The Hilton HHonors Hack: Loyalty Programs Under Siege and How to Protect Yourself

NEW YORK (MainStreet) - Business traveler online message boards have been on fire in recent days as members of the Hilton HHonors program post that their accounts have been hacked and their valuable points stolen.  

Huge buckets of Hilton points - sometimes in the hundreds of thousands - have shown up in hacker bazaars, where one vendor, for instance, offered 250,000 points for $3.50. At the Hilton shopping mall, an Apple iPad Air 64G is yours for 489,000 points - so at that criminal exchange rate, maybe $7 (payable in Bitcoin) will grab it. There are other, reported cases where around $10 in Bitcoin bought enough points to claim over $1,000 in hotel room nights.


WATCH: More personal finance videos on TheStreet TV | Questions abound: Who's behind this hack? Is Hilton HHonors now safe? And maybe the most worrisome question - are other loyalty programs also vulnerable?

Know this: loyalty programs, for their active members, are viewed as a currency with at least as much reality - in users' minds - as crypto currencies such as Bitcoin.

That makes the how of the attack particularly worrisome, said Ken Westin, an analyst with security company Tripwire. He explained that apparently the hackers - who may have been so-called "script kiddies," that is, technologically unsophisticated criminals who buy the programs they need to hack into a site - acquired user IDs of Hilton HHonors members, then used brute force attacks to guess the PIN. Hilton HHonors PINs are four digits, so, mathematically, it is not a daunting task for a machine to muscle its way in.

Hilton has not commented on the mechanics of the hack. However, in early October, the company did install CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart - on the HHonors log-in page. CAPTCHA usually is said to be the cheapest and most straightforward way to attempt to thwart brute force attacks.

As for what Hilton has said on the record, it is that "a small number of member accounts were impacted and we have reimbursed any points they lost," said a spokesperson.

A source who claimed knowledge about the hack said that perhaps 1,600 HHonors accounts were taken over. Other sources said they believed many more accounts than that have been compromised. Either way, however, remember, the program has upwards of 42 million members, and nobody believes more than a sliver were taken over. 

But Westin has worse news. According to him, few - maybe none - of the many loyalty programs we all belong to have better than marginal security features. That means hotel, airline, even drugstore and fast food loyalty programs.

"When companies don't have to put money into security, most don't," said Westin. He elaborated that - although avid members see their points as cash equivalent - there are no government mandated security requirements (as there are for safeguarding credit card data, for instance).

"Hackers will go after other loyalty programs," said Westin. "This is low hanging fruit. I will be willing to bet we will see similar attacks."

What do you need to do to protect your piles of points at HHonors and elsewhere? Advice for HHonors members from Josh Chin, executive director at cybersecurity company Net Force, is change your password now. Don't dawdle.

Chin, who identified himself as an HHonors member (although he said his account was not compromised), added: "If HHonors customers used the same password for the email account associated with their HHonors account, they need to change their password to a unique password." In other words assume your HHonors account has been compromised. It almost certainly has not been but assume the worst and take the steps needed to protect yourself.

Chin also advised monitoring account activity and of course blowing the whistle if you see unauthorized purchases. That's crucial. Most of us eyeball loyalty programs only when we are hoping to cash in points for an award - and that may be every few years in some cases. But the loyalty programs, sources said, are relying on impacted members to detect theft and to howl accordingly. So do just that.

When you've done that at Hilton, cycle over to Starwood, Marriott, American Airlines, United Air, and all the other loyalty programs you belong to. Change passwords and - importantly - use different passwords at each site. In an age of hacks, compromise has to be anticipated and you don't want one hack to unlock all your secrets which is what will happen when a password is used over and again.

That's because the takeway message from the HHonors hack is that criminals have figured out what the rest of have known for years: there's real value to be had in loyalty programs.

-Written by Robert McGarvey for MainStreet

More from Credit Cards

What Is the Prime Rate? Definition, History and Rate in 2018

What Is the Prime Rate? Definition, History and Rate in 2018

How to Make a Budget: 7 Easy Steps to Use Now

How to Make a Budget: 7 Easy Steps to Use Now

13 Money-Saving Apps That Put More Into Your Wallet

13 Money-Saving Apps That Put More Into Your Wallet

Protect Yourself From These 6 IRS Tax Scams in 2018

Protect Yourself From These 6 IRS Tax Scams in 2018

12 Simple Ways to Improve Your Credit Score in 2018

12 Simple Ways to Improve Your Credit Score in 2018