My hacked Hilton account has finally been restored

More than a month ago I reported: My Hilton account was hacked… Twice.  My account hadn’t initially been hacked the traditional way.  That is, no one had hacked into my online account.  Instead, someone had learned enough about me and my account details to call to use my points.  It’s been a long road, but I finally have my points back.

As I previously reported, the thief had initially stolen 60K points to book a night in Chicago.  Next, they used 280K points presumably for the Hilton Chicago O’Hare Airport (I only knew this because my Hilton app told me it was time to check in).  Later, they appear to have converted 360,000 points to United Airlines miles.  More on that below.

Next: New Hilton Account (#1)

The day after I published my story about getting hacked, I received an email from Hilton’s fraud protection team.  They had set up a new Hilton account for me.  The email read, in part:

Thank you for your notification regarding the recent activity on your Hilton Honors account.

Please be assured that this activity does not have any bearing on the integrity of our systems and we have no reason to believe that our systems have been compromised. However, out of an abundance of caution, we have closed your existing Hilton Honors account and provided you with a new account number and password.

Your new Hilton Honors number is XXXXXXXXX

It’s kind of hilarious that they claim: “this activity does not have any bearing on the integrity of our systems and we have no reason to believe that our systems have been compromised”.

Unfortunately, I couldn’t access this new account.  I wrote back to the fraud team about it, but I never heard back.

9 days later, I emailed them again to try to get access to my account.  22 days later, they sent me a link to reset my online password.

Finally, I was able to get into my new account where I found that my account was almost completely empty of points.  I emailed Hilton immediately to say that my account was 360K points short of the total I had before all this started.

And I got this reply:

1) Please confirm if you authorized United Airlines Redemptions in the total amount of 360,000 on XX/YY/19?

So, the hacker had redeemed 360,000 Hilton points for (I believe) only 36,000 United miles.  That should be a crime in itself.  Interestingly, the date that this happened was the same date on which Hilton had initially set up my new Hilton account.  I think that they had sent the email for resetting your password to the hacker instead of to me!  This actually makes sense since he/she had apparently convinced a phone agent to change the email on my original account.

Next: New Hilton Account (#2)

The day after I replied that I had not authorized United Airlines Redemptions, they asked me for a new email address:

1) Could you offer us a new email address for enroll a new account for you?

I set up a new email address and gave the info to them.  Soon, I received a new email saying that they had set up yet another new account for me. This email was very much like the previous one:

This email is to notify you that we identified suspicious activity on your Hilton Honors account and proactively took steps to remedy the activity.

Please be assured this activity does not have any bearing on the integrity of our systems. However, out of an abundance of caution, we closed your existing Hilton Honors account and provided you with a new account number and password.

Your new Hilton Honors number is XXXXXX

Thankfully, this time my new email address did receive a link for resetting the password on the new account.  And all of my points were there… and then some!

Lots of new points!

My newest new Hilton account currently shows almost three times as many points as I started with.  I toyed with the idea of moving the points to a friend’s account or quickly cashing out the points in some way so as to avoid Hilton taking back this points bonanza.  In the end, I didn’t feel right about doing that.  So, I actually let them know about the mistake:

Thank you! I finally have a new account with points restored! FYI: the new account has more points than I was expecting. If you’re OK with that then I am too (obviously!), but I thought you should know.

I kind of hoped that they would say something like “whoops. our bad. keep the points. enjoy!”  But no.  This was the reply:

Please know we are currently undergoing system upgrades. During this time, select features will go offline and accounts that have been reset may incorrectly display account status.

Rest assured our records show your Honors account should display XXX,XXX and Gold tier status. Your account will be restored in full upon completion of system upgrades.

Unless you have any objections, our office will notify you via email when your account should display correctly online.

We appreciate your patience. We apologize for any inconvenience this may have caused.

For the purpose of this post I replaced the number of points listed above in their email to “XXX,XXX” but the number in the email was the exact number of points I originally had in my account, not the new super-inflated number.  Bummer.

So, I won’t end up with the super points windfall that I briefly thought I had, but I do have my points back.  That’s what really matters.  Now to hope that no hacker gets my new account information…

About Greg The Frequent Miler

Greg is the owner, founder, and primary author of the Frequent Miler. He earns millions of points and miles each year, mostly without flying, and dedicates this blog to teaching others how to do the same.

Bluedevil

I received identical emails from the fraud department after my account was hacked and drained. It has been more than two months and I still cannot see any of my past stays or activity. The fraud department is worthless.

Bill

Based on my similar experience earlier this year, Hilton’s systems have been undergoing this ‘upgrade’ for about 4 months. I can only assume this is being performed by Mr. Burns’ team of trained monkeys that was writing ‘A Tale of Two Cities.’ Seriously what is going on over there?

CaveDweller

Greg
Do a post on all the safeguards u have on ur Phone-LT-Award accounts-CC’s. I could care less about losing award points I got them Free it’s the MONEY that counts. Waking up broke wouldn’t be fun.
CHEERs

Mike

Interestingly enough, my Hilton account was hacked 2 days ago and I referred to your original post to see what you did. My account has been locked so no one can redeem points until all is figured out (I’ll probably get a new hh number). Hilton said they have restored my points, but I’m still short 30k and now reading this article it could be that they transferred those out maybe. Just like you, I only found out because my phone app sent a notification that it was time to check in.