I have been a Hilton Hotels Diamond in their Honors loyalty program for several years and was horrified to see the telltale signs my account had been hacked. I acted quickly and identified the fraud; it’s a shame Hilton didn’t act as swiftly.
Catching Them Quickly
Hilton sent me an email to let me know my email address on file had changed. My thought process went something like this:
Um, no. I didn’t do that.
Is this a genuine Hilton email? [looked at sender address and logged into account]
NOOOOOOOOO!
The hackers had time to add a new email address. Had I not seen the email come through, it would have likely been too late to stop them before a withdrawal occurred. Checking my email when it chimed was a stroke of convenient luck.
How I Stopped Them
I immediately called Hilton while I logged into my account online. My saved password was still working to that point and while I sat on hold for about two minutes I witnessed the perpetrator’s action as they made adjustments to my account.
I took a screenshot of my balance and explained the issue to the rep. The email address that was added looked similar to others on my file. The domain was USA.com; this has happened often enough, with other scams, that USA.com has a statement on the matter. The agent knew what to do, filed the report and stated my account was locked down. I would hear from Hilton’s fraud team the next morning (it was nearly midnight when I called in). Satisfied, I hung up.
Hilton Didn’t Actually Lock The Account
The rep filed the fraud claim, but since no points had been stolen yet, there were no notes on the report as it was conveyed to me. I called back two days later since I had heard nothing. I asked the agent about the fraud report.
“Which reservation in Atlanta tonight is fraudulent?” she asked.
“All of them. What do you mean? My account was locked down since the fraud claim was filed.” I was less than calm at this point.
“Yes of course. So you made the 500,000 point transfer to Points.com and then the two reservations were made?” She asked.
“No. Anything after the point in which I filed the fraud claim and you told me my account was locked down was not me. I was locked out of my account due to the password change.” A silence filled the line for a moment.
She then put me on hold and got a supervisor. Within twenty seconds the line went dead and I waited for them to call me back. By not correctly locking down the account, Hilton exposed themselves to costs that I am not responsible for covering, so what benefit is there in not locking the account down instantly?
The Rep That Got It Right
After twenty minutes I tried again and got a different representative, Linda. I was irate at this point and she did a great job of handling both my issue and my frustration. Instead of waiting for fraud prevention to reach out, she corrected my email address, reset my password (freezing the fraudsters out of my account) and refunded the spent points, over 600,000 in two days.
She also froze my account successfully (though there was little need to do so at that point) and I continue to await the fraud team to reach out via email (not phone) to open the account back up.
She contacted the hotels that had guests checked in under my account number (they likely checked in with the app). The perpetrators were in the rooms at the time (two Atlanta properties) and the authorities were called while I was on hold.
Hilton Needs To Tighten Security
IHG accounts have been rampantly hit with points theft over the last few years. I’m not going to say it’s because they hate their elites, but I will say that their IT staff probably needs to find something they are good at and do that. IHG passwords are still four-digit pins. That’s it. Hilton doesn’t allow for special characters and limits the length of a password. That should change.
The chain also needs to add two-factor authentication.
In the last couple of weeks, others have reported Hilton account hacks. The first rep could have done all the things the third rep did and stopped Hilton paying out to Points.com and a franchisee for the rooms in Atlanta. Why isn’t there an ability for me to freeze and un-freeze (thaw?) my account myself? Hilton could improve training so that the fraud department may not have to be involved at all.
Hold times on the Diamond Desk were short, just two minutes or so, but why not have a chat feature for account activity issues?
The Hilton App Could Help
The app should also issue a notification that says: “Your (X) has changed. If you’ve not requested this change, click this link.” Consider for a moment that guests can select their room and use the app on a smartphone as a room key, which may be unlocked by facial recognition or fingerprint. That is more secure than their password, so why not trust notifications to alert people sooner than email? Email seems archaic.
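The locking policy argued for in the last two sections, as an added illustration that is not Hilton’s or the author’s code: it replays a constructed account event log and applies a rule that notifies on every profile change, refuses value movement within a window after such a change, freezes on a fraud report, and flags anything recorded after the freeze as a control failure. The event names, the 48-hour window and the timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Changes to how the holder is reached or authenticated, or where value can flow
PROFILE_CHANGES = {"email_added", "email_changed", "password_changed",
                   "phone_changed", "partner_link"}
# Events that move value out of the account
VALUE_EVENTS = {"points_transfer", "points_redeemed", "reservation"}
TAINT_WINDOW = timedelta(hours=48)  # assumed policy: a profile change taints the account for 48h

@dataclass
class Event:
    ts: datetime
    kind: str
    detail: str = ""

def assess(events):
    """Replay the log in time order and return (event, verdict) pairs. Verdicts:
    notify (profile change: alert the holder), allow, block_and_freeze (value event
    inside the taint window), freeze (holder filed a fraud report), and
    control_failure (anything recorded after the account should already be frozen)."""
    verdicts, frozen_at, last_change = [], None, None
    for e in sorted(events, key=lambda ev: ev.ts):
        if frozen_at is not None:
            verdicts.append((e, "control_failure"))
        elif e.kind == "fraud_report":
            frozen_at = e.ts
            verdicts.append((e, "freeze"))
        elif e.kind in PROFILE_CHANGES:
            last_change = e
            verdicts.append((e, "notify"))
        elif (e.kind in VALUE_EVENTS and last_change is not None
              and e.ts - last_change.ts <= TAINT_WINDOW):
            frozen_at = e.ts
            verdicts.append((e, "block_and_freeze"))
        else:
            verdicts.append((e, "allow"))
    return verdicts

def sample_log():
    """Constructed log mirroring the post's timeline; timestamps are invented."""
    t0 = datetime(2019, 4, 1, 23, 40)
    return [Event(t0, "email_added", "new address on a usa.com domain"),
            Event(t0 + timedelta(minutes=5), "password_changed"),
            Event(t0 + timedelta(minutes=15), "fraud_report", "holder called in"),
            Event(t0 + timedelta(days=1), "points_transfer", "500,000 to Points.com"),
            Event(t0 + timedelta(days=1, hours=6), "reservation", "Atlanta property 1"),
            Event(t0 + timedelta(days=1, hours=7), "reservation", "Atlanta property 2")]
```

Running `assess(sample_log())` yields two notifications, a freeze at the fraud report, and three control failures for the transfer and reservations that should never have been processed.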
Has this happened to you? What did you do about it? Have you had other accounts hacked and how did you and the brand respond?
Did the thieves get arrested? Please say yes.
Somebody was checking your number my room and it was different credit cards are my girl and they did nothing you know what they did they cancel my account and a frog theme or not even respond to me as a human trafficking or using my counts for something crazy does anybody have any advice because I cannot get past this fraud department they will not write me back and tell me what rules are violated after I complained all the sudden I’m in violation
My password is plenty long and uses special characters so the claim that Hilton doesn’t allow them is incorrect.
Sorry you had to endure this and glad you shared with us your experience, even as a “it can happen to you ” warning.
I’ve had my Hilton account hacked twice in the past 3 months. Be careful to watch the points balance; now that you can pay for Amazon purchases with HHonors points at 0.5c each, they’ll suck them out via Amazon purchases. I had 21,000+ stolen (and they added not 1, but 3 additional emails and made mine the non-primary)
It’s ironic that as annoying as Hilton is with the recaptchas, they still get hacked. I’ve almost stopped using their website because I’m tired of identifying bicycles and stoplights.
Yes and often I have to do it multiple times!
Same. Super annoying and apparently useless.
Yes, I spend my life picking out storefronts, bicycles and stop lights. It is a moronic system.
I got an email saying I added my Hilton honors account to my Amazon account. Or something to that effect. Called Hilton about it the date after. They said “everything is fine”. Two days later 550k points were gone.
My account was hacked recently as well, and 500k points were transferred, but I was able to catch it. A day later they tried linking it to make an Amazon purchase. The Hilton website said that I should get in touch with Amazon directly. I tried doing so but the first rep did not understand that I was talking about credit card points no matter how many times I explained. The supervisor I asked for did, but said since nothing had been purchased they couldn’t do anything and I had to contact Hilton Honors. So I called Hilton this time and they managed to lock the account, sent me my new account 2 days later and assured me my points were intact. But their responses were so slow over the website and email, and generic templates.
I am a Hilton employee and I have been hacked twice! Once about 2 years ago someone stole my points and transferred them to a 3rd party website where you can redeem loyalty program points or miles for gift cards. I got my points returned the next day and we changed my password and Honors number. Then back in January I went on my app and noticed an upcoming stay for a hotel in Delaware (I live in PA) in June. I was confused because this was booked under my team member discount/website and wasn’t me. I cancelled the reservation and contacted fraud. It took 3 months to get my Hilton Honors app back up and running. My mother and I have both been recently hacked on Amazon.com where random items have been purchased with our card on file and sent to us. Our money was promptly refunded, passwords were changed, and I got a free cheese grater. Lol
Interesting. Diamond elite. The system delays the points pulled so we do have time if suspicious activity is claimed. The terms and conditions page which you agree to provides the liability of you, the account holder, and Hilton, the provider. Read it. So few are aware of its terms. We welcome all communication in resolving fraud. We do take it seriously despite this particular incident from the perspective of the account holder. With over millions of subscribers and enrollees, it’s statistically not 100% foolproof. Nor is any system. We strive though.
I believe you in making public this snafu and wish to remind folks it’s not the norm. It is the norm to be proactive which sounds like both sides were.
You go back and forth in one paragraph writing of how IHG security is lacking. How does this relate to Hilton security? Are you just referencing another hotel chain to make some point that Hilton should have known better? If so, you should have provided some kind of tie-in or at least some kind of explanation.
IHG is the parent company of Hilton.
It’s not, but I link to another post where there should be info about the numerous attacks IHG has had and how despite such they continue to use just a four-digit pin that they assign.
My account was hacked back in January. Over 1 million points were wiped out in an Amazon purchase. Same thing happened with me, email was changed and account was locked. The odd thing is my account was hacked just days after I booked a hotel stay in Santo Domingo using points. My Hilton Amex wasn’t touched. I contacted Hilton and after 45 minutes on the phone and information verification, they changed my email and we figured out I was hacked.
It took 3 weeks to get my points back, and they ended up changing my account number, but I really don’t feel like their system is safe.
My number was linked to someone’s Amazon account and they made purchases totalling 382K points. After contacting fraud and they completed their investigation, my points were refunded after about 12-14 days and I was issued a new HH number. Got my points back; annoying that all my past stays and point activity history are wiped.
I have three letters for Hilton: 2FA
My Hilton password has special characters, not sure where you got the password criteria from.
After working for a Hilton property for a LONG time, let it be known that any story that starts with the author stating their “diamond” status in the Hilton honors program ends with them whining incessantly about something until they get their way. I couldn’t even finish reading the article because anyone “smart” enough to make the kinda money it takes to become a diamond member, shouldn’t be STUPID enough to get phished.
In fact, when did this become news? There was a long to this story on Google NEWS! Almost getting hacked? This just in… Yesterday I ALMOST ate a hamburger, but choose salad instead I ordered a salad…
@Silky – Some of your broad assumptions are patently false. Allow me to clarify:
1) Diamond membership is listed simply to state that I am not new to their system, I know it well. Your inference that I am automatically a guest that will whine “incessantly” is baseless for me personally, but your prejudice perhaps highlights why elite guests need to ask for benefits in the first place.
2) Anyone “smart” enough doesn’t relate to my personal wealth or lack thereof.
3) One could be a reasonably paid employee forced to stay out of town for an extended period of time as part of their work with work footing the bill. Again, your suggestion is baseless.
4) I wasn’t phished. I would never give out my login details, I actually mention in the post (that you didn’t read but still chose to comment on) that I verified the email reset communications were coming from a genuine Hilton address and also that they didn’t ask me to enter a new password then, that the perpetrators had already changed the information, but a smart half-reader like yourself would have known that, right?
5) I don’t determine what Google defines as news.
6) My account was actually compromised, not “almost” compromised so I am not sure that your lunch analogy makes any sense.
Same happened to me with IHG. Believe it or not they still use a 4 digit numeric PIN to access accounts. Unbelievable.
Just this week, I had my entire Hilton Honors account (790,000) “linked” to an Amazon account. I did receive the courtesy e-mail from Hilton regarding my Hilton account being linked to an Amazon account. However, the damage had already been done. The customer service with Hilton has been great and they have guaranteed the points will be reimbursed (it just hasn’t happened yet). I am very disappointed that Amazon is doing nothing to ensure the linked accounts are legitimate. If you do a google search on fraudulent linked accounts from Hilton to Amazon, it is obvious this is becoming a huge issue. This is very poor PR for Hilton and Amazon needs to implement a secondary security process for linked accounts.
I don’t understand why this is so difficult for Hilton. Perhaps their CISO or even the CTO/CIO should be fired? It’s 2019, 2FA/MFA have well known design patterns, technologies and commercial solutions. Comprehensive account breach handling procedures can be assembled via google by a motivated intern and written in a simple half page SOP for front line customer reps. There’s really no acceptable excuse for this. Does Hilton need a class action lawsuit or some law enforcement investigation before getting its IT security staff to do their jobs? With the number of security breach related laws at state, federal and international level, I suspect that’s just a matter of time.
I have had over a dozen fraudulent reservations made in my name and with my email address. I don’t travel much so I asked Hilton to cancel my Honors account. Someone opened another account in my name and continues to make reservations across the US and around the world. No one at Hilton will help me. I’ve called, chatted, emailed and completed online forms. Nothing from Hilton, except “sorry, we can’t help you”.
Keep trying to get ahold of the fraud department. They can look up the IP address that booked those stays.
Thanks for making this article. This is happening to me currently.
Hilton has a broken system.
Somehow these people can access people’s accounts by defeating the password, change the email and phone number, and either spend your points if Amazon is linked or make reservations.
When you contact HH customer care they can’t do anything for you as they use your email and phone number to verify your account. They then tell you to contact: HHFraudProtection@hilton.com who says they take 5 business days to respond. It’s been seven days and nothing.
The worst part is they don’t lock your account, so in the past seven days I’ve had 8 reservations made on my account, 3 on one day and 5 on the other, even though my account has supposedly been suspended since Aug 3rd, 23 days ago.
Definitely not a fan of Hilton anymore.