Hilton accounts used 4-digit PINs. That's not many unique combinations, and Hilton decided it wasn't secure enough.
In February Hilton reached out to let me know that they were moving to passwords. At the time they offered 1,000 points to get you to update your password, but their IT wasn't ready for the announced changes.
On March 12 they said they were ready.
According to Krebs on Security, their password-change process actually created a huge security vulnerability: once you were logged into your own account, you could edit the website's HTML to gain access to any other account.
After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.
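The flaw described above is a missing server-side authorization check: the server acted on whichever account the browser named instead of the account the session had authenticated. The following is an added illustration, not Hilton's code and not from Krebs; it assumes the password-change form carried the member number in an editable field and that the server trusted it, and shows the vulnerable handler next to a corrected one that derives the target from the session and requires the current password.

```python
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    password: str
    email: str


@dataclass
class Session:
    # Set by the server at login; the client never controls this value.
    account_number: str


def make_accounts():
    """Constructed sample data, not real member records."""
    return {
        "1001": Account("1001", "alice-old", "alice@example.com"),
        "1002": Account("1002", "bob-old", "bob@example.com"),
    }


def change_password_vulnerable(accounts, session, form):
    """Trusts the account number submitted with the form (e.g. a hidden field).
    A logged-in user who edits that field resets a different member's password;
    the session is never consulted."""
    target = accounts.get(form["account_number"])
    if target is None:
        return "no such account"
    target.password = form["new_password"]
    return "ok"


def change_password_fixed(accounts, session, form):
    """Binds the operation to the authenticated session. Any client-supplied
    account number must match the session, and the current password is
    required so a hijacked session alone cannot lock the owner out."""
    submitted = form.get("account_number")
    if submitted is not None and submitted != session.account_number:
        return "forbidden"  # worth logging: a mismatch here is a tampering signal
    target = accounts[session.account_number]
    if form.get("current_password") != target.password:
        return "wrong current password"
    target.password = form["new_password"]
    return "ok"
```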
This problem has since been addressed, apparently.