My SPG Account Got Hacked
#121
FlyerTalk Evangelist
Join Date: Apr 2009
Location: India
Programs: Bonvoy Lifetime Titanium, IHG Plat, HH Gold, Trident Plat, DL Diamond, AI Maharajah
Posts: 29,673
#122
Join Date: Dec 2006
Location: BUE
Programs: AAdvantage, Onepass, Lifemiles, SPG, Marriott. LANPASS s*cks.
Posts: 598
Did you access your email from a public computer? Did you use your Credit card in a public computer? Dd you run an Antivirus on your own computer?
#123
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,305
No idea if Starwood will officially acknowledge or tell us what the issue was when they figure it out on their end. Though they should say something, if only to alleviate their members concerns about their own internal security.
-David
#124
Join Date: Jul 2003
Location: CT/ Germany - Ich spreche deutsch
Programs: UA 1K, Bonvoy LTTE, HH Dia, HY Expl
Posts: 4,657
Credit Card on public computer - ABSOLUTELY not
Antivirus on home computer - Yes
#125
Join Date: Dec 2013
Location: 32.7758° N, 96.7967° W
Programs: AA EXP,SPG 75
Posts: 318
All possible, but a lot of conjecture, and given that several people are reporting the same issue, same behavior, it's very unlikely IMHO.
No idea if Starwood will officially acknowledge or tell us what the issue was when they figure it out on their end. Though they should say something, if only to alleviate their members concerns about their own internal security.
-David
No idea if Starwood will officially acknowledge or tell us what the issue was when they figure it out on their end. Though they should say something, if only to alleviate their members concerns about their own internal security.
-David
As for the similar sounding stories about SPG accounts being accessed it could be that some criminal organization has decided to target reward accounts. I find it very unlikely SPG had a large scale breach as this thread would have a zillion postings by now.
Hate to tell you anti virus does not have a 100% protection rate.
#126
Join Date: Dec 2013
Location: 32.7758° N, 96.7967° W
Programs: AA EXP,SPG 75
Posts: 318
A gaping hole SPG (and AA,Delta,Hyatt,Hilton, etc...) could implement is some two factor authentication on their websites/mobile apps like Google, Twitter and Facebook. The two factor could apply to any new IP/machine trying to access the SPG website and the authentication code could work through sms, email, authy or google authenticator.
#127
Join Date: Aug 2002
Location: YYZ
Programs: BA Gold/Marriott Gold/HH Diamond/IC Plat Amba
Posts: 5,989
As far as Etihad goes perhaps SPG should put some sort of delay into actually transferring the points. Somehow on Etihad it must be easier to obtain a reward airline ticket without using a credit card for other charges. Perhaps there is something to be said about the likes of BA charging 4 figures in scamcharges for a reward.
#128
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,134
#129
Join Date: Aug 2002
Location: YYZ
Programs: BA Gold/Marriott Gold/HH Diamond/IC Plat Amba
Posts: 5,989
#130
Join Date: Aug 2009
Location: SYD
Programs: QF WP (OWE), VA PLAT, EY GLD, SPG PLAT, Hyatt DIA, Hilton DIA, Hertz PC
Posts: 8,527
Just because the scammers are using EY, does not make them responsible.
It's your SPG account that got hacked, not your EY account.
It's your SPG account that got hacked, not your EY account.
#131
Join Date: Dec 2013
Location: 32.7758° N, 96.7967° W
Programs: AA EXP,SPG 75
Posts: 318
No one is saying they are responsible. However EY is most certainly feeling some headache having to investigate these fraud claims. It is in their best interest to tighten up.
#133
Moderator: Mileage Run, InterContinental Hotels
Join Date: May 2004
Posts: 5,914
"Your SPG Account has been Updated"
I awoke to two email messages from SPG telling me that my email address and credit card number had been updated. I made no such update, and in fact, when logging into my account, it reflects no updates.
Is this a glitch, or reason for concern? As a precaution, I changed my password -- anything else?
Is this a glitch, or reason for concern? As a precaution, I changed my password -- anything else?
#134
Company Representative - Starwood
Join Date: Nov 2000
Location: Austin, Texas
Programs: Marriott Employee Level
Posts: 31,593
Best regards,
William R. Sanders
Social Media Specialist
Starwood Hotels & Resorts Worldwide, Inc.
[email protected]
#135
Join Date: May 2011
Programs: AA, SPG, HERTZ, BA, UA, CO, JB
Posts: 289
I didn't see this thread until now. Mine was hacked on 1/4/14 with 60k points + bonus transferred out to Etihad Airline. After further inquiries, the person/entity created an account under my name at Etihad before making the transfer. The account was created under my name with the wrong birthdate. I caught it immediately and contacted Lurker. SPG asked me to create a new account and have all the points transferred over.
So it looks like the main two transfer partners that they picked was Etihad and Air Canada. My Amex SPG was compromised I think 3 years ago and have been having problems with Amex cards a few times since. One of my Citi cards and my Discover cash back balance was also compromised as well in between along with a Fedex account and a stamps.com account. Not sure where the security breach is though. I've changed passwords pretty consistently so I think the hackers used my information to gain access to these accounts rather than actual passwords.
So it looks like the main two transfer partners that they picked was Etihad and Air Canada. My Amex SPG was compromised I think 3 years ago and have been having problems with Amex cards a few times since. One of my Citi cards and my Discover cash back balance was also compromised as well in between along with a Fedex account and a stamps.com account. Not sure where the security breach is though. I've changed passwords pretty consistently so I think the hackers used my information to gain access to these accounts rather than actual passwords.