Consolidated "Hilton Honors Account Hacked" thread
#16
Original Poster
Join Date: Dec 2000
Location: Orlando, FL, USA (MCO)
Programs: Hilton-Diamond, Virgin-Gold, BA-Silver
Posts: 21
I too called the Diamond desk to try and get my credit card removed from my profile. The person I spoke with tried and tried from her end, putting me on hold a number of times to get help, but also was never able to remove it. I'll try the trick of changing the expiration date next.
I really wish Hilton would take this issue more seriously and fix this security hole.
#17
FlyerTalk Evangelist
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,337
It seems Hilton has some other serious security issues. I just got an email from Hilton about someone else's reservation! Or actually a "Your Requests Upon Arrival Order".
It came from [email protected] and includes this person's order for 2 Additional Down Filled Pillows at the Hilton Slussen in Stockholm. It has his name, his HHonors number and shows his tier as Gold. It also has his stay dates and confirmation number. I could cause this poor man a lot of trouble if I were a mischievous sort of person.
I stayed at the Hilton Slussen back in January, but other than that, I have zero connection with this person and his reservation. How in the heck did Hilton send this to my email address?
#19
Join Date: Apr 2005
Posts: 522
And since I've resurrected this issue, just wanted to add what my concern is -
I'm not worried about my credit card info because that's the one area where I'm protected. If there's ever a fraudulent charge on my AMEX or MC I'm not responsible for it, the credit card company will cover it.
However, what would happen if someone got into my account and took my points? I have a considerable balance and consider it as I do my other assets. But what protection would HH provide if someone was able to either transfer the points out of my account, or use them themselves for an award reservation?
#20
Join Date: Nov 2013
Programs: HH Diamond, IHG Spire, Marriott Gold, AA Plat. Pro
Posts: 400
That truly is the biggest concern. Someone taking all your points.
No one can get your CC info from the account since it's hashed when you put it in (not hashed per se but turned into ***...hashing is a whole other deal and really how you should store passwords...salted hashes, slow hash, etc). You can only see the last 4 digits. You can see the expiration too which isn't great either.
Last edited by HansGruber; Jul 8, 2014 at 5:15 pm Reason: Clarified hashing
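The post above draws a distinction worth seeing in code: showing only the last four digits of a card is masking (the digits are just not displayed), whereas "salted, slow hashing" is what you do with passwords so that a stolen database does not hand over the credential. The block below is an added example, not code from Hilton or from anyone in this thread; the card number is a constructed test PAN, and the iteration count is an assumed policy value.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample PAN (a standard test number, not a real card).
SAMPLE_PAN = "4111111111111111"

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def mask_card(pan: str) -> str:
    """Return the display form a profile page shows: only the last four digits.

    This is masking, not hashing. The original digits are simply not rendered;
    whether the full PAN is still stored in the back end is a separate question.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("PAN too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash of a password.

    A fresh random salt per password means two users with the same password
    get different digests and an attacker cannot precompute a single table.
    The iteration count makes each guess expensive for an offline cracker.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print(mask_card(SAMPLE_PAN))
    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))
    print(verify_password("wrong password", salt, digest))
```

Note that a hashed password is useful only for verification; a card number has to be recovered in clear to charge it, which is why card data is masked on display and vaulted or tokenized in storage rather than hashed.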
#22
Company Representative - Honors by Hilton
Join Date: Aug 2009
Programs: Hilton Honors
Posts: 1,516
#23
Join Date: Dec 2002
Location: SMF
Programs: AA EXP 4MM
Posts: 815
Hilton HHonors account hacked--should account number be changed?
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?
#24
FlyerTalk Evangelist
Join Date: Jul 1999
Location: Ewa Beach, Hawaii
Posts: 10,955
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?
#25
A FlyerTalk Posting Legend
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,864
It can't hurt to change the number, but depending on what you know of the circumstances of the hack, it might be more or less worth the time and hassle for you.
#26
FlyerTalk Evangelist
Join Date: Jan 2005
Location: home = LAX
Posts: 25,978
When I got the Hilton HHonors website I see it ask for:
Username or HHonors #
Password or PIN
In other words, if all you change is your username and password, but someone has your account number and PIN, they can still sign in with that!
So it seems to me the most someone can do (without changing their account number) is to change their 4-digit PIN (as well as their username and password, if they have those).
But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see.
(Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.)
#27
Join Date: Apr 2005
Posts: 522
My HHonors account was hacked on 9/28/14 and a large number of points were stolen. I discovered this on 9/29/14 and called and spoke to a Guest Services rep. I was given the phone number and order number for Maritz rewards and I was able to block the fulfillment of the fraudulent order. I will supposedly get the points back.
I asked the HHonors rep whether my account number should be changed (just as I would do if a credit card account was impaired). The rep did not think so but this doesn't really make sense to me. Of course changing the account number is a hassle because it is linked to credit cards, but still it would be more secure.
Anyone have any similar experience?
http://www.flyertalk.com/forum/hilto...la-lumpur.html
And on that thread you'll see I linked this thread, which unfortunately failed to prompt Hilton to rectify this situation:
http://www.flyertalk.com/forum/hilto...-security.html
When is Hilton going to address their website security issues? How many people need to have their accounts hacked before something's done!
(Your HH account number is easily "stolen": it appears on folios left in front of doors, it's on emails sent to easily hacked yahoo accounts, etc. And with your account number in hand all a hacker then needs to do is figure out a mere 4 digit pin number.)
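The point made in the last two posts, that an account number is easy to obtain and a 4-digit PIN leaves only 10,000 candidates, is simple to demonstrate. The block below is an added example with a simulated login service, not code from Hilton or from anyone in this thread, and it does not claim anything about how Hilton's site actually behaves. It shows an attacker enumerating every PIN against an unthrottled login, and the same attack failing once the service locks the account after a small number of failures (the lockout threshold is an assumed policy value).

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Assumed policy: lock the account after this many consecutive failures.
ASSUMED_LOCKOUT_THRESHOLD = 5


@dataclass
class Account:
    number: str       # the loyalty account number (easily leaked, per the thread)
    pin: str          # 4-digit PIN, stored in clear here only to keep the demo short
    failures: int = 0
    locked: bool = False


class LoginService:
    """Minimal account-number + PIN login, with optional lockout."""

    def __init__(self, accounts: Iterable[Account], lockout_after: Optional[int] = None):
        self.accounts: Dict[str, Account] = {a.number: a for a in accounts}
        self.lockout_after = lockout_after

    def login(self, number: str, pin: str) -> bool:
        acct = self.accounts.get(number)
        if acct is None or acct.locked:
            return False
        if hmac.compare_digest(acct.pin, pin):
            acct.failures = 0
            return True
        acct.failures += 1
        if self.lockout_after is not None and acct.failures >= self.lockout_after:
            acct.locked = True
        return False

    def is_locked(self, number: str) -> bool:
        return self.accounts[number].locked


def guess_pin(service: LoginService, number: str) -> Tuple[Optional[str], int]:
    """Try every 4-digit PIN in order. Returns (pin or None, attempts made)."""
    attempts = 0
    for i in range(10_000):
        attempts += 1
        if service.login(number, f"{i:04d}"):
            return f"{i:04d}", attempts
    return None, attempts


def make_service(lockout_after: Optional[int]) -> LoginService:
    # Constructed sample account; the number and PIN are made up.
    return LoginService([Account(number="123456789", pin="7294")], lockout_after)


if __name__ == "__main__":
    # Without throttling the whole keyspace is searched and the PIN is found.
    print(guess_pin(make_service(None), "123456789"))
    # With lockout the attacker gets a handful of tries and the account locks.
    svc = make_service(ASSUMED_LOCKOUT_THRESHOLD)
    print(guess_pin(svc, "123456789"), svc.is_locked("123456789"))
```

Lockout on its own trades a takeover risk for a denial-of-service risk (anyone with your account number can lock you out), so real deployments usually combine per-account throttling with per-source rate limits and an extra factor rather than relying on a 4-digit PIN at all.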
#28
FlyerTalk Evangelist
Join Date: Jul 1999
Location: Ewa Beach, Hawaii
Posts: 10,955
Huh???
When I got the Hilton HHonors website I see it ask for:
Username or HHonors #
Password or PIN
In other words, if all you change is your username and password, but someone has your account number and PIN, they can still sign in with that!
So it seems to me the most someone can do (without changing their account number) is to change their 4-digit PIN (as well as their username and password, if they have those).
But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see.
(Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.)
#29
Join Date: Jan 2009
Location: TUL
Programs: AA EXP 2MM; Marriott Titanium; Hilton Diamond; Vistana Chairman
Posts: 6,179
Huh???
. . .
But that 4-digit PIN is the only thing stopping someone who knows your account number from logging into your account, as far as I can see.
(Delta is dropping the ability to log on with a PIN at the end of the year. But BA still has PIN sign-in too, as does IHG.)
#30
Join Date: Jul 2009
Posts: 1
My Hilton HHonors account was also hacked on 9/29/14, and over 200,000 points were used for a merchandise purchase. I contacted guest services and the points were quickly returned to my account. Unfortunately, they also said that the account information should stay the same, because that would help the fraud protection department track down the culprit. Against my own best judgement, I agreed. Two days later, another 230,000 points are missing from my account. Guess it's time to spend another hour on the phone with guest services!