My Hilton account was hacked… Twice.


Last Saturday I had a few idle minutes and decided to clear out the junk email under the Promotions tab on my Gmail account.  It was lucky I did, because I found an email from Hilton telling me that there was points redemption activity on my account:

I knew immediately that something was wrong.  I hadn’t booked a points stay with Hilton since last May.  I logged onto my Hilton account to see what was going on.  There I found that someone had used 60K of my points to book the Hilton Chicago for that night.  I tried to cancel the stay, but the system told me that the time window for cancellation was over.

Hack 1: 60K Points Stolen

I was sure that my account had been hacked.  I checked my account details to see if the hacker had changed my email address, home address, or phone number.  No, it was all there with my original info.  I quickly deleted the stored credit cards, just in case.  And I updated my password for good measure.

I called Hilton’s customer care line and told them what happened.  The agent asked for the reservations confirmation number, which I gave her.  Then, before she could proceed with the call, she asked me for my email address in order to confirm my identity.  She said, no, that didn’t match.  Then she asked for my phone number.  Again, it didn’t match.  It turned out that she was looking at the email address and phone number on the reservation rather than on my account.  The points thief had put a different phone number on the reservation (I don’t know for sure that it was a guy, but that’s what I imagined), along with an email address that looked a lot like mine, but wasn’t.

After verifying my identity against the info stored in my account, the agent put me on hold to investigate.  When she returned to the line she said that the booking had been made by phone.  She said that the Hilton employee who took the reservation had gone against procedure and would be re-trained. They should have sent an email verification to me first before agreeing to put a different email on the reservation.  Plus, they should have sent a copy of the booking details to the email address on the account, but it was only sent to the email address on the reservation.  It was lucky that Hilton had sent me the point redemption verification email!

The phone agent was able to work with the hotel directly to cancel the reservation and return my points.  All was well again.  Or so I thought…

Hack 2: 280K Points Stolen

The next few days were busy and I didn’t check the Promotions tab in Gmail at all.  That was a mistake.  On Tuesday, I was sitting in the DCA Delta SkyClub about to return home from a short trip when a message popped up on my phone saying that it was time to check in to the Hilton Chicago O’Hare Airport.

Wait, what?!  This points thief loves Chicago.

I tried and failed to log into my Hilton account to see what was going on.  Oh, crap…

A bit frantic, I called Hilton Customer Care.  This time the email on my account didn’t match.  Neither did the phone number.  The jerk had somehow changed all of the contact info on my account.  While the first phone agent stayed on the line, I was transferred to a special security department to verify my account.  Luckily they were able to verify me… eventually.  The security guy was also able to fix my email address and reset my password.  Now I was able to get back into the account.  Once there, I restored my phone number to the account.

Now that I could get into my account, I could see that 280,000 points were missing.  There was no indication though of what was done with those points.  Nothing was shown under reservations or under “all points activity”.  Back now on the phone with the original agent, she opened a ticket to investigate the incident and to hopefully restore my points.  She also froze my account so that points can no longer be used until the investigation is completed.

Waiting for resolution

Now I’m waiting.  I’m waiting for my points to be restored and hopefully for Hilton to improve their security so that it can’t happen again.  The latter is most important in the long run.  With all of the data breaches that have happened, our personal information is out there.  There’s no putting that genie back in the bottle.  And as long as phone agents grant access to accounts by verifying who you are with that same personal information, it’s all too easy for thieves to do what they did here.

While I wait, I’ve been refreshing my AwardWallet account balances daily.  Some programs are even more lax with account security.  Those can be hit any time as well!



49 Comments
Rosemary

I just had 605,000 points stolen and used by some criminal through Amazon. Amazon says there is nothing they can do. I didn’t see the email that my points had been “redeemed” and that “my account” had been linked to Amazon until the following day, so now it’s too late. When Hilton sent the email, I should have had 24 hours or some amount of time to approve the points redemption. I am very upset.

[…] than a month ago I reported: My Hilton account was hacked… Twice.  My account hadn’t initially been hacked the traditional way.  That is, no one had hacked […]

raj

Glad it’s not just me.

Someone hacked into my account twice on March 28th. No points used. They are investigating….

[…] Be careful out there with your Hilton Honors accounts, wow! My Hilton account was hacked…twice. […]

mark

Did anyone suggest calling the police so that they could go pick up the thief at the hotel?

Alben

I’ve had my IHG hacked. All the points drained. IHG restored them in about a week. I can’t believe IHG just requires a 4 digit PIN. Security from the 1980’s.

Jake

Get a password manager if you don’t use one already. I took the plunge with LastPass (free) a few weeks ago and wish I had done this years ago. My Hilton password is a completely unique string of characters crazy long. It works great on my browser and phone. Big fan and I’m way more secure now.

Charlie

I had my Hilton account hacked also and the points were transferred to Amazon. I spoke to the agent at Hilton for quite a while on the phone; she informed me that they’ve had countless issues with hacked accounts related to Amazon. She was unsure of what the reason was, but it has been very common lately.

5150d

If you can see the reservation they made …. why don’t you just go the hotel and have security take them down? Do this on video and post it here. Would be quite a post.

CaveDweller

Good call. My doctor’s wife is a lawyer, her brother an FBI agent, whom she called. They arrested the hacker at a hotel. I bet a $10 fine..
CHEERS

Erika Hamilton

I had my IHG account hacked recently. Takes forever to restore points.

Joseph Stern

I’m still amazed that IHG uses a simple four digit numeric code for their security.

Steve

Just a helpful tip: the problem might be with AwardWallet. You have no one to blame but yourself if you use third-party vendors to track your miles and points. It’s the lazy and vulnerable way of managing your miles and points balances.

CaveDweller

Steve
I agree. My one doctor wanted my SS number and current insurance. Why? I pay cash because my insurance doesn’t ever pay for his office visits.
CHEERs

bludevil

In my hack, the hackers also had my email passwords and were able to set up filters to forward anything with certain keywords (like Hilton, Delta, redemption, password, confirmation, etc.) to my trash so it would bypass my inbox, delaying my response.

So also check your trash periodically for unread emails and check for filters/rules on your accounts.

You don’t realize how many passwords you have until you need to change ALL of them!
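The mailbox rules described in the comment above (filters that trash or auto-forward anything mentioning Hilton, Delta, redemption, password or confirmation) are a standard persistence trick once an attacker has a victim's email password, and the check is easy to script. The following is an added example, not code from the original post or from any commenter: it parses the Atom XML feed that Gmail's Settings > Filters and Blocked Addresses > Export produces (property names such as `hasTheWord`, `shouldTrash`, `shouldMarkAsRead` and `forwardTo` follow that export format) and flags any filter that forwards mail elsewhere, or that hides mail matching sensitive terms. The `SAMPLE_FILTERS_XML` feed, the keyword list and the attacker address are constructed for illustration.

```python
"""Audit an exported Gmail filter list for rules that hide or divert mail.

Gmail's Settings > Filters and Blocked Addresses > Export writes an Atom XML
feed in which each <entry> is one filter and each <apps:property> is one
criterion (from, to, subject, hasTheWord, ...) or action (shouldTrash,
shouldArchive, shouldMarkAsRead, forwardTo, label, ...). SAMPLE_FILTERS_XML,
the keyword list and the attacker address below are constructed for this
example, not taken from a real mailbox.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Properties that decide which messages a filter matches.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
# Actions that keep a matching message out of the inbox or out of sight.
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
# Words an attacker would want the victim not to see (the comment's list, extended).
SENSITIVE_TERMS = ("hilton", "delta", "redemption", "password", "confirmation",
                   "verification", "security", "points", "reservation")

# Constructed export: one benign newsletter rule, one rule that buries loyalty
# and credential mail in the trash, and one that forwards hotel mail elsewhere.
SAMPLE_FILTERS_XML = """\
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='hilton OR delta OR redemption OR password OR confirmation'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='hilton.com'/>
    <apps:property name='forwardTo' value='attacker@example.net'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.findall(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall(APPS + "property")}
        rules.append(props)
    return rules


def sensitive_terms_in(rule):
    """Sensitive words that appear anywhere in the filter's match criteria."""
    text = " ".join(rule.get(k, "") for k in CRITERIA).lower()
    return sorted(t for t in SENSITIVE_TERMS if t in text)


def audit_filters(rules):
    """Flag filters that forward mail, or that hide mail about sensitive topics."""
    findings = []
    for idx, rule in enumerate(rules):
        reasons = []
        if rule.get("forwardTo"):
            # Any forwarding rule deserves a look; victims rarely create one.
            reasons.append(f"forwards matching mail to {rule['forwardTo']}")
        hides = [a for a in HIDING_ACTIONS if rule.get(a, "").lower() == "true"]
        terms = sensitive_terms_in(rule)
        if hides and terms:
            reasons.append(f"{', '.join(hides)} applied to mail matching: "
                           f"{', '.join(terms)}")
        if reasons:
            criteria = {k: v for k, v in rule.items() if k in CRITERIA}
            findings.append({"index": idx, "criteria": criteria, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_filters(parse_filters(SAMPLE_FILTERS_XML)):
        print(f"filter #{finding['index']} {finding['criteria']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against your own exported `mailFilters.xml` by swapping the sample for the file contents; every flagged entry should be one you remember creating. Filters are only one hiding place: the account-level forwarding address and any connected third-party apps sit in separate settings pages and need a manual look too.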

Mary Jane

If the hackers can get into Equifax, Hilton’s data should be small potatoes for them! Thanks for the warning to always be on the look-out. I also wonder if storing your cc info with your account info may have something to do with this….

huey judy

This is a good time for a little reminder. The internet is not your friend. If you’re active with points, miles and travel, it’s VITAL that you keep an eye on everything, all the time. And if there has been negative activity on one of your accounts, assume that it will happen again and be extra careful. This seems obvious, but life gets in the way and time does fly by. The very LEAST you need to do is read any emails from any of “your” travel providers … immediately. I use the first hour of my workday to review my emails while drinking a big glass of water. Everybody should drink more water, right? It’s become a habit and even if I should be doing something else, I want my water, that’s my signal to have a look at my in-boxes.

JB San Diego

Thanks Greg for sharing this scary experience! I started the miles/points hobby 2 years ago and this is a wake-up call!
A couple of months ago, I was randomly checking my Marriott account and noticed a pop-up to check in to a hotel in the Boston area that I didn’t make. It was for two rooms and one night. It was a cash reservation and I didn’t want to get charged for it. So I called Marriott and the operator told me it was for someone with a different name. I told them that the name on my account didn’t match the name on the reservation. So they called the hotel and then I was told the hotel made a mistake. They made the correction immediately and I was able to verify the correction on my computer while on the phone.
I checked my Marriott account again the day after the stay and they had credited my account with points for that person’s stay. Nothing bad happened to my account and I still have those points. I just left it at that.
I gained a few thousand points with no harm done, but it was a scary experience and gets me thinking about what could go wrong.

Thank you Greg!!

ed k

Now, if sites like this and others find out about law enforcement going after these thieves, and especially convictions, then it should be made public to the points community so others might be deterred from hacking someone’s account. Most end up hearing about what the corporations end up paying, but their security, or lack thereof, is only one part of it. We must deter the anarchists of society from their intended deeds by letting them know they won’t get away with it. Greg has helped in showing us what we can do to protect what is ours and being proactive, and that’s great. Reminders are a good thing. Keep it up. Thank you!

Gaurav

So is it like if someone has all of your information, they are able to change things in your account without your password? Or did you never change your password after the first hack (I am assuming they changed your info online the second time)?

Belinda

What a hassle. I can’t believe no email was ever sent to your real email account confirming your points stay. So lax and sloppy on their part.

They’re overzealous with me…I’ve been accused of fraud myself by them so many times. Every single time I used to transfer points from me or my mom to my husband (and pay) and also lots of times regarding me trying to credit a stay on our mutual fund account. One time we got a full page reprimand email from a rep going on and on about how we were cheating …(when I attempted to credit a stay in my name to our mutual fund account). I call it The Hilton Honors Customer DISservice Center. Most of that mutual fund problem arises when I attempt to use my 4th free night with Citi Prestige. That card is in my name. My husband is primary on the Hilton mutual fund account. Meaning Hilton pretty much ignores me. I always book just one guest…cuz that’s my Hilton benefit…spouse stays free. Cuz it’s cheaper that way right? Let the fun begin. The Conrad Hong Kong just switches the res to my husband name at checkin. So no problems with points. Then that makes Citi upset…they think I didn’t even go on the trip. They try to deny my fourth night and also probably have noted my account because now the concierge line warns me strongly each time how this benefit is only for me and not other people. They also try to kind of accuse me of scamming Hilton diamond benefits through my husband. Ha. I’m my own diamond from the Amex card. I’m just trying to work on lifetime diamond on the mutual fund. Almost there. If the hotel doesn’t switch the name at checkin then I have trouble receiving points for the stay and thus accusations of fraud by the Hilton disservice center. I just quit using my Citi benefit now. I feel like my robot vacuum just spinning in a circle bumping into something everywhere I turn with these companies.

miafll

Not sure why you have the idea that a single person is cheaper than 2 persons on a reservation. Japan is the only country I know of, that would charge extra starting from 2nd adult. Hong Kong certainly does not.
Nor all European / US / Canada properties.

Cliff

The exact thing happened to me as well this weekend. Only this time, the jerk bought amazon gift cards. I don’t know what’s worse, the stolen points or the poor redemption values!

Naoyuki

My Hilton account was hacked a few months ago also. It appears their system is very easy to hack. I have never been impressed with Hilton IT infrastructure, even before I was hacked. Their website used to be, and continues to be rather clunky. However, I really wonder if some of these “hacks” are internal jobs.

Bludevil

My Hilton account was breached multiple times during the past month. The crooks linked my account to Amazon and then drained all of the points that way. The second and third ones happened AFTER Hilton allegedly froze my account.

The HHonors Fraud Department is a JOKE. They gave me a different account number and said they would merge everything over. That didn’t happen. It has been a month since the first breach and the account still isn’t working properly. I can’t see any past stays or account history. Their last email response to me was more than a week ago.

frugalman

Comfort, Greg. I would be outraged and frustrated if I were you. So I see two problems here:
1. In the first case, the phone representative was able to make a new reservation with a new email without sending it to the original one. It is a system loophole rather than an employee who should be “re-trained”. Conspiracy theory: could this have been done with an HH insider?
2. In the second case, after you changed your password (the best we can do as customers), somehow the thieves still managed to hack it a SECOND time. I think at this moment there is another loophole there, though as you said, nobody knows and you have to wait for the investigation. At least, I think you should request to change your HH number now. Or just create a brand new account and have them transfer the points to that new account.

If the thief were smart, they should know about your name and avoid any action against you. It would only expose their sneaky activities in public much faster by making Greg frantic :).

Belinda

I personally think frugalman is on to something…inside job! Cuz Hilton is so freakin overzealous about fraud…at least with me.

Lloyd

My Hilton account was hacked earlier this year and the thief took all 550,000 points by transferring them to Amazon and getting about $1000 in value. I did receive an email telling me that my Hilton account had been linked to Amazon but it looked suspicious so I ignored it until the next day when I received an email telling me my points had been transferred to Amazon.

After logging in to Hilton, I confirmed the 550K points were gone and called Hilton. They gave me an email address to send the details regarding the hack and after about three weeks I received an email from their fraud department telling me a new account had been created for me and my points and reservations had been restored.

Once I got logged into the new account, I was floored to see that over 1,700,000 Hilton points resided in my account. I can’t figure out exactly how they came to that number but it appears the new account includes only the credits of all points activity since I was a member and none of the withdrawal activity over the years.

I am thinking it might be Hilton’s way of compensating members for the trouble caused by the hack but am reluctant to ask a Hilton rep for fear it may be a mistake. If no mistake, getting hacked is a much better way to build your account balance than sign up bonuses!

CaveDweller

L
Just like an IRS refund: if you spend it, do you have to pay it back, as in full price, not points?
CHEERs

bludevil

Mine was linked the same way to Amazon, but I have not been as lucky 😉

dave

I’m assuming when you changed the password after the first hack it was unique enough from your previous and all others passwords used across all accounts that it could not be guessed?

CaveDweller

They blew it. They should pay off with points or an upgrade, etc. I booked with Prestige and they re-booked it a week later for some reason with the wrong address. I called; they said “So what” and that I made the mistake.
CHEERs

Debit

Then Hilton should have a record of the calls and who actually made the changes. More likely it’s someone on the inside at Hilton who is giving out the details. They should still have access to who made the changes and who accessed your accounts within the last three months.

But then again all this is not very important. No time for this. I have to go make noise about Hillary’s emails.

CaveDweller

I must be doing something right, never been hacked, but how good is LifeLock? But I’m waiting to turn on my LT one morning and it’s ALL GONE. I’m on THE list; I get 2 or 3 emails every day with malware.. You can steal more money with a briefcase than a gun.
Keep us posted.
CHEERs
Can I have Another Please ?
HaHa

Bill

Good luck Greg. A similar situation happened to me in January that took nearly 2 months to be resolved, though my thief booked a night at the aspirational Hampton Inn Pikeville, Kentucky. I kept getting emails from their fraud department about undergoing a ‘systems upgrade’ and my points would be restored when it was completed. It was probably my 8th or 9th call to Hilton when I finally happened to get a CSR sympathetic enough to actually take some action on my behalf.

Also, be sure to check your Delta account if you had those accounts linked. I had from the old SPG crossover rewards and that was hacked as well on the same day but I was seemingly able to catch that before the thief was able to do anything.

bludevil

Both my Hilton and Delta accounts were hacked the same day! The thief got all of my points on both accounts. Delta has been wonderful, Hilton not so much. I got the same emails about a system upgrade and have also spent hours on the phone with Hilton. Things still aren’t fixed.

Debit

It’s fine you will survive. Don’t be a drama queen. What we certainly don’t need is a strong data protection law like the one in Europe.

Your data is our property. Not yours. Got it? Now go vote for me like you always do while I go bend over for corporate interests.

CaveDweller

G
Good move Troll Free I do love my Thumbs down Pile on folks .
CHEERs

Debit

Thanks I guess. But I think you should have a hall of fame for most hated posts. Genuine talent should be recognized.

CaveDweller

G
Good post once again. Maybe I just delete my Hilton account and Delta too. I called Hilton; better for ME to suspend the account, not close. If I ever flip a Hilton card I will call and open it.
I want travel not hassles.
CHEERs

huey judy

Are you two having fun being ugly? Go find something constructive to do.

CaveDweller

hj
I guess that’s pointed at me. I just did; I suspended my account. Go look at your post about ugly. Who are you? I’m working right now.
Oops. Have a nice (Fr.) day..
CHEERs

Erika Hamilton

Among other issues with your post I think you mean drama king. Let’s not be sexist and use terminology that demeans women and suggests they are the only dramatic and overly emotional sex.

Debit

I think we should refrain from assuming what sex Greg identifies with unless he has absolutely made it clear. What do you suggest?

Debit

Oops I meant “it has absolutely made it clear”