LoyaltyLobby
Hilton HHonors Password Breaches Continue (Change Yours Again!)

by John Ollila
March 23, 2015
Reading Time: 3 mins read

Hilton HHonors has had serious issues with its website security, which have resulted in many members finding that their accounts have been emptied of points, usually redeemed for merchandise.


Hilton first introduced a CAPTCHA to combat the automated bots and then decided to ditch the four-digit PINs that members had used to access their accounts. Hilton even offered 1,000 points to members who changed their password.

Here are previous articles about the Hilton HHonors account breaches:


Hilton HHonors Account Breaches? (Accounts Emptied For Merchandise)

Hackers Selling Compromised Hilton HHonors Accounts Online

Hilton HHonors Tries To Combat Account Breaches By Adding CAPTCHA

Message To Hilton: I Am Not A Robot!

Hilton HHonors Dropping PINs & 1,000 Points For Updating Password February 19 – March 8, 2015

Now KrebsOnSecurity, a website that covers online security breaches, has reported an additional security flaw that Hilton had as recently as last week.

As long as you had successfully logged in to your own account, you could then access any other HHonors member's account, change its password and use the points any way you saw fit. Hilton has apparently closed this flaw, but there may be others.

Here’s an excerpt from the KrebsOnSecurity piece, which you can access here:

The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder, respectively, at security consulting and testing firm Bancsec. The two found that once they’d logged into a Hilton Honors account, they could hijack any other account just by knowing its account number. All it took was a small amount of changing the site’s HTML content and then reloading the page.

After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.

I saw this vulnerability in action after giving Snyder and Potter my own Hilton Honors account number, and seconds later seeing screen shots of them logged into my account. Hours after this author alerted Hilton of the discovery, the Hilton Honors site temporarily stopped allowing users to reset their passwords. The flaw they discovered now appears to be fixed.

“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.”

Snyder said the problem stemmed from a common Web application weakness called a cross-site request forgery (CSRF) vulnerability, a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
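The behaviour described above (log in as yourself, edit an account number in the page, reload, and act on someone else's account) is what happens when a server checks only that a request comes from *some* logged-in session and then trusts the account number the browser supplies. The following is an added illustration written for this post, not Hilton's code or anything from the KrebsOnSecurity article; the account numbers, balances and the `login`, `vulnerable_reset_password` and `hardened_reset_password` names are constructed. It contrasts the flawed pattern with a handler that derives the target account from the server-side session and also validates a per-session CSRF token, since that is the weakness the excerpt names:

```python
import hmac
import secrets

# Constructed sample accounts (hypothetical numbers and balances, not real data).
ACCOUNTS = {
    "100001": {"owner": "alice", "points": 52000, "password_reset": False},
    "100002": {"owner": "bob", "points": 8000, "password_reset": False},
}

# Server-side session store: session id -> account bound at login plus a CSRF token.
SESSIONS = {}


class Forbidden(Exception):
    """Raised when a request fails authentication, CSRF validation or authorization."""


def login(account_number: str) -> str:
    """Issue a session for an account. Password verification is assumed to have
    happened already; this only models what the server remembers afterwards."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {
        "account": account_number,
        "csrf": secrets.token_urlsafe(16),
    }
    return session_id


def vulnerable_reset_password(session_id: str, form: dict) -> str:
    """Flawed pattern: the handler confirms that someone is logged in, then acts
    on whatever account number the browser posted. Any authenticated member can
    therefore reset any other member's password just by editing that field."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    target = form["account"]  # client-controlled and never compared to the session
    ACCOUNTS[target]["password_reset"] = True
    return target


def hardened_reset_password(session_id: str, form: dict) -> str:
    """Fixed pattern: the target account comes from the server-side session, the
    client-supplied value is only cross-checked against it, and the form must carry
    the per-session CSRF token so a third-party page cannot submit it on the
    member's behalf."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise Forbidden("not logged in")
    # CSRF check: constant-time comparison of the posted token with the session's token.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        raise Forbidden("missing or invalid CSRF token")
    # Object-level authorization: the session, not the form, decides which account is touched.
    if form.get("account") != session["account"]:
        raise Forbidden("account does not belong to this session")
    ACCOUNTS[session["account"]]["password_reset"] = True
    return session["account"]


if __name__ == "__main__":
    alice = login("100001")
    # Alice's session with Bob's account number: accepted by the flawed handler,
    # refused by the fixed one.
    print("vulnerable handler acted on:", vulnerable_reset_password(alice, {"account": "100002"}))
    try:
        hardened_reset_password(alice, {"account": "100002", "csrf": SESSIONS[alice]["csrf"]})
    except Forbidden as exc:
        print("hardened handler refused:", exc)
```

The point of the hardened version is that the account identifier in the request is never the source of truth; the session the server issued at login is. That is the check to look for in any "change password", "redeem points" or "view profile" endpoint, and it is separate from (and not replaced by) the CSRF token, which only stops a foreign page from submitting the form in the member's browser.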

Conclusion

Let’s hope that Hilton has finally patched its website and that further password changes will not be required.

Site & Contents ©2011-2022 LoyaltyLobby.com
Terms of Use & Privacy Policy
