FlyerTalk Forums

AwardWallet Hack (https://www.flyertalk.com/forum/travel-tools/1698724-awardwallet-hack.html)

trey Jul 29, 2015 2:57 pm

AwardWallet Hack
 
I just got an email that 250 AwardWallet accounts had been hacked, including mine, and that I need to change all my passwords immediately. I have about 75.

I am not certain that the email is from AwardWallet, though it appears to be. Did anyone else get this?

aradisc Jul 29, 2015 6:06 pm


Originally Posted by trey (Post 25192343)
I just got an email that 250 AwardWallet accounts had been hacked, including mine, and that I need to change all my passwords immediately. I have about 75.

I am not certain that the email is from AwardWallet, though it appears to be. Did anyone else get this?

Do you have access to the email header? I would suggest comparing the servers that sent it to other, normal emails from Award Wallet.

trey Jul 29, 2015 6:58 pm


Originally Posted by aradisc (Post 25193146)
Do you have access to the email header? I would suggest comparing the servers that sent it to other, normal emails from Award Wallet.

Yes, it appears to be legitimate. I have tried to contact AwardWallet but no response.

veresch Jul 30, 2015 12:58 am

Unfortunately yes, the email was legitimate. Here is exactly what we sent out to 250 users:

============
Today we have detected that a hacker tried accessing AwardWallet accounts using a brute-force method. Please note that we lock accounts whenever multiple invalid logon attempts happen; however, the hacker was still able to log in to about 250 accounts. There were different types of accounts compromised:

(1) accounts had the same username and password, for example: username: JohnSmith password: JohnSmith (this was by far the majority of accounts) and

(2) accounts whose passwords were not unique to AwardWallet and were already compromised via a different website, or passwords that were easily guessable, like abcd.

Unfortunately, your account was one of those 250 accounts. The hacker then was able to get all of your loyalty account usernames and passwords that you have stored in AwardWallet. This means that you need to change all those loyalty account passwords immediately to avoid the possibility of those accounts being compromised and you need to reset your AwardWallet password using this link:

https://awardwallet.com/?forgotPassword=1

Please set a unique password that you never used anywhere else and please make it complex.

We also suggest you login to all the loyalty accounts for which you have stored credentials on AwardWallet and see if there has been any unauthorized activity. We checked and as far as we see there were no deductions from any of the affected loyalty programs as a result of this issue. If there has been unauthorized activity, please contact the loyalty program to report the unauthorized activity but also please let us know and we will do what we can to help you recover your points/miles.

We sincerely apologize for this! Please also note that there is not much we can do to protect your account if you use a password that is either the same as your login name or if your password is not unique to AwardWallet. Hackers are very sophisticated and if there is any easy way to guess a password, they will guess it.

Finally, we strongly recommend that you enable two-factor authentication on your account:

https://awardwallet.com/faqs.php#44

As a courtesy, we’ve also upgraded your account to AwardWallet Plus for the next 12 months.
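The notice above describes a per-account lockout that still let the attacker into accounts whose password equalled the username, because one guess per account never trips a per-account threshold. The following is an added example, not AwardWallet's code, that shows both halves from the defender's side: a lockout counter keyed on the account, and a second detector keyed on the source address that flags one source touching many distinct accounts. The thresholds, the log line format and the addresses are all constructed for the example.

```python
"""Added example: per-account lockout versus a per-source "many accounts, one
guess each" detector, run over constructed authentication log lines.
Thresholds and log format are assumptions, not any real product's settings.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCK_THRESHOLD = 5                 # assumed policy: failures before an account locks
LOCK_WINDOW = timedelta(minutes=15)
SPRAY_MIN_ACCOUNTS = 10            # assumed: distinct accounts one source may touch
SPRAY_WINDOW = timedelta(minutes=10)


def constructed_log():
    """Build sample lines: '<iso timestamp> <source ip> <username> <OK|FAIL>'."""
    base = datetime(2015, 7, 29, 10, 0, 0)
    lines = []
    # One user mistyping their own password six times: per-account lockout fires.
    for i in range(6):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.9 alice FAIL")
    # One source trying twelve different accounts exactly once each: no single
    # account ever reaches LOCK_THRESHOLD, yet two guesses succeed.
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        outcome = "OK" if i in (3, 8) else "FAIL"
        lines.append(f"{ts} 198.51.100.7 user{i:02d} {outcome}")
    lines.sort()  # ISO timestamps sort chronologically as strings
    return lines


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"


class AccountLockout:
    """Counts recent failures per account and locks it after a threshold."""

    def __init__(self, threshold=LOCK_THRESHOLD, window=LOCK_WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(list)
        self.locked_until = {}

    def is_locked(self, user, now):
        return self.locked_until.get(user, now) > now

    def record(self, user, now, success):
        """Record one attempt; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        if success:
            self.failures[user].clear()
            return False
        recent = [t for t in self.failures[user] if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.window
            return True
        return False


def detect_spray(lines, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Return {ip: distinct_accounts} for sources that touch at least
    min_accounts different usernames inside one window, however few attempts
    each individual account received."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, _ = parse_line(line)
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged


def run(lines):
    """Replay the log through the lockout; return (locked accounts, flagged sources)."""
    lockout = AccountLockout()
    locked = set()
    for line in lines:
        ts, _, user, ok = parse_line(line)
        if lockout.record(user, ts, ok):
            locked.add(user)
    return locked, detect_spray(lines)


if __name__ == "__main__":
    locked, sprayers = run(constructed_log())
    print("locked by per-account rule:", locked)        # {'alice'}
    print("flagged by per-source rule:", sprayers)       # {'198.51.100.7': 12}
```

Replaying the constructed log, the per-account rule locks only the legitimate user who fumbled her own password, while the source that guessed once against twelve accounts is invisible to it and is caught only by the per-source count. Rate-limiting and alerting on that second signal, rather than on per-account failures alone, is the control the notice's own description calls for.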

scibuff Jul 30, 2015 3:56 am

Oh boy, AW, why would you display entered passwords to loyalty accounts? That is a serious security issue! There is absolutely no need for the user to see the passwords, as they can be edited without knowing the current values and you can simply use the values from the DB whenever your scripts require them. If an AW user's loyalty account is breached because a hacker looked at the HTML source where you printed plain-text passwords, it is 100% on you!

fartoomanyusers Jul 30, 2015 4:19 am


Originally Posted by veresch (Post 25194301)
Please set a unique password that you never used anywhere else and please make it complex.

<snip>

Please also note that there is not much we can do to protect your account if you use a password that is either the same as your login name or if your password is not unique to AwardWallet.

Surely you should force users to use sensible passwords?

scibuff Jul 30, 2015 4:35 am


Originally Posted by Andrew.Smith (Post 25194715)
Surely you should force users to use sensible passwords?

Actually, password policies (esp. shameful ones) are usually a dead giveaway that a website doesn't employ proper password security. I'd say the best way is to use a library (e.g. zxcvbn) to indicate the strength of passwords back to the user. It is then up to the user to secure their account properly.

However, AW here is solely responsible for the content users store. Printing stored plain-text passwords back (into the HTML source) is just unacceptable!
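The two positions in this exchange (enforce a policy, or only feed strength back to the user) both start from the same check: whatever the site decides to do with the result, it has to recognise the failure modes the notice listed, a password equal to the login name and a password already known to be compromised. The following is an added example, not AwardWallet's or zxcvbn's code, of that check. The compromised-password set is a constructed stand-in for a real breach corpus, and the minimum length is an assumed policy value.

```python
"""Added example: a password acceptance check that catches the cases named
in the breach notice (password == username, known-compromised or trivially
guessable values) and returns feedback the caller can show to the user.
The compromised list and length policy are constructed assumptions.
"""
import unicodedata

# Constructed stand-in for a breached-password corpus; a real deployment
# would consult a large list or a k-anonymity range lookup (assumption).
KNOWN_COMPROMISED = {"password", "123456", "abcd", "qwerty", "letmein", "iloveyou"}
MIN_LENGTH = 12          # assumed policy
TRAILING_FILLER = "0123456789!."   # suffixes people add to reuse a known value


def normalize(text):
    """Fold case and Unicode form so 'JohnSmith' and 'johnsmith' compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def check_password(username, password):
    """Return (accepted, reasons). An empty reasons list means accepted."""
    reasons = []
    u = normalize(username)
    p = normalize(password)
    core = p.rstrip(TRAILING_FILLER)   # 'johnsmith1!' -> 'johnsmith'

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Case (1) from the notice: the password is, or is built from, the login name.
    if u and (p == u or core == u or (len(u) >= 4 and u in p)):
        reasons.append("contains or equals the username")
    # Case (2): a value that is already public or trivially guessable.
    if p in KNOWN_COMPROMISED or core in KNOWN_COMPROMISED:
        reasons.append("appears in a list of compromised passwords")
    if len(set(p)) <= 3:
        reasons.append("uses too few distinct characters")
    return (not reasons, reasons)


def strength_feedback(username, password):
    """Render the check as the kind of message a signup form would show."""
    ok, reasons = check_password(username, password)
    if ok:
        return "accepted"
    return "rejected: " + "; ".join(reasons)


if __name__ == "__main__":
    # Constructed inputs mirroring the notice's own examples.
    for user, pw in [("JohnSmith", "JohnSmith"), ("JohnSmith", "abcd"),
                     ("JohnSmith", "correct horse battery staple")]:
        print(f"{user!r} / {pw!r}: {strength_feedback(user, pw)}")
```

Whether the result blocks the submission or is only displayed as a warning is the policy question the two posters disagree on; the check itself is the same either way, and it costs nothing to run it at signup and again at every password change.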

alchemista Jul 30, 2015 7:40 am

Thanks for posting!

Yep - both good recommendations, and poor practice on the part of Award Wallet. Enforce good passwords (the suggestion that this is a dead giveaway of improper password security is ridiculous), and don't show saved passwords.

Every good site I know of that is an aggregator of other accounts (like Mint / Yodlee) stores the user's passwords in a hashed format so that even if hackers breached the DB they wouldn't see the plain password.

Luckily I have complex passwords on all sites, but I just deleted my Award Wallet account after this one - if they get this basic security wrong, what else are they missing?

I suggest everyone delete their account, this site is too risky given this basic breach. Also, the site doesn't even give correct updates / balances a lot of the time. I feel sorry for those that have to go change passwords on dozens of accounts due to this - I had 70 accounts stored in AW!

Shame on you Award Wallet / AwardWallet !

josephstern Jul 30, 2015 7:58 am

I know it's potentially a pain, but I still have AW store my passwords locally. If I lose my cookies, I've got some re-entry, but as far as I understand, I wouldn't be in bad shape that way if my account were hacked.

trey Jul 30, 2015 8:27 am

As the OP, I am about halfway through changing my 75 passwords. It's a major pain. I sent AW a message asking to verify this, and they verified and basically told me tough luck. I am cancelling them and recommend others do as well.

StartinSanDiego Jul 30, 2015 10:30 am

This is serious. How are they able to reassure the rest of us?

ckpeter Jul 30, 2015 10:43 am


Originally Posted by trey (Post 25195597)
As the OP, I am about halfway through changing my 75 passwords. It's a major pain. I sent AW a message asking to verify this, and they verified and basically told me tough luck. I am cancelling them and recommend others do as well.

I am a heavy AwardWallet user myself. All of my own and my family's accounts are tracked there.

It's unfortunate that this happened, but fundamentally, this is a problem of weak passwords. Not much different than if you put sensitive information in Dropbox and had a password of "1234" - someone could guess it and get all your information.

As a heavy user, I actually appreciate AwardWallet being proactive in notifying members about this. Some companies would have buried the news and played dumb. This notification shows that AwardWallet is concerned about user security more than their own reputation.

I think that as a victim of this, you should actually KEEP using AwardWallet.

They have already clarified that there was not a system weakness. Given that someone guessed your (weak?) password and got all your account information, I would say AwardWallet would be invaluable in tracking down rogue redemptions.

It is not feasible to monitor all your 75 accounts by hand. This is a job that AwardWallet shines at, even though it sucks that it was where the attacker guessed the password and got your information. AwardWallet also saved all your prior balances, so by continuing to use AwardWallet, you will get quick notification if any of your account balances change.

I think for your own security, it makes sense to continue using AwardWallet at least for the next few months, until you are sure that there are no rogue redemptions.

WORLDWIDE TRAVELER Jul 30, 2015 10:45 am

My account got hacked too; what a joke Award Wallet is. I have 73 accounts and I am working all day to change my passwords on them.
I will then cancel Award Wallet. Thank god all my miles are still there.
Had trouble with my Alaska and Iberia accounts as they didn't recognize my passwords :(

kisl Jul 30, 2015 10:53 am

No one actually mentions whether their password was really bulletproof and unique to AwardWallet or not...

nux Jul 30, 2015 10:55 am


Originally Posted by ckpeter (Post 25196305)
They have already clarified that there was not a system weakness. Given that someone guessed your (weak?) password and got all your account information, I would say AwardWallet would be invaluable in tracking down rogue redemptions.

Yes, but the fact that AwardWallet displays all stored passwords in plain text is a major system weakness. There is no reason to do this.

If the passwords were not displayed in plain text then a hack on AwardWallet accounts would not allow access to the account username/passwords of all accounts tracked within (except if the password for those is the same).

