silverfalls

Thanks for the information MSPeconomist, I spoke to the CS agents and was told that they had formally initiated that process on Dec 5th and I should hear back something before next week.

iflyjetz

Silverfalls, G8orjenn, sorry to hear of your accounts being hacked. SPG will make things good after they complete their investigation; they always have as far as I've seen.

One program that I use to monitor my accounts (I have 19) is Award Wallet. It will show you very quickly whether or not your points have changed and it also tracks expiration dates. I updated early one Sunday and all of my Hilton points disappeared - I quickly found out (by reading FT threads) that this was very common with Hilton; don't know if they've fixed the glitch yet but my points showed up a few hours later.

Here's a link if you decide to go with Award Wallet that will allow you a free service upgrade: http://AwardWallet.com/?refCode=wqraisoqvf
I'm not trying to spam; you can find an Award Wallet upgrade conga line in the S.P.A.M. subforum if you prefer.

BenSenise

my fellow flyertalkers, please make sure you use strong passwords and don't use any password on more than one account. a strong password can be something like q]6b%WgfhX6oKv. Yes, it's a hassle but there are many password management apps out there for desktop and mobile OS, many of which will share your password file between your different devices. they can generate strong passwords for each account. I'm shocked to read how up to 50% of passwords on a site that gets hacked are things like "123456" or "password." and no, i'm not making that up.
Don't forget that if another site gets hacked and you've used the same email/password combo there, then the hackers can just waltz into any other account with the same combo. good security practices take effort but my guess is that it's a lot less effort, and headache, than trying to recoup your stolen points.

g8torjenn

I thought my password was pretty strong - letters, numbers and characters. I've never been hacked before, but I guess there's a first time for everything. I log into my accounts and check everything regularly. Hopefully they catch the guys, but I won't be holding my breath.

silverfalls

Thanks for the info iflyjetz, I have been tracking all my points through awardwallet for the last 4 yrs or so. No way I will remember to check all my 60+ accounts every day at-least once. First thing I do in the morning is check my mint and award wallet account before I do anything else. That's why I was able to complain to SPG within 3 hours from this happening. Thanks for the information once again.

silverfalls

My password was 17 characters that included all of the above that you mentioned. Still it was hacked, nothing is strong anymore in the net.

iflyjetz

^ Awesome. Award Wallet is a must-have for me.

Sweet Willie

AMEN !

I'd actually prefer the airline not cancel the ticket until the pax shows up, then pull them aside & get the full info on how they came to have that ticket.

Pressure needs to be applied to those who are the ones doing the hacking as well as those who are buying/using the hacked award/points.

BenSenise

good to know. they must have gotten it by means other than brute force attack.

maybe SPG should consider two-factor authentication. depending on your fraud figures, it could be a money saver. lurkers, can you mention this to the powers-that-be?

LIH Prem

I can't change it to 16 characters (letters and numbers) and have it remember it. I don't see how you are setting it to 17 characters including special characters. 12 characters, letters and numbers works for me. 16 characters does not. (And, no, I have not tried every combination of password sizes and combinations in between 12 and 16 or > 16 characters.)

I hate that part of their web site. There is no information about what they accept as a valid password on the page where you change your password and they allow you to set it to something you can't use to login, so you have to use the password reset procedure.

At least that's how it works with chrome, and when I've gone out of my way to point out other web site issues to their team, they argue about it with me. for example, try typing in Newark when you want Newark, California with chrome in one of the hotel search boxes not on the main page (ie, click hotels on one of the other pages to expose the hotel search bar on top of the page). Typing Newark followed by tab automatically fills in NJ in the state field, and changing NJ to CA in the state field erases the city name.

If you can set it to something > 12 characters, what browser are you using, and are you able to login with that password using chrome?

No idea why they won't fix this, 12 characters is a weak password and guess what? Peoples accounts are being hacked regularly.

-David

Canada101

I had an attempted hack which luckily I caught before anything could happen.

I received a strange email from SPG confirming that my password had been changed. The only thing is that I didn't initiate a password change. I quickly tried to log on and could not so I reset the password immediately since I was concerned whomever hacked my account would have also tried to change my email address.

After receiving my password reset email, I changed my password immediately and called my Ambassador who spoke to colleagues to ensure that my account was safe. In the end, she replied that the "web people" did not find any unusual activity. I did ask if IP addresses were logged.

I've been watching my account like a hawk ever since and I also changed every single account's password that I access online. Can't be too careful these days especially following reports that gmail, Yahoo and other email providers were recently hacked.

silverfalls

@David, On 29th Nov when I tried to change the password the maximum that I was able to use was 14 characters. I was issue Chrome, not sure if that's the maximum allowed now or its limited to chrome. I did not bother to check that. Also I had the same issue with American Express which did not allow more than 8 character until very recently.

TravelinSperry

If you're both using >12 character passwords with numbers, upper/lower case and special characters then the hacking didn't happen by brute force or guessing. Your password was more likely stolen from another website and then used here. 12 characters password with numbers, letters, upper/lower and special characters would take year to 'guess'. Too hard. They'd go after someone else. This means you used th same password elsewhere, which is a no no.

I use LastPass. One very strong password to remember. And then I can use the toughest unique passwords all around the web. I strongly advise everyone to use them or someone similar.

platbrownguy

My guess is the hacker installs a keylogger or otherwise monitors activity at something like the Sheraton Link computers where people are likely to access their SPG accounts. Then they log on, transfer the points to an airline account (also in your name), and use the miles to buy a ticket for someone else.

Even if that's not happening here, it's a good reminder not to use your passwords at public computers to the extent practicable.

csol47

My points are intact at the moment fortunately but I had a similar experience with an account I used a couple times to Western Union money to a friend. Odd thing is that I hadn't logged into that account in probably at least a year when it happened. There was also, more recently, a ticket processing company, walletini, that I used for a concert in Boston that had their user data compromised, so it is possible that this could be the result of a more sophisticated operation. Highly recommend changing passwords on any account in which the same one is used.