG within 3 hours from this happening. Thanks for the information once again.
#38
Moderator: CommunityBuzz!, OMNI, OMNI/PR, and OMNI/Games & FlyerTalk Evangelist
Join Date: Nov 2000
Location: ORD (MDW stinks)
Programs: UAMM, AAMM & ExPlat, Marriott lifetime Plat, IHG Plat, Hilton Diamond
Posts: 23,508
I'd actually prefer the airline not cancel the ticket until the pax shows up, then pull them aside & get the full info on how they came to have that ticket.
Pressure needs to be applied to those who are the ones doing the hacking as well as those who are buying/using the hacked award/points.
#39
Suspended
Join Date: Jan 2011
Location: YYJ
Posts: 2,230
I thought my password was pretty strong - letters, numbers and characters. I've never been hacked before, but I guess there's a first time for everything. I log into my accounts and check everything regularly. Hopefully they catch the guys, but I won't be holding my breath.
maybe SPG should consider two-factor authentication. depending on your fraud figures, it could be a money saver. lurkers, can you mention this to the powers-that-be?
#40
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,312
I hate that part of their web site. There is no information about what they accept as a valid password on the page where you change your password and they allow you to set it to something you can't use to login, so you have to use the password reset procedure.
At least that's how it works with Chrome, and when I've gone out of my way to point out other web site issues to their team, they argue about it with me. For example, try typing in Newark when you want Newark, California with Chrome in one of the hotel search boxes not on the main page (i.e., click hotels on one of the other pages to expose the hotel search bar on top of the page). Typing Newark followed by tab automatically fills in NJ in the state field, and changing NJ to CA in the state field erases the city name.
If you can set it to something > 12 characters, what browser are you using, and are you able to login with that password using Chrome?
No idea why they won't fix this, 12 characters is a weak password and guess what? People's accounts are being hacked regularly.
-David
Last edited by LIH Prem; Dec 9, 2013 at 7:55 pm
#41
Join Date: Aug 2008
Location: USA
Programs: SPG Platinum (100)
Posts: 517
I had an attempted hack which luckily I caught before anything could happen.
I received a strange email from SPG confirming that my password had been changed. The only thing is that I didn't initiate a password change. I quickly tried to log on and could not so I reset the password immediately since I was concerned whoever hacked my account would have also tried to change my email address.
After receiving my password reset email, I changed my password immediately and called my Ambassador who spoke to colleagues to ensure that my account was safe. In the end, she replied that the "web people" did not find any unusual activity. I did ask if IP addresses were logged.
I've been watching my account like a hawk ever since and I also changed every single account's password that I access online. Can't be too careful these days especially following reports that Gmail, Yahoo and other email providers were recently hacked.
#42
Join Date: Sep 2006
Location: IAD
Programs: Marriott- Platinum, IHG - Platinum, Hyatt - Globalist, CC - Gold, Hilton - Diamond, BW - Platinum S
Posts: 256
@David, on 29th Nov when I tried to change the password the maximum that I was able to use was 14 characters. I was using Chrome, not sure if that's the maximum allowed now or it's limited to Chrome. I did not bother to check that. Also I had the same issue with American Express which did not allow more than 8 characters until very recently.
#43
Join Date: Feb 2013
Location: Miami, FL
Programs: UA 1MM, AA Plat, Marriott LT Titanium, Hyatt Glob, IHG ♢ Amb, Hilton ♢, Hertz Pres
Posts: 6,018
If you're both using >12 character passwords with numbers, upper/lower case and special characters then the hacking didn't happen by brute force or guessing. Your password was more likely stolen from another website and then used here. 12 characters password with numbers, letters, upper/lower and special characters would take year to 'guess'. Too hard. They'd go after someone else. This means you used the same password elsewhere, which is a no-no.
I use LastPass. One very strong password to remember. And then I can use the toughest unique passwords all around the web. I strongly advise everyone to use them or someone similar.
#44
Join Date: Jul 2004
Location: Live: IWI; Work: DCA/Everywhere; Play: LAS/SJU/MLE
Programs: AA EXP, DL PM, Hyatt Glob, Marriott Ambassador/LTP, Nat'l Exec Elite, LEYE Gold
Posts: 6,673
My guess is the hacker installs a keylogger or otherwise monitors activity at something like the Sheraton Link computers where people are likely to access their SPG accounts. Then they log on, transfer the points to an airline account (also in your name), and use the miles to buy a ticket for someone else.
Even if that's not happening here, it's a good reminder not to use your passwords at public computers to the extent practicable.
#45
Join Date: Jan 2012
Posts: 113
My points are intact at the moment fortunately but I had a similar experience with an account I used a couple times to Western Union money to a friend. Odd thing is that I hadn't logged into that account in probably at least a year when it happened. There was also, more recently, a ticket processing company, walletini, that I used for a concert in Boston that had their user data compromised, so it is possible that this could be the result of a more sophisticated operation. Highly recommend changing passwords on any account in which the same one is used.