AwardWallet Hack
I just got an email that 250 award wallet accounts had been hacked including mine and that i need to change immediately all my passwords. I have about 75.
I am not certain that the email is from award wallet though it appears to be. Did anyone else get this? |
Originally Posted by trey
(Post 25192343)
I just got an email that 250 award wallet accounts had been hacked including mine and that i need to change immediately all my passwords. I have about 75.
I am not certain that the email is from award wallet though it appears to be. Did anyone else get this? |
Originally Posted by aradisc
(Post 25193146)
Do you have access to the email header? I would suggest comparing the servers that sent it to other, normal emails from Award Wallet.
|
Unfortunately yes, the email was legitimate. Here is exactly what we sent out to 250 users:
============
Today we have detected that a hacker tried accessing AwardWallet accounts using a brute-force method. Please note that we lock accounts whenever multiple invalid logon attempts happen; however, the hacker was still able to log in to about 250 accounts. There were different types of accounts compromised: (1) accounts that had the same username and password, for example: username: JohnSmith password: JohnSmith (this was by far the majority of accounts), and (2) accounts whose passwords were not unique to AwardWallet and were already compromised via a different website, or passwords that were easily guessable, like abcd.

Unfortunately, your account was one of those 250 accounts. The hacker then was able to get all of your loyalty account usernames and passwords that you have stored in AwardWallet. This means that you need to change all those loyalty account passwords immediately to avoid the possibility of those accounts being compromised, and you need to reset your AwardWallet password using this link: https://awardwallet.com/?forgotPassword=1 Please set a unique password that you never used anywhere else and please make it complex.

We also suggest you log in to all the loyalty accounts for which you have stored credentials on AwardWallet and see if there has been any unauthorized activity. We checked and, as far as we see, there were no deductions from any of the affected loyalty programs as a result of this issue. If there has been unauthorized activity, please contact the loyalty program to report the unauthorized activity, but also please let us know and we will do what we can to help you recover your points/miles.

We sincerely apologize for this! Please also note that there is not much we can do to protect your account if you use a password that is either the same as your login name or if your password is not unique to AwardWallet. Hackers are very sophisticated and if there is any easy way to guess a password, they will guess it.

Finally, we strongly recommend you to enable two-factor authentication on your account: https://awardwallet.com/faqs.php#44 As a courtesy, we've also upgraded your account to AwardWallet Plus for the next 12 months. |
Oh boy, AW, why would you display entered passwords to loyalty accounts? That is a serious security issue! There is absolutely no need for the user to see the passwords, as they can be edited without knowing the current values, and you can simply use the values from the DB whenever your scripts require them. If an AW user's loyalty account is breached because a hacker looked at the HTML source where you printed plain-text passwords, it is 100% on you!
|
Originally Posted by veresch
(Post 25194301)
Please set a unique password that you never used anywhere else and please make it complex.
<snip> Please also note that there is not much we can do to protect your account if you use a password that is either the same as your login name or if your password is not unique to AwardWallet. |
Originally Posted by Andrew.Smith
(Post 25194715)
Surely you should force users to use sensible passwords ?
However, AW here is solely responsible for the content users store. Printing back (into the HTML source) plain-text stored passwords is just unacceptable! |
Thanks for posting!
Yep - both good recommendations, and poor practice on the part of Award Wallet. Enforce good passwords (the suggestion that this is a dead give-away of bad proper password security is ridiculous), and don't show saved passwords. Every good site I know of that is an aggregator of other accounts (like Mint / Yodlee) stores the user's passwords in a hashed format so that even if hackers breached the DB they wouldn't see the plain password. Luckily I have complex passwords on all sites, but I just deleted my Award Wallet account after this one - if they get this basic security wrong, what else are they missing? I suggest everyone delete their account; this site is too risky given this basic breach. Also, the site doesn't even give correct updates / balances a lot of the time. I feel sorry for those that have to go change passwords on dozens of accounts due to this - I had 70 accounts stored in AW! Shame on you Award Wallet / AwardWallet! |
I know it's potentially a pain, but I still have AW store my passwords locally. If I lose my cookies, I've got some re-entry, but as far as I understand, I wouldn't be in bad shape that way if my account were hacked.
|
As the OP, I am about halfway through changing my 75 passwords. It's a major pain. I sent AW a message asking to verify this and they verified and basically told me tough luck. I am cancelling them and recommend others do as well.
|
This is serious. How are they able to reassure the rest of us?
|
Originally Posted by trey
(Post 25195597)
As the OP, I am about halfway through changing my 75 passwords. It's a major pain. I sent AW a message asking to verify this and they verified and basically told me tough luck. I am cancelling them and recommend others do as well.
It's unfortunate that this happened, but fundamentally, this is a problem of weak passwords. Not much different than if you put sensitive information in Dropbox and had a password of "1234" - someone could guess it and get all your information. As a heavy user, I actually appreciate AwardWallet being proactive in notifying members about this. Some companies would have buried the news and played dumb. This notification shows that AwardWallet is concerned about user security more than their own reputation. I think that as a victim of this, you should actually KEEP using AwardWallet. They have already clarified that there was not a system weakness. Given that someone guessed your (weak?) password and got all your account information, I would say AwardWallet would be invaluable in tracking down rogue redemptions. It is not feasible to monitor all your 75 accounts by hand. This is a job that AwardWallet shines at, even though it sucks that it was where the attacker guessed the password and got your information. AwardWallet also saved all your prior balances, so by continuing to use AwardWallet, you will get quick notification if any of your account balances change. I think for your own security, it makes sense to continue using AwardWallet at least for the next few months, until you are sure that there are no rogue redemptions. |
My account got hacked too; what a joke Award Wallet is. I have 73 accounts and I am working all day to change my passwords on them.
I will then cancel Award Wallet. Thank god all my miles are still there; I had troubles with my Alaska and Iberia accounts as they didn't recognize my passwords :( |
No one actually mentions if their password was really bulletproof and unique to AwardWallet or not...
|
Originally Posted by ckpeter
(Post 25196305)
They have already clarified that there was not a system weakness. Given that someone guessed your (weak?) password and got all your account information, I would say AwardWallet would be invaluable in tracking down rogue redemptions.
If the passwords were not displayed in plain text then a hack on AwardWallet accounts would not allow access to the account username/passwords of all accounts tracked within (except if the password for those is the same). |
Originally Posted by nux
(Post 25196379)
Yes, but the fact that AwardWallet displays all stored passwords in plain text is a major system weakness. There is no reason to do this.
If the passwords were not displayed in plain text then a hack on AwardWallet accounts would not allow access to the account username/passwords of all accounts tracked within (except if the password for those is the same). The plaintext passwords are ordinarily masked. AwardWallet asks for your AW password as a double confirmation before showing them. Of course, if the user password is weak, then the double confirmation doesn't make it any more secure. I think their major mistake was in allowing members to use weak passwords, but I wouldn't blame them on the system design or displaying plaintext passwords. Both of these appear to be secure, had the user chosen a reasonably strong password. Bottom line - no system in the world is safe if the user chooses a weak password. |
Hmm. I was just able to log in and disable two-factor, without needing my two-factor code.
Kinda defeats the purpose. |
I wasn't one of the 250+ who got the email. Should I change all my passwords too? Or just my AW password?
|
For me, I didn't have a weak password and username.
|
Change all passwords and cancel your membership; better to be on the safe side than maybe losing all your hard-earned miles.
|
Don't forget the massive Iberia and BA accounts (mine of course too :( ) hacked back in March this year, which a lot of people think Award Wallet was the source of and got hacked. Think twice before giving away your valuable passwords to a company we don't really know. I myself have learned my lesson. |
Originally Posted by veresch
(Post 25194301)
...
(2) accounts whose passwords were not unique to AwardWallet and were already compromised via different website, or passwords that were easily guessable, like abcd. ...
Originally Posted by WORLDWIDE TRAVELER
(Post 25196623)
For me, I didn't have a weak password and username.
|
Easy answer is NO, and I had different passwords for all of my 73 accounts stored with them.
|
Originally Posted by josephstern
(Post 25196486)
Hmm. I was just able to log in and disable two-factor, without needing my two-factor code.
Kinda defeats the purpose. The best solution would be if AW requires another prompt for a two-factor password in order to display a clear-text loyalty password. This way even if a user did something dumb like leave their account logged in on a public computer, the clear text password wouldn't be displayed without another two-factor confirmation. Also keep in mind that just because the loyalty passwords are being shown to you clear-text, doesn't mean they are stored that way. They have to be readable so AW can use them to check your points balance, so they can't be hashed, but I'll bet they are stored encrypted in their DB. |
Originally Posted by lopinc1
(Post 25197729)
If you were already logged in (via remembered cookies) then you wouldn't be prompted for the two-factor code. The two-factor code is used when you log in on that browser initially.
This is pretty insecure. |
Originally Posted by ckpeter
(Post 25196305)
They have already clarified that there was not a system weakness.
Further comments have highlighted the lack of password re-entry requirement for the display of saved passwords - sounds to me like another system weakness.
Originally Posted by ckpeter
(Post 25196305)
Given that someone guessed your (weak?) password and got all your account information, I would say AwardWallet would be invaluable in tracking down rogue redemptions.
|
Originally Posted by Andrew.Smith
(Post 25198424)
I would say that a failure to require users to set complex passwords is a clear system weakness.
Further comments have highlighted the lack of password re-entry requirement for the display of saved passwords - sounds to me like another system weakness. I agree that AW can be incredibly useful. Maybe they should only operate on the "locally saved" password basis. Thankfully I set up my AW account like that from the start :) Just to clarify though, AW does force you to re-enter the master password before displaying your saved account password, so that part is secure. |
Originally Posted by StartinSanDiego
(Post 25196232)
This is serious. How are they able to reassure the rest of us?
But allowing a password to equal your id is simply unacceptable - for both the user and the vendor. |
Originally Posted by nux
(Post 25196379)
If the passwords were not displayed in plain text then a hack on AwardWallet accounts would not allow access to the account username/passwords of all accounts tracked within (except if the password for those is the same).
|
Anyone who uses simple passwords that can either be bruteforced or guessed or uses the same password for several websites digs his own grave ;)
|
Originally Posted by ckpeter
(Post 25196454)
AwardWallet has a feature that logs into your site accounts for you automatically. Very handy. I use it often when I don't want to fuss with all the clicking.
Originally Posted by CPRich
(Post 25199327)
You click on the account name in AW and it automatically logs you in. Not knowing the id/pwd isn't all that meaningful if you can get to the account anyway.
But I see no reason why AW should allow you to view your already entered password details in plain text. That means if your AW account is compromised (whether through brute force, known password, etc) ALL your FF account details are also compromised. This time it may have only been 250 AW accounts (compromising possibly thousands of FF accounts), next time it could be all AW accounts and who knows how many FF accounts. |
Originally Posted by josephstern
(Post 25196486)
Hmm. I was just able to log in and disable two-factor, without needing my two-factor code.
Kinda defeats the purpose. |
Originally Posted by DaveInLA
(Post 25196614)
I wasn't one of the 250+ who got the email. Should I change all my passwords too? Or just my AW password?
|
Originally Posted by lopinc1
(Post 25197729)
If you were already logged in (via remembered cookies) then you wouldn't be prompted for the two-factor code. The two-factor code is used when you log in on that browser initially.
The best solution would be if AW requires another prompt for a two-factor password in order to display a clear-text loyalty password. This way even if a user did something dumb like leave their account logged in on a public computer, the clear text password wouldn't be displayed without another two-factor confirmation. Also keep in mind that just because the loyalty passwords are being shown to you clear-text, doesn't mean they are stored that way. They have to be readable so AW can use them to check your points balance, so they can't be hashed, but I'll bet they are stored encrypted in their DB. We have 315,891 accounts on AwardWallet as of now, 250 got hacked and their usernames and passwords were very weak, like abcd / abcd so that is ~0.079% Thanks, -Alexi |
Originally Posted by Andrew.Smith
(Post 25198424)
Further comments have highlighted the lack of password re-entry requirement for the display of saved passwords - sounds to me like another system weakness.
|
FYI, the two-factor authentication used to be only available to AwardWallet Plus members, we removed this requirement and now two-factor authentication is available to anyone.
|
Originally Posted by veresch
(Post 25200576)
But to log in you did need to use two-factor auth, so I don't think it defeats the purpose. On top of that, we also ask for your AwardWallet password to disable two-factor auth.
|
Originally Posted by josephstern
(Post 25201288)
But that could have been a month ago that I logged in via two-factor. The cookie remembered me, right? Now, anyone who sits at my desk can open AW, go into settings, and turn off two-factor, without first re-authorizing with two-factor.
|
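lopinc1's suggestion earlier in the thread (a fresh two-factor prompt before a loyalty password is shown in clear text) and josephstern's point just above (a cookie-remembered session can switch two-factor off without re-authorizing) describe the same control: step-up authentication for sensitive actions. The code below is an added example, not AwardWallet's code, showing a session that records when the second factor was last verified and refuses to reveal a stored credential or disable two-factor unless that verification is recent. The TOTP routine follows RFC 4226/6238 with the RFC test secret; the session and vault shapes, the 5-minute freshness window and the function names are assumptions.

```python
"""Added example (not AwardWallet's code): step-up authentication. A sensitive
action (revealing a stored loyalty password, disabling two-factor) requires a
second factor verified within MAX_MFA_AGE seconds, so a long-lived remembered
session on its own is not enough. TOTP per RFC 6238; other shapes are assumed."""
import hashlib
import hmac
import struct

MAX_MFA_AGE = 300   # assumption: a fresh second factor is good for 5 minutes
TOTP_STEP = 30      # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // TOTP_STEP)


def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Accept the current step or the previous one (clock skew); constant-time compare."""
    step = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, s), code) for s in (step, step - 1))


class StepUpRequired(Exception):
    """Raised when a sensitive action needs a freshly verified second factor."""


class Session:
    """A logged-in session; `last_mfa_at` is None until a code is verified in it."""

    def __init__(self, username: str, created_at: int):
        self.username = username
        self.created_at = created_at
        self.two_factor_enabled = True
        self.last_mfa_at = None

    def complete_second_factor(self, secret: bytes, code: str, now: int) -> bool:
        ok = verify_totp(secret, code, now)
        if ok:
            self.last_mfa_at = now
        return ok

    def require_fresh_mfa(self, now: int) -> None:
        if self.last_mfa_at is None or now - self.last_mfa_at > MAX_MFA_AGE:
            raise StepUpRequired(f"{self.username}: re-verify second factor")


def reveal_stored_credential(session: Session, vault: dict, program: str, now: int) -> str:
    """Only a recently re-verified session may see a plaintext loyalty password."""
    session.require_fresh_mfa(now)
    return vault[program]


def disable_two_factor(session: Session, now: int) -> None:
    """Turning the second factor off is itself gated by the second factor."""
    session.require_fresh_mfa(now)
    session.two_factor_enabled = False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test secret, not a real key
    vault = {"ExampleAir": "constructed-loyalty-password"}  # constructed sample
    s = Session("trey", created_at=59)
    assert s.complete_second_factor(secret, totp(secret, 59), now=59)
    print(reveal_stored_credential(s, vault, "ExampleAir", now=100))
    try:  # a month-old remembered session: MFA is stale, so this is refused
        disable_two_factor(s, now=59 + MAX_MFA_AGE + 1)
    except StepUpRequired as e:
        print("blocked:", e)
```

The freshness check is what separates "the browser was remembered a month ago" from "this person proved possession of the second factor just now"; re-asking for the account password alone, as the thread notes, does not help when that password was the weak link in the first place.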