Live and Let's Fly
My Hilton Account Was Hacked, Hilton Needs Improvement

Kyle Stewart | Posted on May 12, 2019 | September 14, 2021 | 27 Comments

I have been a Hilton Hotels Diamond in their Honors loyalty program for several years and was horrified to see the telltale signs my account had been hacked. I acted quickly and identified the fraud; it’s a shame Hilton didn’t act as swiftly.



Catching Them Quickly

Hilton sent me an email to let me know my email address on file had changed. My thought process went something like this:

Um, no. I didn’t do that.

Is this a genuine Hilton email? [looked at sender address and logged into account]

NOOOOOOOOO!

The hackers had time to add a new email address. Had I not seen the email come through, it would have likely been too late to stop them before a withdrawal occurred. Checking my email when it chimed was a stroke of convenient luck.

How I Stopped Them

I immediately called Hilton while I logged into my account online. My saved password was still working to that point and while I sat on hold for about two minutes I witnessed the perpetrator’s action as they made adjustments to my account.

I took a screenshot of my balance and explained the issue to the rep. The email address that was added looked similar to others on my file. The domain was USA.com, and this has happened often enough, though with other scams, that USA.com has this statement on the matter. The agent knew what to do, filed the report and stated my account was locked down. I would hear from Hilton’s fraud team the next morning (it was nearly midnight when I called in). Satisfied, I hung up.

Hilton Didn’t Actually Lock The Account

The rep filed the fraud claim but since no points had been stolen yet, there were no notes on the report as it was conveyed to me. I called back in two days later since I had heard nothing. I asked the agent about the fraud report.

“Which reservation in Atlanta tonight is fraudulent?” she asked.

“All of them. What do you mean? My account was locked down since the fraud claim was filed.” I was less than calm at this point.

“Yes of course. So you made the 500,000 point transfer to Points.com and then the two reservations were made?” She asked.

“No. Anything after the point in which I filed the fraud claim and you told me my account was locked down was not me. I was locked out of my account due to the password change.” A silence filled the line for a moment.

She then put me on hold and got a supervisor. Within twenty seconds the line went dead and I waited for them to call me back. By not correctly locking down the account, Hilton exposed themselves to costs that I am not responsible for covering, so what benefit is there in not locking the account down instantly?

The Rep That Got It Right

After twenty minutes I tried them again and got a different representative, Linda. I was irate at this point and she did a great job of both handling my issue and my frustration. Instead of waiting for fraud prevention to reach out, she corrected my email address, reset my password (freezing the fraudsters out of my account) and refunded the spent points, over 600,000 in two days.

Waldorf-Astoria Casa Marina, Key West, FL

She also froze my account successfully (though there was little need to do so at that point) and I continue to await the fraud team to reach out via email (not phone) to open the account back up.

She contacted the hotels that had guests checked in under my account number (they likely checked in with the app). The perpetrators were in the rooms at the time (two Atlanta properties) and the authorities were called while I was on hold.

Hilton Needs To Tighten Security

IHG accounts have been rampantly hit with points theft over the last few years. I’m not going to say it’s because they hate their elites, but I will say that their IT staff probably needs to find something they are good at and do that. IHG passwords are still four-digit pins. That’s it. Hilton doesn’t allow for special characters and limits the length of a password. That should change.

The chain also needs to add two-factor authentication.

In the last couple of weeks, others have reported Hilton account hacks. The first rep could have done all the things the third rep did and stopped Hilton paying out to Points.com and a franchisee for the rooms in Atlanta. Why isn’t there an ability for me to freeze and un-freeze (thaw?) my account myself? Hilton could improve training so that the fraud department may not have to be involved at all.

Hold times on the Diamond Desk were short, just two minutes or so, but why not have a chat feature for account activity issues?

Waldorf-Astoria BKK lobby

The Hilton App Could Help

The App should also issue a notification that says: “Your (X) has changed. If you’ve not requested this change click this link.” Consider for a moment that guests can select their room and use the app and a smartphone as a room key, which may be unlocked by facial recognition or fingerprint. It’s more secure than their password, so why not trust notifications to alert people sooner than email? It seems archaic.

Has this happened to you? What did you do about it? Have you had other accounts hacked and how did you and the brand respond? 


About Author

Kyle Stewart

Kyle is a freelance travel writer with contributions to Time, the Washington Post, MSNBC, Yahoo!, Reuters, Huffington Post, MapHappy, Live And Lets Fly and many other media outlets. He is also co-founder of Scottandthomas.com, a travel agency that delivers "Travel Personalized." He focuses on using miles and points to provide a premium experience for his wife and daughter. Email: sherpa@thetripsherpa.com


27 Comments

  1. Christian
    May 12, 2019 at 2:17 pm

    Did the thieves get arrested? Please say yes.

    • Jamie burgos
      October 24, 2020 at 8:39 am

      Somebody was checking your number my room and it was different credit cards are my girl and they did nothing you know what they did they cancel my account and a frog theme or not even respond to me as a human trafficking or using my counts for something crazy does anybody have any advice because I cannot get past this fraud department they will not write me back and tell me what rules are violated after I complained all the sudden I’m in violation

  2. Thomas
    May 12, 2019 at 2:41 pm

    My password is plenty long and uses special characters so the claim that Hilton doesn’t allow them is incorrect.
    Sorry you had to endure this and glad you shared with us your experience, even as an “it can happen to you” warning.

    • Josh
      May 12, 2019 at 10:07 pm

      I’ve had my Hilton account hacked twice in the past 3 months. Be careful to watch the points balance; now that you can pay for Amazon purchases with HHonors points at 0.5c each, they’ll suck them out via Amazon purchases. I had 21,000+ stolen (and they added not 1, but 3 additional emails and made mine the non-primary)

  3. Tim A
    May 12, 2019 at 3:18 pm

    It’s ironic that as annoying as Hilton is with the recaptchas, they still get hacked. I’ve almost stopped using their website because I’m tired of identifying bicycles and stoplights.

    • Nicole
      May 12, 2019 at 4:39 pm

      Yes and often I have to do it multiple times!

    • Ron
      May 12, 2019 at 5:23 pm

      Same. Super annoying and apparently useless.

    • Peter Dunn
      May 13, 2019 at 11:55 am

      Yes, I spend my life picking out storefronts, bicycles and stop lights. It is a moronic system.

  4. Dustin
    May 12, 2019 at 3:52 pm

    I got an email saying I added my Hilton honors account to my Amazon account. Or something to that effect. Called Hilton about it the day after. They said “everything is fine”. Two days later 550k points were gone.

  5. Michael M
    May 12, 2019 at 4:12 pm

    My account was hacked recently as well, and 500k points were transferred but I was able to catch it. A day later they tried linking it to make an Amazon purchase. The Hilton website said that I should get in touch with Amazon directly. I tried doing so but the first rep did not understand that I was talking about credit card points no matter how many times I explained. The supervisor I asked for did, but said since nothing has been purchased they couldn’t do anything and I had to contact Hilton Honors. So I called Hilton this time and they managed to lock the account and sent me my new account 2 days later and assured me my points were intact. But their responses were so slow over the website and email, and generic templates.

  6. Nicole
    May 12, 2019 at 4:37 pm

    I am a Hilton employee and I have been hacked twice! Once about 2 years ago someone stole my points and transferred them to a 3rd party website where you can redeem loyalty program points or miles for gift cards. I got my points returned the next day and we changed my password and Honors number. Then back in January I went on my app and noticed an upcoming stay for a hotel in Delaware (I live in PA) in June. I was confused because this was booked under my team member discount/website and wasn’t me. I cancelled the reservation and contacted fraud. It took 3 months to get my Hilton Honors app back up and running. My mother and I have both been recently hacked on Amazon.com where random items have been purchased with our card on file and sent to us. Our money was promptly refunded, passwords were changed, and I got a free cheese grater. Lol

  7. SHAWNA Preston
    May 12, 2019 at 5:28 pm

    Interesting. Diamond elite. The system delays the points pulled so we do have time if suspicious activity is claimed. The terms and conditions page which you agree to provides the liability of you the account holder and Hilton, the provider. Read it. So few are aware of its terms. We welcome all communication in resolving fraud. We do take it seriously despite this particular incident from the perspective of the account holder. With over millions of subscribers and enrollees, it’s statistically not 100% fool proof. Nor is any system. We strive though.
    I believe you in making public this snafu and wish to remind folks it’s not the norm. It is the norm to be proactive which sounds like both sides were.

  8. Aztec
    May 12, 2019 at 6:19 pm

    You go back and forth in one paragraph writing of how IHG security is lacking. How does this relate to Hilton security? Are you just referencing another hotel chain to make some point that Hilton should have known better? If so, you should have provided some kind of tie-in or at least some kind of explanation.

    • Richard Allen
      May 12, 2019 at 7:42 pm

      IHG is the parent company of Hilton.

      • Kyle Stewart
        May 12, 2019 at 7:47 pm

        It’s not, but I link to another post where there should be info about the numerous attacks IHG has had and how despite such they continue to use just a four-digit pin that they assign.

  9. Steve
    May 12, 2019 at 6:54 pm

    My account was hacked back in January. Over 1 million points were wiped out in an Amazon purchase. Same thing happened with me, email was changed and account was locked. The odd thing is my account was hacked just days after I booked a hotel stay in Santo Domingo using points. My Hilton Amex wasn’t touched. I contacted Hilton and after 45 minutes on the phone and information verification, they changed my email and we figured out I was hacked.

    It took 3 weeks to get my points back, and they ended up changing my account number, but I really don’t feel like their system is safe.

  10. Paul C.
    May 12, 2019 at 7:08 pm

    My number was linked to someone’s Amazon account and they made purchases totalling 382K points. After contacting fraud and they completed their investigation, my points were refunded after about 12-14 days and issued a new HH number. Got my points back, annoying that all my past stays and point activity history are wiped.

  11. Michael
    May 12, 2019 at 7:39 pm

    I have three letters for Hilton: 2FA

  12. Ed F
    May 12, 2019 at 7:57 pm

    My Hilton password has special characters, not sure where you got the password criteria from.

  13. Silky Johnston
    May 13, 2019 at 11:31 am

    After working for a Hilton property for a LONG time, let it be known that any story that starts with the author stating their “diamond” status in the Hilton honors program ends with them whining incessantly about something until they get their way. I couldn’t even finish reading the article because anyone “smart” enough to make the kinda money it takes to become a diamond member, shouldn’t be STUPID enough to get phished.
    In fact, when did this become news? There was a long to this story on Google NEWS! Almost getting hacked? This just in… Yesterday I ALMOST ate a hamburger, but choose salad instead I ordered a salad…

    • Kyle Stewart
      May 13, 2019 at 11:59 am

      @Silky – Some of your broad assumptions are patently false. Allow me to clarify:

      1) Diamond membership is listed simply to state that I am not new to their system, I know it well. Your inference that I am automatically a guest that will whine “incessantly” is baseless for me personally, but your prejudice perhaps highlights why elite guests need to ask for benefits in the first place.

      2) Anyone “smart” enough doesn’t relate to my personal wealth or lack thereof.

      3) One could be a reasonably paid employee forced to stay out of town for an extended period of time as part of their work with work footing the bill. Again, your suggestion is baseless.

      4) I wasn’t phished. I would never give out my login details, I actually mention in the post (that you didn’t read but still chose to comment on) that I verified the email reset communications were coming from a genuine Hilton address and also that they didn’t ask me to enter a new password then, that the perpetrators had already changed the information, but a smart half-reader like yourself would have known that, right?

      5) I don’t determine what Google defines as news.

      6) My account was actually compromised, not “almost” compromised so I am not sure that your lunch analogy makes any sense.

  14. Santastico
    May 13, 2019 at 1:39 pm

    Same happened to me with IHG. Believe it or not they still use a 4 digit numeric PIN to access accounts. Unbelievable.

  15. SBrady
    June 13, 2019 at 10:17 pm

    Just this week, I had my entire Hilton Honors account (790,000) “linked” to an Amazon account. I did receive the courtesy e-mail from Hilton regarding my Hilton account being linked to an Amazon account. However, the damage had already been done. The customer service with Hilton has been great and they have guaranteed the points will be reimbursed (it just hasn’t happened yet). I am very disappointed that Amazon is doing nothing to ensure the linked accounts are legitimate. If you do a google search on fraudulent linked accounts from Hilton to Amazon, it is obvious this is becoming a huge issue. This is very poor PR for Hilton and Amazon needs to implement a secondary security process for linked accounts.

  16. joe y.
    July 30, 2019 at 12:42 pm

    I don’t understand why this is so difficult for Hilton. Perhaps their CISO or even the CTO/CIO should be fired? It’s 2019, 2FA/MFA have well known design patterns, technologies and commercial solutions. Comprehensive account breach handling procedures can be assembled via google by a motivated intern and written in a simple half page SOP for front line customer reps. There’s really no acceptable excuse for this. Does Hilton need a class action lawsuit or some law enforcement investigation before getting its IT security staff to do their jobs? With the number of security breach related laws at state, federal and international level, I suspect that’s just a matter of time.

  17. Beth
    August 4, 2019 at 8:15 pm

    I have had over a dozen fraudulent reservations made in my name and with my email address. I don’t travel much so I asked Hilton to cancel my Honors account. Someone opened another account in my name and continues to make reservations across the US and around the world. No one at Hilton will help me. I’ve called, chatted, emailed and completed online forms. Nothing from Hilton, except “sorry, we can’t help you”.

    • Kyle Stewart
      August 4, 2019 at 9:30 pm

      Keep trying to get ahold of the fraud department. They can look up the IP address that booked those stays.

  18. Kelz
    August 26, 2021 at 5:48 pm

    Thanks for making this article. This is happening to me currently.

    Hilton has a broken system.

    Somehow these people can access people’s accounts by defeating the password. Change email and phone number and either spend your points if Amazon is linked or make reservations.

    When you contact HH customer care they can’t do anything for you as they use your email and phone number to verify your account. They then tell you to contact: HHFraudProtection@hilton.com who says they take 5 business days to respond. It’s been seven days and nothing.

    The worst part is they don’t lock your account so in the past seven days I’ve had 8 reservations made on my account, 3 on one day and 5 on the other, even though my account has supposedly been suspended since Aug 3rd, 23 days ago.

    Definitely not a fan of Hilton anymore.
