Hackers hijack Starwood Preferred Guest loyalty programs

Photo credit: Starwood Hotels

Another example why you should always use a different password for every important account

Pretty much any collection of online security tips will remind you not to use the same password across multiple accounts, and this week's news that scammers have managed to hijack and steal points from large numbers of Starwood Preferred Guest loyalty accounts offers another example of why.

Security blogger Brian Krebs reported today that he'd personally heard complaints from two of his readers whose SPG accounts had been hijacked. As Krebs diplomatically explained: “The spike in fraud appears to be tied to a combination of password re-use and the release of [a] tool that automates the checking of account credentials at the Web site for the popular travel rewards program.”

About a week ago, some anonymous member of an English-language hackers' forum released a free, Starwood-specific bit of software enabling would-be thieves to automatically check stolen credentials from other accounts against Starwood's.

When hackers successfully steal the password to one of your accounts, they'll try plugging that password into your other accounts on the off-chance it will work. And, as news reports like this indicate, it all-too-often does. Barely two weeks ago, hackers used passwords taken from other accounts to steal frequent-flyer miles from United and American Airlines passengers. Last autumn, up to 7 million Dropbox customers had their accounts hacked (and documents compromised) the same way.
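The pattern described above has a recognizable signature on the defender's side: an automated checker produces a burst of failed logins from one source spread across many different accounts, which looks nothing like one legitimate user mistyping a password. The following Python is an added example, not code from the article or from Starwood, and it assumes a constructed log format (`<timestamp> ip=<addr> user=<account> result=<ok|fail>`) and constructed sample lines; the thresholds are illustrative and would need tuning to real traffic.

```python
"""Flag sources that behave like an automated credential checker.

Added example; the log format and sample lines below are constructed, not
taken from any real system. A credential-stuffing run shows up as many
failures from one source against many distinct accounts in a short window,
and any successful logins from that same source are the hijack candidates
worth reviewing.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample log. 203.0.113.7 tries many accounts in seconds;
# 198.51.100.4 is one user fumbling a single password (both addresses are
# from documentation-only ranges).
SAMPLE_LOG = """\
2015-01-20T10:00:01 ip=203.0.113.7 user=alice result=fail
2015-01-20T10:00:02 ip=203.0.113.7 user=bob result=fail
2015-01-20T10:00:02 ip=203.0.113.7 user=carol result=ok
2015-01-20T10:00:03 ip=203.0.113.7 user=dave result=fail
2015-01-20T10:00:03 ip=203.0.113.7 user=erin result=fail
2015-01-20T10:00:04 ip=203.0.113.7 user=frank result=fail
2015-01-20T10:00:05 ip=203.0.113.7 user=grace result=fail
2015-01-20T10:01:00 ip=198.51.100.4 user=heidi result=fail
2015-01-20T10:01:20 ip=198.51.100.4 user=heidi result=fail
2015-01-20T10:01:45 ip=198.51.100.4 user=heidi result=ok
"""


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; skip non-matching lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        yield datetime.fromisoformat(ts), ip, user, result == "ok"


def find_stuffing_sources(text, window=timedelta(minutes=5),
                          min_failures=5, min_accounts=5):
    """Return {ip: summary} for sources whose failures inside some sliding
    window number at least `min_failures` and touch at least `min_accounts`
    distinct accounts. The summary also lists accounts the source logged
    into successfully, since those are the ones to review for hijacking."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(ts, user) for ts, user, ok in events if not ok]
        best = None  # (failure count, accounts) for the densest qualifying window
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            span = failures[start:end + 1]
            accounts = {u for _, u in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(span) > best[0]:
                    best = (len(span), accounts)
        if best:
            flagged[ip] = {
                "failures": best[0],
                "accounts_tried": sorted(best[1]),
                "successful_logins": sorted({u for _, u, ok in events if ok}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 is flagged: six failures against six different accounts within a few seconds, plus one successful login (carol) that deserves a look. The single user retrying one password from 198.51.100.4 is not flagged, which is the distinction a per-IP lockout rule alone would miss.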

Thus far, it's not known how many SPG accounts have been compromised, but if you have such an account, with a shared password, you definitely should log in and check your account status at once. Or at least try to; if your account is among the hijacked ones, chances are you won't be able to access it at all.

Points for sale

Krebs notes that less than 24 hours after that anonymous hacker-helper released the Starwood account-checking tool on the hackers' forum, forum members were offering to sell compromised Starwood account info at prices that are, quite literally, a steal: a Starwood account with 70,000 points selling for $3, another account with 40,000 points going for $1.50.

According to a tutorial posted on the forum, hijacked account buyers “cash out” their purchases by creating new Starwood accounts and then forcing the hijacked account to transfer its account balance to the new account. The reward points are then exchanged for gift cards that can be used as cash.

Starwood does offer customers the option to receive email or text message alerts when account changes are made. But the tutorial on Leakforums encourages buyers to change the email address, password and other contact information on the victim’s account, effectively locking out the legitimate user.

However, there is good news for Starwood account holders: a Starwood executive said that any points lost to fraud will be refunded. Meanwhile, whether you have a Starwood Preferred Guest account or not, take this story as another reminder not to use the same password for more than one account — especially not accounts with actual monetary value.