Hilton HHonors Password Breaches Continue (Change Yours Again!)


Hilton HHonors has had serious issues with their website security that has resulted many members find that their accounts have been cleared out of points usually for merchandise.

Hilton HHonors Password Breaches Continue (Change Yours Again!)

Hilton first introduced CAPTCHA to combat the automated bots and then decided to ditch all the four number PINs that members have uses to access their accounts. Hilton even offered 1,000 points for members that change their password.

Here are previous articles about the Hilton HHonors account breaches:

Hilton HHonors Account Breaches? (Accounts Emptied For Merchandise)

Hackers Selling Compromised Hilton HHonors Accounts Online

Hilton HHonors Tries To Combat Account Breaches By Adding CAPTCHA

Message To Hilton: I Am Not A Robot!

Hilton HHonors Dropping PINs & 1,000 Points For Updating Password February 19 – March 8, 2015

Now, KrebsonSecurity, website that deals with online security breaches, has reported an additional security flaw that Hilton had as recently as past week.

As long as you successfully logged to your account, you could then access any other HHonors member account, change the password and use the points the any way you saw fit. Hilton has apparently closed this flaw, but there may be others.

Here’s an excerpt from the KrebsonSecurity piece that you can access here:

The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder, respectively, at security consulting and testing firm Bancsec. The two found that once they’d logged into a Hilton Honors account, they could hijack any other account just by knowing its account number. All it took was a small amount of changing the site’s HTML content and then reloading the page.

After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.

I saw this vulnerability in action after giving Snyder and Potter my own Hilton Honors account number, and seconds later seeing screen shots of them logged into my account. Hours after this author alerted Hilton of the discovery, the Hilton Honors site temporarily stopped allowing users to reset their passwords. The flaw they discovered now appears to be fixed.

“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.”

Snyder said the problem stemmed from a common Web application weakness called a cross-site request forgery (CSRF) vulnerability, a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.


Let’s hope that Hilton would have finally patched their website and that further password changes would not be required.