Changed Your Password for 1000 Hilton Points? You Could Have Taken Control Of Anyone’s HHonors Account.

by Gary Leff

United, American, and Hilton all suffered recent data breaches. Indeed, Hilton points have been among the most available for sale on the DarkNet.

Hilton accounts used 4-digit PIN numbers. That’s not a lot of unique combinations, and Hilton decided that’s not secure enough.

In February Hilton reached out to let me know that they’re moving to passwords.. At the time they offered 1000 points to get you to update your password. But their IT wasn’t ready for their announced changes.

On March 12 they said they were ready.

According to Krebs on Security their password change process actually created a huge security vulnerability. Once you logged into your account you could change the HTML code of the website to gain access to any account.

After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.

This problem has since been addressed, apparently.

(HT: @jayhawknj)

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Comments

  1. Is there a lag in getting the points? I changed my password about a week ago but still haven’t gotten my 1,000 points . . .

  2. My HHonors accounts’ PIN was auto-assigned and it was the first four digits of my account number. Not exactly smart.

  4. @Richard – I changed my password on the 12th (after Gary posted that HH was ready for the change but before the pop-up notice appeared on the HH website), and haven’t received my points yet. According to the @HiltonHHonors twitter folks, it could take 6 to 8 weeks. I don’t know if it’ll really take that long, or if they’re just saying that so people don’t complain.

  5. Why didn’t you tell us before the mistake was corrected, like you do with mistake air fares, so we could take advantage of this situation too?

Comments are closed.