Hackers steal Hilton Hotels' loyalty program reward points


Check your Hilton HHonors account and any credit cards attached to it

If you're a frequent traveler who stays in Hilton hotels and collects reward points through the Hilton HHonors loyalty program, be warned: hackers have managed to access at least some of those accounts, and cash out people's reward points.

In at least some instances, they've also been able to post fraudulent charges on credit cards associated with those Hilton loyalty accounts.

Security blogger Brian Krebs tells the story of Brendan Brothers, a Canadian man who, somewhat ironically, co-owns a software security firm focusing on fraud detection. Brothers checked his Hilton account a few days ago and discovered nearly a quarter-million rewards points had gone missing; the thieves had used them to pay for a half-dozen hotel stays at Hilton properties up and down the East Coast.

After spending all the rewards points in the account, the thieves then used the corporate credit card attached to that account to buy still more reward points for themselves.

Though Brothers is disputing those charges with his credit card company, he says he hasn't heard from Hilton about the fate of his stolen reward points.

Big discount

On Oct. 30, the Loyalty Lobby blog (“Making sense of travel loyalty programs”) reported that hackers were selling compromised HHonors reward points online for a tiny fraction of their non-stolen value: up to 100,000 points for only $4.50.

Krebs checked other online crime forums and calculated that the points stolen from Brothers, which the thieves ultimately used to get about $1,200 worth of hotel stays for themselves, probably would have sold for only about $12.

How did the hackers manage to break into the Hilton accounts in the first place? It's possible that, at least initially, they cracked people's passcodes with a brute-force attack: using software to systematically try every possible password character combination against the login page until the right one is found (hence "brute force"). The shorter and simpler the passcode, the fewer guesses that takes.

But on Oct. 8, Loyalty Lobby reported that Hilton had changed its rewards account login page to include a CAPTCHA field, speculating that the change might have been a response to brute-force password attacks. A CAPTCHA raises the cost of automated guessing rather than eliminating it, and it does nothing to stop a login made with a password the attacker already knows, so its introduction does not by itself rule out accounts being compromised after Oct. 8. It does, however, make mass guessing against the login page much less attractive.
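The attack described above, many failed guesses against one account in a short span followed by a success, is something a site operator can see in its own login logs long before a customer notices missing points. The following is an added example, not code from Hilton, Krebs or Loyalty Lobby, of the detection logic: it parses a constructed sample of login records (the log format, the source addresses and the account names are assumptions made for the example) and flags any source/account pair that racks up a threshold of failures inside a sliding time window, marking the account as likely compromised if a successful login follows the burst.

```python
"""Flag brute-force password guessing in web login logs.

Added illustrative example; not code from Hilton, Krebs or Loyalty Lobby.
The log format, thresholds, addresses and account names are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data, not real log records. Assumed format per line:
#   <ISO-8601 timestamp> src=<client ip> user=<account> result=FAIL|OK
# "alice" is hit with six guesses in four seconds and then logged into;
# "bob" mistypes twice and then gets in; "carol" is guessed at slowly,
# one failure every ten minutes, which a short window will not catch.
SAMPLE_LOG = """\
2014-11-03T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2014-11-03T10:00:02Z src=203.0.113.7 user=alice result=FAIL
2014-11-03T10:00:02Z src=203.0.113.7 user=alice result=FAIL
2014-11-03T10:00:03Z src=203.0.113.7 user=alice result=FAIL
2014-11-03T10:00:03Z src=203.0.113.7 user=alice result=FAIL
2014-11-03T10:00:04Z src=203.0.113.7 user=alice result=FAIL
2014-11-03T10:00:05Z src=203.0.113.7 user=alice result=OK
2014-11-03T10:01:00Z src=198.51.100.9 user=bob result=FAIL
2014-11-03T10:01:20Z src=198.51.100.9 user=bob result=FAIL
2014-11-03T10:01:40Z src=198.51.100.9 user=bob result=OK
2014-11-03T10:10:00Z src=192.0.2.44 user=carol result=FAIL
2014-11-03T10:20:00Z src=192.0.2.44 user=carol result=FAIL
2014-11-03T10:30:00Z src=192.0.2.44 user=carol result=FAIL
2014-11-03T10:40:00Z src=192.0.2.44 user=carol result=FAIL
2014-11-03T10:50:00Z src=192.0.2.44 user=carol result=FAIL
2014-11-03T11:00:00Z src=192.0.2.44 user=carol result=FAIL
"""


@dataclass
class LoginEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed key=value log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(LoginEvent(ts, kv["src"], kv["user"], kv["result"] == "OK"))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(src, user): {"failures": n, "compromised": bool}} for every
    source/account pair that reaches `threshold` failed logins within any
    `window`-long span. A successful login while the burst is still inside
    the window marks the account as likely compromised."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.user)
        q = recent[key]
        # Drop failures that have aged out of the sliding window.
        while q and ev.ts - q[0] > window:
            q.popleft()
        if not ev.ok:
            q.append(ev.ts)
            if len(q) >= threshold:
                if key not in alerts:
                    alerts[key] = {"failures": len(q), "compromised": False}
                else:
                    alerts[key]["failures"] += 1
        else:
            # A success right after a flagged burst is the signature of a
            # guess that landed, not of a user who remembered the password.
            if key in alerts and q:
                alerts[key]["compromised"] = True
            q.clear()
    return alerts


if __name__ == "__main__":
    for (src, user), info in find_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {user}: {info['failures']} failures, "
              f"compromised={info['compromised']}")
```

With the default five-minute window only the burst against "alice" is flagged, and it is marked compromised because the success arrives while the failures are still inside the window. The slow attempts against "carol" only surface when the window is widened to an hour, which is the trade-off a per-window threshold always carries: a patient attacker who spaces guesses out, or spreads them across many source addresses, stays under it, which is why sites also cap total failures per account regardless of time and add friction such as a CAPTCHA or lockout once that cap is reached.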

If you have a Hilton HHonors account, especially one you haven't used recently, check your account status now to make sure the points balance is what you expect, and also review the statements of any credit cards attached to that account, whether to pay for Hilton hotel stays or to buy further reward points, for charges you don't recognize.
