Last Saturday I had a few idle minutes and decided to clear out the junk email under the Promotions tab on my Gmail account. It was lucky I did, because I found an email from Hilton telling me that there was points redemption activity on my account.
I knew immediately that something was wrong. I hadn’t booked a points stay with Hilton since last May. I logged onto my Hilton account to see what was going on. There I found that someone had used 60K of my points to book the Hilton Chicago for that night. I tried to cancel the stay, but the system told me that the time window for cancellation was over.
Hack 1: 60K Points Stolen
I was sure that my account had been hacked. I checked my account details to see if the hacker had changed my email address, home address, or phone number. No, it was all there with my original info. I quickly deleted the stored credit cards, just in case. And I updated my password for good measure.
I called Hilton’s customer care line and told them what happened. The agent asked for the reservations confirmation number, which I gave her. Then, before she could proceed with the call, she asked me for my email address in order to confirm my identity. She said, no, that didn’t match. Then she asked for my phone number. Again, it didn’t match. It turned out that she was looking at the email address and phone number on the reservation rather than on my account. The points thief had put a different phone number on the reservation (I don’t know for sure that it was a guy, but that’s what I imagined), along with an email address that looked a lot like mine, but wasn’t.
After verifying my identity against the info stored in my account, the agent put me on hold to investigate. When she returned to the line she said that the booking had been made by phone. She said that the Hilton employee who took the reservation had gone against procedure and would be re-trained. They should have sent an email verification to me first before agreeing to put a different email on the reservation. Plus, they should have sent a copy of the booking details to the email address on the account, but it was only sent to the email address on the reservation. It was lucky that Hilton had sent me the point redemption verification email!
The phone agent was able to work with the hotel directly to cancel the reservation and return my points. All was well again. Or so I thought…
Hack 2: 280K Points Stolen
The next few days were busy and I didn’t check the Promotions tab in Gmail at all. That was a mistake. On Tuesday, I was sitting in the DCA Delta SkyClub about to return home from a short trip when a message popped up on my phone saying that it was time to check in to the Hilton Chicago O’Hare Airport.
Wait, what?! This points thief loves Chicago.
I tried and failed to log into my Hilton account to see what was going on. Oh, crap…
A bit frantic, I called Hilton Customer Care. This time the email on my account didn’t match. Neither did the phone number. The jerk had somehow changed all of the contact info on my account. While the first phone agent stayed on the line, I was transferred to a special security department to verify my account. Luckily they were able to verify me… eventually. The security guy was also able to fix my email address and reset my password. Now I was able to get back into the account. Once there, I restored my phone number to the account.
Now that I could get into my account, I could see that 280,000 points were missing. There was no indication, though, of what had been done with those points. Nothing was shown under reservations or under “all points activity”. Back on the phone with the original agent, she opened a ticket to investigate the incident and, hopefully, to restore my points. She also froze my account so that points could no longer be used until the investigation was completed.
Waiting for resolution
Now I’m waiting. I’m waiting for my points to be restored and hopefully for Hilton to improve their security so that it can’t happen again. The latter is most important in the long run. With all of the data breaches that have happened, our personal information is out there. There’s no putting that genie back in the bottle. And as long as phone agents grant access to accounts by verifying who you are with that same personal information, it’s all too easy for thieves to do what they did here.
While I wait, I’ve been refreshing my AwardWallet account balances daily. Some programs are even more lax with account security. Those can be hit any time as well!
I just had 605,000 points stolen and used by some criminal through Amazon. Amazon says there is nothing they can do. I didn’t see the email that my points had been “redeemed” and that “my account” had been linked to Amazon until the following day so no it’s too late. When Hilton sent the email, I should have had 24 hours or some amount of time to approve the points redemption. I am very upset.
[…] than a month ago I reported: My Hilton account was hacked… Twice. My account hadn’t initially been hacked the traditional way. That is, no one had hacked […]
Glad it’s not just me.
Someone hacked into my account twice on March 28th. No points used. They are investigating….
[…] Be careful out there with your Hilton Honors accounts, wow! My Hilton account was hacked…twice. […]
Did anyone suggest calling the police so that they could go pick up the thief at the hotel?
I hope that Hilton’s security team did something like that, but if they did they didn’t inform me about it.
I’ve had my IHG hacked. All the points drained. IHG restored them in about a week. I can’t believe IHG just requires a 4 digit PIN. Security from the 1980’s.
Get a password manager if you don’t use one already. I took the plunge with LastPass (free) a few weeks ago and wish I had done this years ago. My Hilton password is a completely unique string of characters crazy long. It works great on my browser and phone. Big fan and I’m way more secure now.
I’ve been using LastPass for a while. It’s great. I don’t believe my password was hacked. I think that the hacker called Hilton and pretended to be me.
I had my Hilton account hacked also, and the points were transferred to Amazon. I spoke to the agent at Hilton for quite a while on the phone; she informed me that they’ve had countless issues with hacked accounts related to Amazon. She was unsure of what the reason was but said it has been very common lately.
If you can see the reservation they made …. why don’t you just go the hotel and have security take them down? Do this on video and post it here. Would be quite a post.
Good call. My doctor’s wife is a lawyer, and her brother is an FBI agent, who she called. They arrested the hacker at a hotel. I bet it was a $10 fine.
CHEERS
I had my IHG account hacked recently. Takes forever to restore points.
I’m still amazed that IHG uses a simple four digit numeric code for their security.
Just a helpful tip: the problem might be with AwardWallet. You have no one to blame but yourself if you use third-party vendors to track your miles and points. It’s the lazy and vulnerable way of managing your miles and points balances.
Steve
I agree. One of my doctors wanted my SS number and current insurance. Why? I pay cash because my insurance doesn’t ever pay for his office visits.
CHEERS
In my hack, the hackers also had my email passwords and were able to set up filters to forward anything with certain keywords (like Hilton, Delta, redemption, password, confirmation, etc.) to my trash so it would bypass my inbox, delaying my response.
So also check your trash periodically for unread emails and check for filters/rules on your accounts.
You don’t realize how many passwords you have until you need to change ALL of them!
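The filter trick described in the comment above (rules that quietly trash or divert anything mentioning Hilton, Delta, password, confirmation and so on) can be checked mechanically. The script below is an added example, not code from the post or from any commenter. It parses the Atom/XML file that Gmail produces under Settings → Filters → Export (entries made of `apps:property` elements such as `hasTheWord`, `shouldTrash`, `shouldArchive`, `forwardTo`) and reports any rule that matches sensitive keywords and then hides the mail, plus any rule that forwards mail at all. The filter export embedded in it is constructed for the demo; the keyword list and the choice of which actions count as "hiding" are assumptions you would tune to your own accounts.

```python
"""Flag mail filters that could hide account-security notices.

Added example (not from the original post or its comments). Parses the
Atom/XML format of a Gmail filter export and reports rules that trash,
archive, forward or auto-read mail matching loyalty/security keywords.
The filter export below is constructed for this demo.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Words an account-takeover filter would typically key on: the ones named
# in the comment above plus a few obvious additions (assumed list).
SENSITIVE_WORDS = {"hilton", "delta", "redemption", "password", "confirmation",
                   "verification", "security", "reservation", "points"}

# Actions that keep a message out of the owner's sight or leak it elsewhere.
HIDING_ACTIONS = {"shouldTrash", "shouldArchive", "forwardTo", "shouldMarkAsRead"}

# Constructed sample export: one benign newsletter filter, one attacker-style
# filter trashing loyalty mail, one forwarding password mail offsite.
SAMPLE_EXPORT = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:apps="http://schemas.google.com/apps/2006">
  <entry>
    <category term="filter"/>
    <title>Mail Filter</title>
    <apps:property name="from" value="newsletter@example-shop.test"/>
    <apps:property name="label" value="Shopping"/>
    <apps:property name="shouldArchive" value="true"/>
  </entry>
  <entry>
    <category term="filter"/>
    <title>Mail Filter</title>
    <apps:property name="hasTheWord" value="hilton OR delta OR redemption OR confirmation"/>
    <apps:property name="shouldTrash" value="true"/>
    <apps:property name="shouldMarkAsRead" value="true"/>
  </entry>
  <entry>
    <category term="filter"/>
    <title>Mail Filter</title>
    <apps:property name="subject" value="password reset"/>
    <apps:property name="forwardTo" value="attacker-dropbox@example.invalid"/>
    <apps:property name="shouldArchive" value="true"/>
  </entry>
</feed>
"""

CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")


def parse_filters(xml_text):
    """Return each filter entry as a dict of property name -> value."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        for entry in root.findall(ATOM + "entry")
    ]


def matched_words(rule):
    """Sensitive keywords appearing anywhere in the rule's match criteria."""
    criteria = " ".join(rule.get(k, "") for k in CRITERIA_KEYS).lower()
    return sorted(w for w in SENSITIVE_WORDS if w in criteria)


def suspicious_filters(xml_text):
    """Rules that match sensitive mail and hide it, or that forward anywhere."""
    findings = []
    for rule in parse_filters(xml_text):
        actions = sorted(a for a in HIDING_ACTIONS if a in rule)
        words = matched_words(rule)
        # Any forwarding rule is worth a look even without keywords: silently
        # copying a mailbox elsewhere is a classic persistence step.
        if "forwardTo" in rule or (words and actions):
            findings.append({
                "criteria": {k: rule[k] for k in CRITERIA_KEYS if k in rule},
                "actions": actions,
                "forward_to": rule.get("forwardTo"),
                "keywords": words,
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_filters(SAMPLE_EXPORT):
        print(finding)
```

Run against your own export, the benign newsletter rule is ignored while the two hiding rules are reported with the keywords and actions that triggered them; a forwarding rule to an address you do not recognise is the one to act on first, since it keeps working after a password change.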
If the hackers can get into Equifax, Hilton’s data should be small potatoes for them! Thanks for the warning to always be on the look-out. I also wonder if storing your cc info with your account info may have something to do with this….
This is a good time for a little reminder. The internet is not your friend. If you’re active with points, miles and travel, it’s VITAL that you keep an eye on everything, all the time. And if there has been negative activity on one of your accounts, assume that it will happen again and be extra careful. This seems obvious, but life gets in the way and time does fly by. The very LEAST you need to do is read any emails from any of “your” travel providers … immediately. I use the first hour of my workday to review my emails while drinking a big glass of water. Everybody should drink more water, right? It’s become a habit and even if I should be doing something else, I want my water, that’s my signal to have a look at my in-boxes.
Thanks, Greg, for sharing this scary experience! I started the miles/points hobby 2 years ago and this is a wake-up call!
A couple of months ago, I was randomly checking my Marriott account and noticed a pop-up to check in to a hotel in the Boston area that I didn’t make. It was for two rooms and one night. It was a cash reservation and I didn’t want to get charged for it. So I called Marriott and the operator told me it was for someone with a different name. I told them that the name on my account didn’t match the name on the reservation. So they called the hotel and then I was told the hotel had made a mistake. They made the correction immediately and I was able to verify the correction on my computer while on the phone.
I checked my Marriott account again the day after the stay and they had credited my account with points for that person’s stay. Nothing bad happened to my account and I still have those points. I just left it at that.
I gained a few thousand points with no harm done, but it was a scary experience and gets me thinking about what could go wrong.
Thank you Greg!!