My SPG Account Got Hacked
Aug 17, 2013, 12:34 pm
#1
Original Poster
Join Date: Jul 2012
Posts: 31
My SPG Account Got Hacked
I received an email from SPG stating I recently changed my email address. But since I had not done any such thing, I immediately tried to login into my SPG account but could not as the hacker had changed the username and password onto the account. The hacker's email address was <aname>@bartender.net
I then called in the customer service and they told me that I had transferred all my points to Air Canada. I told them that I did not do any such thing. After validating my personal information, they helped me reset my username and password and also reversed all unauthorized activity on my account. Thank You SPG for all your help!
Whom and How should I complain about this case? Do I have make a police complaint so that this hacker gets arrested? They can easily pursue him by following his above email address.
All others please be aware that after bank and brokerage accounts, miles and points accounts are hackers new target.
I then called in the customer service and they told me that I had transferred all my points to Air Canada. I told them that I did not do any such thing. After validating my personal information, they helped me reset my username and password and also reversed all unauthorized activity on my account. Thank You SPG for all your help!
Whom and How should I complain about this case? Do I have make a police complaint so that this hacker gets arrested? They can easily pursue him by following his above email address.
All others please be aware that after bank and brokerage accounts, miles and points accounts are hackers new target.
Last edited by Oxon Flyer; Aug 18, 2013 at 7:18 am Reason: addln question. Mod edit : remove email address
Aug 17, 2013, 12:51 pm
#2
Suspended
Join Date: May 2012
Posts: 1,593
I don't understand how your account could have been hacked and the transfer to be completed
you can change the email address but not your name in your account
and a transfer can be completed only when names are matching on SPG and the recipient account
you can change the email address but not your name in your account
and a transfer can be completed only when names are matching on SPG and the recipient account
Aug 17, 2013, 1:38 pm
#4
Join Date: Nov 2011
Location: Singapore
Programs: Hyatt diamond, SPG Plat, Accor Gold
Posts: 128
Thanks for the heads up! I will be more vigilant and check for spg based phising mails as well as not log into my SPG account from hotel computers just in case they might be compromised....
Aug 17, 2013, 5:30 pm
#5
Join Date: Mar 2007
Posts: 3,990
One of the perils of the Internet, I'm afraid. My Yahoo account got hacked last year.
Good service recovery by SPG though.
Cheers,
Good service recovery by SPG though.
Cheers,
Aug 17, 2013, 6:11 pm
#6
Join Date: Feb 2013
Location: Miami, FL
Programs: UA 1MM, AA Plat, Marriott LT Titanium, Hyatt Glob, IHG ♢ Amb, Hilton ♢, Hertz Pres
Posts: 6,018
Agreed Flews. And thanks OP, I just increased the difficulty of my password. I use LastPass so there is no reason to have insecure passwords. SPG was an older less secure password I had before I started using LP. Good reminder. I'd hate to lose all my points!
Aug 17, 2013, 6:56 pm
#7
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,536
OP, please report it to: http://www.ic3.gov/default.aspx That's probably our best shot at something being done.
Marriott has had issues with hacking recently: http://www.flyertalk.com/forum/marri...ts-hacked.html
I use AwardWallet.com to monitor all of my accounts.
I'm disappointed that a mod redacted the email address.
Marriott has had issues with hacking recently: http://www.flyertalk.com/forum/marri...ts-hacked.html
I use AwardWallet.com to monitor all of my accounts.
I'm disappointed that a mod redacted the email address.
Aug 18, 2013, 1:46 am
#8
Original Poster
Join Date: Jul 2012
Posts: 31
Thanks Guys, I will file a complaint with ic3.gov.
And Yes good service by SPG But I had to involve a CS Manager to get it done. The CS Agent initially wanted me to send an email to <non-published email address redacted>.
Also please note that the Hacker had also changed the USERNAME on the account.
Now I am changing password on all my accounts.
What I don't know is how they got the password of my account? My PC always has AntiVirus, Spyware and Antispam installed.
Also the intention of posting on the forum is to figure out whether this was an isolated case or more wide spread as it happened recently with Marriott Rewards.
And Yes good service by SPG But I had to involve a CS Manager to get it done. The CS Agent initially wanted me to send an email to <non-published email address redacted>.
Also please note that the Hacker had also changed the USERNAME on the account.
Now I am changing password on all my accounts.
What I don't know is how they got the password of my account? My PC always has AntiVirus, Spyware and Antispam installed.
Also the intention of posting on the forum is to figure out whether this was an isolated case or more wide spread as it happened recently with Marriott Rewards.
Last edited by AZ Travels the World; Aug 20, 2013 at 11:11 am Reason: Remove unpublished email address
Aug 18, 2013, 6:37 am
#9
Join Date: Aug 2010
Programs: MR LT Titanium, SPG LT Plat & Plat 100, SWA A+ & CP
Posts: 1,093
1. Did you access your account from a public computer? Maybe you forgot to close it down.
2. Is it possible it could be an inside job? When you call SPG, they often ask for your password. It would be very easy for you account to be compromised that way.
By the way, on the above, can you have two passwords? One you use for verbal confirmation and another to log in.
2. Is it possible it could be an inside job? When you call SPG, they often ask for your password. It would be very easy for you account to be compromised that way.
By the way, on the above, can you have two passwords? One you use for verbal confirmation and another to log in.
Aug 18, 2013, 7:17 am
#10
Moderator: British Airways Executive Club, Marriott Bonvoy
Join Date: May 2006
Location: Englandshire
Programs: SPG LT Plat, BA G, BD*LG, MG Blue+ ...
Posts: 16,033
We're aware of the sensitivities on this one : for all we know, the hacker's quoted email address may well, in itself, be a hacked email account, so on balance it's probably best not to publish it.
I've edited the OP and added back the domain.
/mod
I've edited the OP and added back the domain.
/mod
Aug 18, 2013, 10:35 am
#11
Join Date: May 2012
Location: SIN
Programs: JL GC | Marriott LT Silver | Global Entry | SQ Silver
Posts: 6,819
1. Did you access your account from a public computer? Maybe you forgot to close it down.
2. Is it possible it could be an inside job? When you call SPG, they often ask for your password. It would be very easy for you account to be compromised that way.
By the way, on the above, can you have two passwords? One you use for verbal confirmation and another to log in.
2. Is it possible it could be an inside job? When you call SPG, they often ask for your password. It would be very easy for you account to be compromised that way.
By the way, on the above, can you have two passwords? One you use for verbal confirmation and another to log in.
Nov 4, 2013, 2:59 pm
#12
Join Date: Feb 2007
Posts: 17
Identical thing happened to me this weekend. All points were cleared out to Air Canada. I do not share account credentials with anybody and have fairly strong passwords. I am surprised how they could transfer points to miles without the name matching - I do not have an Air Canada account. I think this points to a loophole that involves Air Canada that is being exploited.
Nov 4, 2013, 3:10 pm
#13
Original Member
Join Date: May 1998
Location: NJ
Posts: 3,335
Glad it has not happened to me, but here is what I suspect is going on.
Thief decides to steal your SPG points. Sets up an Air Canada account with YOUR name, and phony address.
Hacks your account, changes email address, password to prevent you from getting into account, transfers the points to miles in the phony AC account.
Once in the account, the miles are used for a ticket for a "friend" -- the real identity of the thief (or his friends or relatives, or people he is selling the tickets to).
As far as I know, none of the airlines even require that the CC used to pay for the taxes, fees, etc. on a FF ticket even be in the name of the person who holds the account. (Witness all the postings regarding using a dead relative's account.)
Thief decides to steal your SPG points. Sets up an Air Canada account with YOUR name, and phony address.
Hacks your account, changes email address, password to prevent you from getting into account, transfers the points to miles in the phony AC account.
Once in the account, the miles are used for a ticket for a "friend" -- the real identity of the thief (or his friends or relatives, or people he is selling the tickets to).
As far as I know, none of the airlines even require that the CC used to pay for the taxes, fees, etc. on a FF ticket even be in the name of the person who holds the account. (Witness all the postings regarding using a dead relative's account.)
Nov 4, 2013, 4:42 pm
#15
Join Date: Nov 2010
Location: KSA
Programs: Marriott AMB, Skywards Gold
Posts: 3,737
Glad it has not happened to me, but here is what I suspect is going on.
Thief decides to steal your SPG points. Sets up an Air Canada account with YOUR name, and phony address.
Hacks your account, changes email address, password to prevent you from getting into account, transfers the points to miles in the phony AC account.
Once in the account, the miles are used for a ticket for a "friend" -- the real identity of the thief (or his friends or relatives, or people he is selling the tickets to).
As far as I know, none of the airlines even require that the CC used to pay for the taxes, fees, etc. on a FF ticket even be in the name of the person who holds the account. (Witness all the postings regarding using a dead relative's account.)
Thief decides to steal your SPG points. Sets up an Air Canada account with YOUR name, and phony address.
Hacks your account, changes email address, password to prevent you from getting into account, transfers the points to miles in the phony AC account.
Once in the account, the miles are used for a ticket for a "friend" -- the real identity of the thief (or his friends or relatives, or people he is selling the tickets to).
As far as I know, none of the airlines even require that the CC used to pay for the taxes, fees, etc. on a FF ticket even be in the name of the person who holds the account. (Witness all the postings regarding using a dead relative's account.)
