Last week, I wrote (access here) about Hilton HHonors account breaches where member accounts were emptied by ordering merchandise using points.
I criticized Hilton for having a very lax online login system that requires a user name OR account number AND a password OR a four-digit PIN. These PINs are not very secure because the majority of people use easy PIN combinations such as 0000 or 1234.
You can access Hilton’s website here.
Now, Hilton HHonors has tried to patch its insecure account login system by adding a CAPTCHA to logins on its website. This is not a requirement in its app, however.
Conclusion
I guess that this is an interim solution for the account breaches that have been happening at an increasing rate as of late. It is not clear whether Hilton HHonors has been breached or whether the hackers are purely using brute-force attacks to guess account number and PIN combinations.
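Two defender-side controls follow from the points above: rejecting the easy PIN combinations at enrollment (the 0000 / 1234 problem) and spotting PIN-guessing in login logs before a CAPTCHA is the only thing standing in the way. The block below is an added example and is not Hilton's code or anything from the original post; the log format, the source addresses, the account numbers and the short blocklist of common PINs are all constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
import re
from collections import Counter, defaultdict

# Constructed illustrative blocklist of PINs people commonly choose; a real
# deployment would use a much larger list derived from breach statistics.
COMMON_PINS = {"0000", "1234", "1111", "2580", "4321", "1212"}


def is_weak_pin(pin: str) -> bool:
    """Return True if a four-digit PIN should be rejected at enrollment.

    Rejects anything that is not exactly four digits, repeated digits (0000),
    straight ascending or descending runs (1234, 9876) and blocklisted PINs.
    """
    if not re.fullmatch(r"[0-9]{4}", pin):
        return True
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    return pin in COMMON_PINS


# Constructed login-audit lines in a hypothetical format: one source address
# hammering a single account, one source spraying several accounts, ordinary
# traffic that should not be flagged, and one malformed line to be skipped.
LOG_LINES = [
    "2024-01-01T10:00:01Z src=203.0.113.5 acct=100001 result=FAIL",
    "2024-01-01T10:00:02Z src=203.0.113.5 acct=100001 result=FAIL",
    "2024-01-01T10:00:03Z src=203.0.113.5 acct=100001 result=FAIL",
    "2024-01-01T10:00:04Z src=203.0.113.5 acct=100001 result=FAIL",
    "2024-01-01T10:00:05Z src=203.0.113.5 acct=100001 result=FAIL",
    "2024-01-01T10:00:06Z src=203.0.113.5 acct=100001 result=FAIL",
    "2024-01-01T10:01:00Z src=198.51.100.7 acct=100002 result=FAIL",
    "2024-01-01T10:01:01Z src=198.51.100.7 acct=100003 result=FAIL",
    "2024-01-01T10:01:02Z src=198.51.100.7 acct=100004 result=FAIL",
    "2024-01-01T10:02:00Z src=192.0.2.9 acct=100005 result=OK",
    "2024-01-01T10:02:05Z src=192.0.2.9 acct=100005 result=FAIL",
    "this line is not in the expected format",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) acct=(?P<acct>\d+) result=(?P<result>OK|FAIL)$"
)


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_brute_force(lines, per_account_limit=5, spray_limit=3):
    """Return (targeted_accounts, spraying_sources), both sorted lists.

    targeted_accounts: accounts with >= per_account_limit failed logins, the
    signature of guessing a PIN against one account.
    spraying_sources: sources with failures against >= spray_limit distinct
    accounts, the signature of trying one common PIN across many accounts.
    """
    fails_per_account = Counter()
    failed_accounts_per_src = defaultdict(set)
    for rec in parse_log(lines):
        if rec["result"] != "FAIL":
            continue
        fails_per_account[rec["acct"]] += 1
        failed_accounts_per_src[rec["src"]].add(rec["acct"])
    targeted = sorted(a for a, n in fails_per_account.items() if n >= per_account_limit)
    sprayers = sorted(
        s for s, accts in failed_accounts_per_src.items() if len(accts) >= spray_limit
    )
    return targeted, sprayers


if __name__ == "__main__":
    for pin in ("0000", "1234", "2580", "7395"):
        print(pin, "weak" if is_weak_pin(pin) else "ok")
    print(find_brute_force(LOG_LINES))
```

The two detections are deliberately separate: a per-account failure counter is what a lockout or CAPTCHA trigger keys on, but it misses an attacker who tries 1234 once against thousands of account numbers, which is exactly why the per-source distinct-account count is tracked as well.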