Marriott sent the following email two weeks ago about unauthorized attempts to access some accounts. There has been reports from people who have had their Marriott accounts drained out of points.
What is Marriott doing wrong here?
This is exactly the type of email that someone trying to access your account would send you. It did have my name and it came from an email address that appeared to be from Marriott (marriott-email.com), but then thieves would use similar domain names as well.
You should NEVER click an email that asks you to change your account password unsolicited. Period. Never. If you receive an email like this, you should just open a browser window, type the URL address and then change the password.
Many of the airline and hotel programs have partnerships with merchants for exchanging your points and miles to electronics, although at the very bad value, but the thieves would care less. They can buy the Apple and Sony products using your miles and then resell them for hard cash easily.
It would be ideal to have account specific passwords, but who can remember different password for each and every website that requires them?
Try to be careful with your account passwords and using public computers in airline and hotel lounges to access your accounts is a very bad idea. Some of those machines might have key loggers and other malware installed that can record the typing you do.