AwardWallet Hack
#46
Join Date: Sep 2012
Posts: 4,431
I'm shocked that someone with multiple FF and/or hotel accounts would use passwords like this.
#47
Join Date: May 2004
Posts: 253
You log the failed passwords from failed login attempts in a log in clear text? That's not something you should be able to see. What about successful attempts, are those passwords logged as well?
#48
Suspended
Join Date: Feb 2015
Location: The electrified part of North Carolina
Programs: UA GM, AA GM, DL GM
Posts: 4,157
For the FT members who have posted that their AW account was hacked, were you using "password" or "Password" as your account password, or was your password the same as your user name...?
#49
Company Representative - AwardWallet
Join Date: Oct 2007
Posts: 56
Yes, as soon as we noticed what was happening, we started logging everything from those IPs.
#51
Join Date: Aug 2013
Location: USA
Programs: IHG/Spire Amb., Hilton/Diamond, SPG/Gold, Marriott/Gold, AA/Plat, Southwest/CP
Posts: 270
I was also a victim of this hack, and admittedly, I had a VERY insecure password.
I was aware of the dangers of giving it access to my accounts. There's no way it would be able to use those passwords repeatedly to get your balances if they weren't stored in a plain text format that the system could use to login to check those balances. It was my fault for not changing my AW password to something more secure after I started adding those.
I appreciated that AW caught this quickly and notified me before any damage was done. Good on them.
#52
Join Date: Jun 2004
Posts: 3,774
I was also a victim of this hack, and admittedly, I had a VERY insecure password.
I was aware of the dangers of giving it access to my accounts. There's no way it would be able to use those passwords repeatedly to get your balances if they weren't stored in a plain text format that the system could use to login to check those balances. It was my fault for not changing my AW password to something more secure after I started adding those.
I appreciated that AW caught this quickly and notified me before any damage was done. Good on them.
One thing I wish AwardWallet had done was email all users that there had been a very limited security breach and suggest that all users reinforce good password practice.
Had I not read this on FT, I would not have known and may have been the next victim. I understand why they may have only wished to notify the 250 affected account holders as they didn't want to generate massive panic, but I would have very much appreciated an approach of full disclosure so other potential victims would have time to take appropriate action to secure their accounts.
#53
Join Date: Sep 2004
Posts: 973
Has my award wallet account been hacked??
Today I received an email from award wallet advising of changes to scheduled flight times for JL flight from ICN to NRT next March. However, I checked JAL website and AA website (I booked tickets thru AA) and there were no such changes!
Has anyone received such strange email?
#54
Join Date: Apr 2001
Location: Austin
Programs: AA P4L, WN, BA, DL, UA, HHonors, IHG
Posts: 3,485
How to Turn Off 2-Factor Authentication?
A few weeks ago I turned on 2-factor in AW, but now I'd like to turn it back off. How can that be done?
ANSWER: Ten minutes before posting this, an email was sent to me from Award Wallet stating that 2-factor had been turned off. Does someone there have psychic powers??
Last edited by Middle_Seat; Jan 4, 2016 at 8:47 pm