My SPG Account Got Hacked

Closed Thread

Old Aug 17, 13, 1:34 pm
  #1  
Original Poster
 
Join Date: Jul 2012
Posts: 31
My SPG Account Got Hacked

I received an email from SPG stating I recently changed my email address. But since I had not done any such thing, I immediately tried to log in to my SPG account but could not, as the hacker had changed the username and password on the account. The hacker's email address was <aname>@bartender.net

I then called customer service and they told me that I had transferred all my points to Air Canada. I told them that I did not do any such thing. After validating my personal information, they helped me reset my username and password and also reversed all unauthorized activity on my account. Thank You SPG for all your help!

To whom and how should I complain about this case? Do I have to make a police complaint so that this hacker gets arrested? They can easily pursue him by following his above email address.

All others, please be aware that after bank and brokerage accounts, miles and points accounts are hackers' new target.

Last edited by Oxon Flyer; Aug 18, 13 at 8:18 am Reason: addln question. Mod edit : remove email address
tinystarr is offline  
Old Aug 17, 13, 1:51 pm
  #2  
 
Join Date: May 2012
Posts: 792
I don't understand how your account could have been hacked and the transfer to be completed

you can change the email address but not your name in your account

and a transfer can be completed only when names are matching on SPG and the recipient account
macaron95 is offline  
Old Aug 17, 13, 2:01 pm
  #3  
 
Join Date: Mar 2008
Posts: 4,841
Originally Posted by macaron95
and a transfer can be completed only when names are matching on SPG and the recipient account
Having access to someone's SPG credentials, someone could have easily made a recipient account to measure.
I know, I could be a Bond villain.
Lack is offline  
Old Aug 17, 13, 2:38 pm
  #4  
 
Join Date: Nov 2011
Location: Singapore
Programs: Hyatt diamond, SPG Plat, Accor Gold
Posts: 128
Thanks for the heads up! I will be more vigilant and check for SPG-based phishing mails as well as not log into my SPG account from hotel computers just in case they might be compromised....
DurandilToss is offline  
Old Aug 17, 13, 6:30 pm
  #5  
 
Join Date: Mar 2007
Posts: 3,987
One of the perils of the Internet, I'm afraid. My Yahoo account got hacked last year.

Good service recovery by SPG though.

Cheers,
Flews is offline  
Old Aug 17, 13, 7:11 pm
  #6  
 
Join Date: Feb 2013
Location: Miami, FL
Programs: UA 1MM, Marriott LT PPE, Hilton ♢, Hyatt Disc, IHG Plat, Radisson Gold, Hertz PC
Posts: 4,333
Originally Posted by Flews
One of the perils of the Internet, I'm afraid. My Yahoo account got hacked last year.

Good service recovery by SPG though.

Cheers,
Agreed Flews. And thanks OP, I just increased the difficulty of my password. I use LastPass so there is no reason to have insecure passwords. SPG was an older less secure password I had before I started using LP. Good reminder. I'd hate to lose all my points!
TravelinSperry is offline  
Old Aug 17, 13, 7:56 pm
  #7  
 
Join Date: Jul 2001
Programs: Marriott LT PP; IHG Plat; Hyatt Explorist; Hilton, Hertz Gold
Posts: 4,763
OP, please report it to: http://www.ic3.gov/default.aspx That's probably our best shot at something being done.

Marriott has had issues with hacking recently: http://www.flyertalk.com/forum/marri...ts-hacked.html

I use AwardWallet.com to monitor all of my accounts.

I'm disappointed that a mod redacted the email address.
iflyjetz is offline  
Old Aug 18, 13, 2:46 am
  #8  
Original Poster
 
Join Date: Jul 2012
Posts: 31
Thanks Guys, I will file a complaint with ic3.gov.

And yes, good service by SPG, but I had to involve a CS Manager to get it done. The CS Agent initially wanted me to send an email to <non-published email address redacted>.

Also please note that the Hacker had also changed the USERNAME on the account.

Now I am changing password on all my accounts.

What I don't know is how they got the password of my account? My PC always has AntiVirus, Spyware and Antispam installed.

Also the intention of posting on the forum is to figure out whether this was an isolated case or more widespread as it happened recently with Marriott Rewards.

Last edited by AZ Travels the World; Aug 20, 13 at 12:11 pm Reason: Remove unpublished email address
tinystarr is offline  
Old Aug 18, 13, 7:37 am
  #9  
 
Join Date: Aug 2010
Programs: SPG LT Plat & Plat 100, SWA A+ & CP
Posts: 1,060
1. Did you access your account from a public computer? Maybe you forgot to close it down.

2. Is it possible it could be an inside job? When you call SPG, they often ask for your password. It would be very easy for your account to be compromised that way.

By the way, on the above, can you have two passwords? One you use for verbal confirmation and another to log in.
jb3t is offline  
Old Aug 18, 13, 8:17 am
  #10  
Moderator: British Airways Executive Club, Marriott Bonvoy
 
Join Date: May 2006
Location: Englandshire
Programs: SPG LT Plat, BA G, BD*LG, MG Blue+ ...
Posts: 11,075
Originally Posted by iflyjetz
I'm disappointed that a mod redacted the email address.
We're aware of the sensitivities on this one : for all we know, the hacker's quoted email address may well, in itself, be a hacked email account, so on balance it's probably best not to publish it.

I've edited the OP and added back the domain.

/mod
Oxon Flyer is offline  
Old Aug 18, 13, 11:35 am
  #11  
 
Join Date: May 2012
Location: Singapore
Programs: JL Premier | SPG Platinum | GE, TSA-Pre
Posts: 6,636
Originally Posted by jb3t
1. Did you access your account from a public computer? Maybe you forgot to close it down.

2. Is it possible it could be an inside job? When you call SPG, they often ask for your password. It would be very easy for your account to be compromised that way.

By the way, on the above, can you have two passwords? One you use for verbal confirmation and another to log in.
There is a verification password which you can set up. I set up mine with an online chat agent. It is used when they require your authorization for an SPG50 rate or something like that.
lcpteck is offline  
Old Nov 4, 13, 3:59 pm
  #12  
 
Join Date: Feb 2007
Posts: 17
Identical thing happened to me this weekend. All points were cleared out to Air Canada. I do not share account credentials with anybody and have fairly strong passwords. I am surprised how they could transfer points to miles without the name matching - I do not have an Air Canada account. I think this points to a loophole that involves Air Canada that is being exploited.
mojoshtudd is offline  
Old Nov 4, 13, 4:10 pm
  #13  
Original Member
 
Join Date: May 1998
Location: NJ
Posts: 3,304
Glad it has not happened to me, but here is what I suspect is going on.

Thief decides to steal your SPG points. Sets up an Air Canada account with YOUR name, and phony address.

Hacks your account, changes email address, password to prevent you from getting into account, transfers the points to miles in the phony AC account.

Once in the account, the miles are used for a ticket for a "friend" -- the real identity of the thief (or his friends or relatives, or people he is selling the tickets to).

As far as I know, none of the airlines even require that the CC used to pay for the taxes, fees, etc. on a FF ticket even be in the name of the person who holds the account. (Witness all the postings regarding using a dead relative's account.)
Djlawman is offline  
Old Nov 4, 13, 4:28 pm
  #14  
 
Join Date: Aug 2002
Location: SoCal
Posts: 676
Originally Posted by Flews
One of the perils of the Internet, I'm afraid.

Good service recovery by SPG though.

Cheers,
+1. Absolutely good service recovery.
Crazy4Birds is offline  
Old Nov 4, 13, 5:42 pm
  #15  
 
Join Date: Nov 2010
Location: SFO
Programs: SPG Plat, BA Executive Gold, Skywards Silver
Posts: 2,949
Originally Posted by Djlawman
Glad it has not happened to me, but here is what I suspect is going on.

Thief decides to steal your SPG points. Sets up an Air Canada account with YOUR name, and phony address.

Hacks your account, changes email address, password to prevent you from getting into account, transfers the points to miles in the phony AC account.

Once in the account, the miles are used for a ticket for a "friend" -- the real identity of the thief (or his friends or relatives, or people he is selling the tickets to).

As far as I know, none of the airlines even require that the CC used to pay for the taxes, fees, etc. on a FF ticket even be in the name of the person who holds the account. (Witness all the postings regarding using a dead relative's account.)
Have we done this before?
LovetoTravel83 is offline  
