My Hilton account was hacked… Twice.

Last Saturday I had a few idle minutes and decided to clear out the junk email under the Promotions tab on my Gmail account.  It was lucky I did, because I found an email from Hilton telling me that there was points redemption activity on my account:

I knew immediately that something was wrong.  I hadn’t booked a points stay with Hilton since last May.  I logged onto my Hilton account to see what was going on.  There I found that someone had used 60K of my points to book the Hilton Chicago for that night.  I tried to cancel the stay, but the system told me that the time window for cancellation was over.

Hack 1: 60K Points Stolen

I was sure that my account had been hacked.  I checked my account details to see if the hacker had changed my email address, home address, or phone number.  No, it was all there with my original info.  I quickly deleted the stored credit cards, just in case.  And I updated my password for good measure.

I called Hilton’s customer care line and told them what happened.  The agent asked for the reservations confirmation number, which I gave her.  Then, before she could proceed with the call, she asked me for my email address in order to confirm my identity.  She said, no, that didn’t match.  Then she asked for my phone number.  Again, it didn’t match.  It turned out that she was looking at the email address and phone number on the reservation rather than on my account.  The points thief had put a different phone number on the reservation (I don’t know for sure that it was a guy, but that’s what I imagined), along with an email address that looked a lot like mine, but wasn’t.

After verifying my identity against the info stored in my account, the agent put me on hold to investigate.  When she returned to the line she said that the booking had been made by phone.  She said that the Hilton employee who took the reservation had gone against procedure and would be re-trained. They should have sent an email verification to me first before agreeing to put a different email on the reservation.  Plus, they should have sent a copy of the booking details to the email address on the account, but it was only sent to the email address on the reservation.  It was lucky that Hilton had sent me the point redemption verification email!
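The two controls the agent describes (verify a changed contact address through the address already on the account before accepting it, and always send the booking confirmation to the account's email as well) can be written down as a simple check that also catches the lookalike address used here. The following is an added example, not Hilton's or Frequent Miler's code; the account and reservation records, the 555 phone numbers, the example.com addresses and the 0.8 lookalike threshold are constructed assumptions.

```python
"""
Added example: a defender-side check for a points redemption booking whose
contact details differ from the account of record. It implements two controls
from the post (verify through the account's own email first; always copy the
booking to the account email) and flags near-match ("lookalike") emails.
All records are constructed sample data.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re


@dataclass(frozen=True)
class Account:
    """Contact details of record on the loyalty account (constructed)."""
    member_id: str
    email: str
    phone: str


@dataclass(frozen=True)
class Reservation:
    """Contact details supplied for a redemption booking (constructed)."""
    confirmation: str
    member_id: str
    email: str
    phone: str
    points: int


def normalize_email(addr: str) -> str:
    return addr.strip().lower()


def normalize_phone(num: str) -> str:
    # Digits only, so "+1 (555) 010-0001" and "1-555-010-0001" compare equal.
    return re.sub(r"\D", "", num)


def email_similarity(a: str, b: str) -> float:
    # 1.0 means identical; one substituted character in a typical address
    # scores well above 0.9, which is what a lookalike looks like.
    return SequenceMatcher(None, a, b).ratio()


def assess_redemption(account: Account, reservation: Reservation,
                      lookalike_threshold: float = 0.8) -> dict:
    """Decide whether the booking must be held for verification, where that
    verification is sent (always the account of record, never the new
    address), and who must receive the confirmation."""
    acct_email = normalize_email(account.email)
    res_email = normalize_email(reservation.email)
    email_differs = acct_email != res_email
    phone_differs = normalize_phone(account.phone) != normalize_phone(reservation.phone)
    lookalike = email_differs and email_similarity(acct_email, res_email) >= lookalike_threshold

    findings = []
    if email_differs:
        findings.append("reservation email differs from account email")
    if lookalike:
        findings.append("reservation email is a near-match (lookalike) of the account email")
    if phone_differs:
        findings.append("reservation phone differs from account phone")

    hold = email_differs or phone_differs
    return {
        "confirmation": reservation.confirmation,
        "points": reservation.points,
        "hold_for_verification": hold,
        # Control 1: verification goes through the address already on file.
        "verify_via": acct_email if hold else None,
        # Control 2: the account email always gets a copy of the booking.
        "notify": sorted({acct_email, res_email}),
        "lookalike": lookalike,
        "findings": findings,
    }


if __name__ == "__main__":
    account = Account("HH-000001", "Greg.FrequentMiler@example.com", "+1 (555) 010-0001")
    bookings = [
        Reservation("CONF-1", "HH-000001", "greg.frequentmi1er@example.com", "555-010-0002", 60_000),
        Reservation("CONF-2", "HH-000001", "greg.frequentmiler@example.com", "1-555-010-0001", 40_000),
    ]
    for booking in bookings:
        result = assess_redemption(account, booking)
        print(result["confirmation"],
              "HOLD" if result["hold_for_verification"] else "ok",
              result["findings"])
```

The point of returning `verify_via` separately from `notify` is that the agent in the story verified the caller against the details on the reservation rather than on the account; the check makes the account of record the only channel through which a contact change can be confirmed.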

The phone agent was able to work with the hotel directly to cancel the reservation and return my points.  All was well again.  Or so I thought…

Hack 2: 280K Points Stolen

The next few days were busy and I didn’t check the Promotions tab in Gmail at all.  That was a mistake.  On Tuesday, I was sitting in the DCA Delta SkyClub about to return home from a short trip when a message popped up on my phone saying that it was time to check in to the Hilton Chicago O’Hare Airport.

Wait, what?!  This points thief loves Chicago.

I tried and failed to log into my Hilton account to see what was going on.  Oh, crap…

A bit frantic, I called Hilton Customer Care.  This time the email on my account didn’t match.  Neither did the phone number.  The jerk had somehow changed all of the contact info on my account.  While the first phone agent stayed on the line, I was transferred to a special security department to verify my account.  Luckily they were able to verify me… eventually.  The security guy was also able to fix my email address and reset my password.  Now I was able to get back into the account.  Once there, I restored my phone number to the account.

Now that I could get into my account, I could see that 280,000 points were missing.  There was no indication though of what was done with those points.  Nothing was shown under reservations or under “all points activity”.  Back now on the phone with the original agent, she opened a ticket to investigate the incident and to hopefully restore my points.  She also froze my account so that points can no longer be used until the investigation is completed.

Waiting for resolution

Now I’m waiting.  I’m waiting for my points to be restored and hopefully for Hilton to improve their security so that it can’t happen again.  The latter is most important in the long run.  With all of the data breaches that have happened, our personal information is out there.  There’s no putting that genie back in the bottle.  And as long as phone agents grant access to accounts by verifying who you are with that same personal information, it’s all too easy for thieves to do what they did here.

While I wait, I’ve been refreshing my AwardWallet account balances daily.  Some programs are even more lax with account security.  Those can be hit any time as well!

About Greg The Frequent Miler

Greg is the owner, founder, and primary author of the Frequent Miler. He earns millions of points and miles each year, mostly without flying, and dedicates this blog to teaching others how to do the same.

Debit (Guest):

It’s fine you will survive. Don’t be a drama queen. What we certainly don’t need is a strong data protection law like the one in Europe.

Your data is our property. Not yours. Got it? Now go vote for me like you always do while I go bend over for corporate interests.

Erika Hamilton (Guest):

Among other issues with your post I think you mean drama king. Let’s not be sexist and use terminology that demeans women and suggests they are the only dramatic and overly emotional sex.

Debit (Guest):

I think we should refrain from assuming what sex Greg identifies with unless he has absolutely made it clear. What do you suggest?

Debit (Guest):

Oops I meant “it has absolutely made it clear”

Bill (Guest):

Good luck Greg. A similar situation happened to me in January that took nearly 2 months to be resolved, though my thief booked a night at the aspirational Hampton Inn Pikeville, Kentucky. I kept getting emails from their fraud department about undergoing a ‘systems upgrade’ and my points would be restored when it was completed. It was probably my 8th or 9th call to Hilton before I finally happened to get a CSR sympathetic enough to actually take some action on my behalf.

Also, be sure to check your Delta account if you had those accounts linked. I had them linked from the old SPG Crossover Rewards and that was hacked as well on the same day, but I was seemingly able to catch that before the thief was able to do anything.

bludevil (Guest):

Both my Hilton and Delta accounts were hacked the same day! The thief got all of my points on both accounts. Delta has been wonderful, Hilton not so much. I got the same emails about a system upgrade and have also spent hours on the phone with Hilton. Things still aren’t fixed.

CaveDweller (Guest):

I must be doing something right, never been hacked, but how good is LifeLock? But I’m waiting to turn on my LT one morning and it’s ALL GONE. I’m on THE list. I get 2 or 3 emails every day with malware. You can steal more money with a briefcase than a gun.
Keep us posted.
CHEERs
Can I have Another Please?
HaHa

dave (Guest):

I’m assuming when you changed the password after the first hack it was unique enough from your previous and all others passwords used across all accounts that it could not be guessed?

Lloyd (Guest):

My Hilton account was hacked earlier this year and the thief took all 550,000 points by transferring them to Amazon and getting about $1000 in value. I did receive an email telling me that my Hilton account had been linked to Amazon but it looked suspicious so I ignored it until the next day when I received an email telling me my points had been transferred to Amazon.

After logging in to Hilton, I confirmed the 550K points were gone and called Hilton. They gave me an email address to send the details regarding the hack and after about three weeks I received an email from their fraud department telling me a new account had been created for me and my points and reservations had been restored.

Once I got logged into the new account, I was floored to see that over 1,700,000 Hilton points resided in my account. I can’t figure out exactly how they came to that number but it appears the new account includes only the credits of all points activity since I was a member and none of the withdrawal activity over the years.

I am thinking it might be Hilton’s way of compensating members for the trouble caused by the hack but am reluctant to ask a Hilton rep for fear it may be a mistake. If no mistake, getting hacked is a much better way to build your account balance than sign up bonuses!

CaveDweller (Guest):

L
Just like an IRS refund, if you spend it do you have to pay it back, as in full price, not points?
CHEERs

bludevil (Guest):

Mine was linked the same way to Amazon, but I have not been as lucky 😉

frugalman (Guest):

Comfort, Greg. I would be outraged and frustrated if I were you. So I see two problems here:
1. In the first case, the phone representative was able to make a new reservation with a new email without sending it to the original one. It is a system loophole rather than an employee who should be “re-trained”. Conspiracy theory: could this have been done with a HH insider?
2. In the second case, after you changed your password (the best we can do as customers), somehow the thieves still managed to hack it a SECOND time. I think at this moment there is another loophole there, though as you said, nobody knows and we have to wait for the investigation. At least, I think you should request to change your HH number now. Or just create a brand new account and have them transfer the points to that new account.

If the thief were smart, they should know about your name and avoid any action against you. It would only expose their sneaky activities in public much faster by making Greg frantic :).

Belinda (Guest):

I personally think frugalman is on to something…inside job! Cuz Hilton is so freakin overzealous about fraud…at least with me.

Bludevil (Guest):

My Hilton account was breached multiple times during the past month. The crooks linked my account to Amazon and then drained all of the points that way. The second and third ones happened AFTER Hilton allegedly froze my account.

The HHonors Fraud Department is a JOKE. They gave me a different account number and said they would merge everything over. That didn’t happen. It has been a month since the first breach and the account still isn’t working properly. I can’t see any past stays or account history. Their last email response to me was more than a week ago.

Naoyuki (Guest):

My Hilton account was hacked a few months ago also. It appears their system is very easy to hack. I have never been impressed with Hilton IT infrastructure, even before I was hacked. Their website used to be, and continues to be rather clunky. However, I really wonder if some of these “hacks” are internal jobs.

Cliff (Guest):

The exact thing happened to me as well this weekend. Only this time, the jerk bought Amazon gift cards. I don’t know what’s worse, the stolen points or the poor redemption values!

Belinda (Guest):

What a hassle. I can’t believe no email was ever sent to your real email account confirming your points stay. So lax and sloppy on their part.

They’re overzealous with me…I’ve been accused of fraud myself by them so many times. Every single time I used to transfer points from me or my mom to my husband (and pay) and also lots of times regarding me trying to credit a stay on our mutual fund account. One time we got a full page reprimand email from a rep going on and on about how we were cheating …(when I attempted to credit a stay in my name to our mutual fund account). I call it The Hilton Honors Customer DISservice Center. Most of that mutual fund problem arises when I attempt to use my 4th free night with Citi Prestige. That card is in my name. My husband is primary on the Hilton mutual fund account. Meaning Hilton pretty much ignores me. I always book just one guest…cuz that’s my Hilton benefit…spouse stays free. Cuz it’s cheaper that way right? Let the fun begin. The Conrad Hong Kong just switches the res to my husband’s name at checkin. So no problems with points. Then that makes Citi upset…they think I didn’t even go on the trip. They try to deny my fourth night and also probably have noted my account because now the concierge line warns me strongly each time how this benefit is only for me and not other people. They also try to kind of accuse me of scamming Hilton diamond benefits through my husband. Ha. I’m my own diamond from the Amex card. I’m just trying to work on lifetime diamond on the mutual fund. Almost there. If the hotel doesn’t switch the name at checkin then I have trouble receiving points for the stay and thus accusations of fraud by the Hilton disservice center. I just quit using my Citi benefit now. I feel like my robot vacuum just spinning in a circle bumping into something everywhere I turn with these companies.

miafll (Guest):

Not sure why you have the idea that a single person is cheaper than 2 persons on a reservation. Japan is the only country I know of, that would charge extra starting from 2nd adult. Hong Kong certainly does not.
Nor all European / US / Canada properties.

Gaurav (Guest):

So is it like if someone has all of your information, they are able to change things in your account without your password? Or did you never change your password after the first hack (I am assuming they changed your info online the second time)?

ed k (Guest):

Now, if sites like this and others find out about law enforcement going after these thieves, and especially convictions, then it should be made public to the points community so others might be deterred from hacking someone’s account. Most end up hearing about what the corporations end up paying, but their security, or lack thereof, is only one part of it. We must deter the anarchists of society from their intended deeds by letting them know they won’t get away with it. Greg has helped in showing us what we can do to protect what is ours and being proactive and that’s great. Reminders are a good thing. Keep it up. Thank you!

JB San Diego (Guest):

Thanks Greg for sharing this scary experience! I started the miles/points hobby 2 years ago and this is a wake up call!
A couple of months ago, I was randomly checking my Marriott account and noticed a pop up to check in to a hotel in the Boston area that I didn’t make. It was for two rooms and one night. It was a cash reservation and I didn’t want to get charged for it. So I called Marriott and the operator told me it was for someone with a different name. I told them that the name on my account didn’t match the name on the reservation. So they called the hotel and then I was told the hotel made a mistake. They made the correction immediately and I was able to verify the correction on my computer while on the phone.
I checked my Marriott account again the day after the stay and they had credited my account with points for that person’s stay. Nothing bad happened to my account and I still have those points. I just left it at that.
I gained a few thousand points with no harm done, but it was a scary experience and gets me thinking about what could go wrong.

Thank you Greg!!

huey judy (Guest):

This is a good time for a little reminder. The internet is not your friend. If you’re active with points, miles and travel, it’s VITAL that you keep an eye on everything, all the time. And if there has been negative activity on one of your accounts, assume that it will happen again and be extra careful. This seems obvious, but life gets in the way and time does fly by. The very LEAST you need to do is read any emails from any of “your” travel providers … immediately. I use the first hour of my workday to review my emails while drinking a big glass of water. Everybody should drink more water, right? It’s become a habit and even if I should be doing something else, I want my water, that’s my signal to have a look at my in-boxes.

Mary Jane (Guest):

If the hackers can get into Equifax, Hilton’s data should be small potatoes for them! Thanks for the warning to always be on the look-out. I also wonder if storing your cc info with your account info may have something to do with this….

bludevil (Guest):

In my hack, the hackers also had my email passwords and were able to set up filters to forward anything with certain keywords (like Hilton, Delta, redemption, password, confirmation, etc.) to my trash so it would bypass my inbox, delaying my response.

So also check your trash periodically for unread emails and check for filters/rules on your accounts.

You don’t realize how many passwords you have until you need to change ALL of them!
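The mail-filter trick described in the comment above (rules that trash or hide anything mentioning the loyalty program, "redemption" or "password") is easy to overlook in a web UI but simple to audit from an export. The following is an added example, not code from the post or from any commenter: it parses the XML that Gmail's "Export filters" option produces (an Atom feed whose entries carry apps:property name/value pairs) and flags rules that divert or hide mail. The feed embedded in it is a constructed sample in that format, not a real export; the forwarding address in it and the list of sensitive terms are placeholders and assumptions.

```python
"""
Added example: offline audit of a Gmail filter export for rules that would
hide or divert security mail (trash, skip inbox, mark read, forward). The
sample feed below is constructed to mirror the attack described in the
comment; it is not a real export.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample export: filter 1 mirrors the comment's attack, filter 2
# silently forwards booking mail elsewhere, filter 3 is an ordinary
# newsletter rule that should only rate a low note.
SAMPLE_FILTERS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <content></content>
    <apps:property name='hasTheWord' value='Hilton OR Delta OR redemption OR password OR confirmation'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <content></content>
    <apps:property name='subject' value='reservation'/>
    <apps:property name='forwardTo' value='attacker-placeholder@example.net'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <content></content>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
</feed>
"""

CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")
HIDING_ACTIONS = {
    "shouldTrash": "deleted to Trash",
    "shouldArchive": "skips the Inbox",
    "shouldMarkAsRead": "marked as read",
}
# Assumed watch-list: terms whose presence in a hiding rule is the red flag.
SENSITIVE_TERMS = ("password", "confirmation", "verification", "security",
                   "redemption", "reservation", "reset", "hilton", "delta",
                   "marriott", "ihg", "points", "miles")


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    return [
        {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def audit_filters(filters):
    """Flag filters that divert or hide mail; findings come back in filter order."""
    findings = []
    for index, props in enumerate(filters, start=1):
        criteria = " ".join(props.get(k, "") for k in CRITERIA_KEYS).strip().lower()
        hits = [term for term in SENSITIVE_TERMS if term in criteria]
        hiding = [desc for key, desc in HIDING_ACTIONS.items() if props.get(key) == "true"]
        forward_to = props.get("forwardTo")
        if forward_to:
            # Any silent forward copies mail off the account; always review it.
            findings.append({"filter": index, "severity": "high",
                             "reason": f"forwards matching mail to {forward_to}",
                             "criteria": criteria})
        if hiding and hits:
            findings.append({"filter": index, "severity": "high",
                             "reason": f"mail matching {hits} is {' and '.join(hiding)}",
                             "criteria": criteria})
        elif hiding:
            findings.append({"filter": index, "severity": "low",
                             "reason": f"mail is {' and '.join(hiding)} (no sensitive terms)",
                             "criteria": criteria})
    return findings


if __name__ == "__main__":
    for finding in audit_filters(parse_filters(SAMPLE_FILTERS_XML)):
        print(f"filter {finding['filter']} [{finding['severity']}]: "
              f"{finding['reason']} (criteria: {finding['criteria']!r})")
```

Run against a real export, the same check also answers the second half of the comment's advice: a rule that marks mail as read or skips the Inbox is exactly what makes an unread notification disappear from view without being deleted.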

Steve (Guest):

Just a helpful tip, the problem might be with AwardWallet. You have no one to blame but yourself if you use third party vendors to track your miles and points. It’s the lazy and vulnerable way of managing your miles and points balances.

CaveDweller (Guest):

Steve
I agree. My one doctor wanted my SS number and current ins. Why? I pay cash because my ins. doesn’t ever pay for his office visits.
CHEERs

Erika Hamilton (Guest):

I had my IHG account hacked recently. Takes forever to restore points.

Joseph Stern (Guest):

I’m still amazed that IHG uses a simple four digit numeric code for their security.

5150d (Guest):

If you can see the reservation they made…. why don’t you just go to the hotel and have security take them down? Do this on video and post it here. Would be quite a post.

CaveDweller (Guest):

Good call. My doctor’s wife is a lawyer, her brother an FBI agent who she called. They arrested the hacker at a hotel. I bet a $10 fine..
CHEERS

Charlie (Guest):

I had my Hilton account hacked also and the points were transferred to Amazon. Spoke to the agent at Hilton for quite a while on the phone; she informed me that they’ve had countless issues with hacked accounts related to Amazon. She was unsure of what the reason was, but it has been very common lately.

Jake (Guest):

Get a password manager if you don’t use one already. I took the plunge with LastPass (free) a few weeks ago and wish I had done this years ago. My Hilton password is a completely unique, crazy long string of characters. It works great on my browser and phone. Big fan and I’m way more secure now.

Alben (Guest):

I’ve had my IHG hacked. All the points drained. IHG restored them in about a week. I can’t believe IHG just requires a 4 digit PIN. Security from the 1980’s.

mark (Guest):

Did anyone suggest calling the police so that they could go pick up the thief at the hotel?

Trackback:

[…] Be careful out there with your Hilton Honors accounts, wow! My Hilton account was hacked…twice. […]

raj (Guest):

Glad it’s not just me.

Someone hacked into my account twice on March 28th. No points used. They are investigating….

Trackback:

[…] than a month ago I reported: My Hilton account was hacked… Twice.  My account hadn’t initially been hacked the traditional way.  That is, no one had hacked […]