More than a month ago I reported: My Hilton account was hacked… Twice. My account hadn’t initially been hacked the traditional way. That is, no one had hacked into my online account. Instead, someone had learned enough about me and my account details to call to use my points. It’s been a long road, but I finally have my points back.
As I previously reported, the thief had initially stolen 60K points to book a night in Chicago. Next, they used 280K points presumably for the Hilton Chicago O’Hare Airport (I only knew this because my Hilton app told me it was time to check in). Later, they appear to have converted 360,000 points to United Airlines miles. More on that below.
Next: New Hilton Account (#1)
The day after I published my story about getting hacked, I received an email from Hilton’s fraud protection team. They had set up a new Hilton account for me. The email read, in part:
Thank you for your notification regarding the recent activity on your Hilton Honors account.
Please be assured that this activity does not have any bearing on the integrity of our systems and we have no reason to believe that our systems have been compromised. However, out of an abundance of caution, we have closed your existing Hilton Honors account and provided you with a new account number and password.
Your new Hilton Honors number is XXXXXXXXX
It’s kind of hilarious that they claim: “this activity does not have any bearing on the integrity of our systems and we have no reason to believe that our systems have been compromised”.
Unfortunately, I couldn’t access this new account. I wrote back to the fraud team about it, but I never heard back.
9 days later, I emailed them again to try to get access to my account. 22 days later, they sent me a link to reset my online password.
Finally, I was able to get into my new account where I found that my account was almost completely empty of points. I emailed Hilton immediately to say that my account was 360K points short of the total I had before all this started.
And I got this reply:
1) Please confirm if you authorized United Airlines Redemptions in the total amount of 360,000 on XX/YY/19?
So, the hacker had redeemed 360,000 Hilton points for (I believe) only 36,000 United miles. That should be a crime in itself. Interestingly, the date that this happened was the same date on which Hilton had initially set up my new Hilton account. I think that they had sent the email for resetting your password to the hacker instead of to me! This actually makes sense since he/she had apparently convinced a phone agent to change the email on my original account.
Next: New Hilton Account (#2)
The day after I replied that I had not authorized United Airlines Redemptions, they asked me for a new email address:
1) Could you offer us a new email address to enroll a new account for you?
I set up a new email address and gave the info to them. Soon, I received a new email saying that they had set up yet another new account for me. This email was very much like the previous one:
This email is to notify you that we identified suspicious activity on your Hilton Honors account and proactively took steps to remedy the activity.
Please be assured this activity does not have any bearing on the integrity of our systems. However, out of an abundance of caution, we closed your existing Hilton Honors account and provided you with a new account number and password.
Your new Hilton Honors number is XXXXXX
Thankfully, this time my new email address did receive a link for resetting the password on the new account. And all of my points were there… and then some!
Lots of new points!
My newest new Hilton account currently shows almost three times as many points as I started with. I toyed with the idea of moving the points to a friend’s account or quickly cashing out the points in some way so as to avoid Hilton taking back this points bonanza. In the end, I didn’t feel right about doing that. So, I actually let them know about the mistake:
Thank you! I finally have a new account with points restored! FYI: the new account has more points than I was expecting. If you’re OK with that then I am too (obviously!), but I thought you should know.
I kind of hoped that they would say something like “whoops. our bad. keep the points. enjoy!” But no. This was the reply:
Please know we are currently undergoing system upgrades. During this time, select features will go offline and accounts that have been reset may incorrectly display account status.
Rest assured our records show your Honors account should display XXX,XXX and Gold tier status. Your account will be restored in full upon completion of system upgrades.
Unless you have any objections, our office will notify you via email when your account should display correctly online.
We appreciate your patience. We apologize for any inconvenience this may have caused.
For the purpose of this post I replaced the number of points listed above in their email with “XXX,XXX”, but the number in the email was the exact number of points I originally had in my account, not the new super-inflated number. Bummer.
So, I won’t end up with the super points windfall that I briefly thought I had, but I do have my points back. That’s what really matters. Now to hope that no hacker gets my new account information…