Update On My Hacked IHG Account

Last week I wrote about how I discovered that my IHG account had been hacked and almost 80,000 points were stolen. The agent on the phone told me that my account would be disabled for three to five business days while they investigated the incident.

The fraudulent redemptions on my IHG account

Sure enough, five days after that, they called me and told me that they restored the lost points in my account and were ready to reactivate it. They recommended that I change the e-mail address associated with the account, so I gave them a new one. I logged in and saw that my points were back.

Additional response from IHG

A couple hours later, I received an email from a person at IHG with the title “Executive Liaison.” It said:

Greetings from the Executive Office of IHG. The matter regarding the activity within your IHG Rewards Club Platinum Elite account has been forwarded to my attention for review.

I’m sorry that I wasn’t able to speak with you. I called your phone number but couldn’t reach you or leave a message. Programs such as IHG Rewards Club are occasionally the target of fraud. IHG takes the security of our members very seriously, and we implement active steps in order to maintain that security for our members and to prevent any loss. When a potential concern is brought to our attention, we take immediate action to protect both IHG and our members. Our standard protocol is for our internal Fraud department to complete an audit. While I understand your desire for additional information, we are unable to confirm any specific details of our investigations.

Moving forward, I do apologize for the delay in response from our Rewards Club center after your call about the activity in your account. I’m glad you were able to speak with our Rewards Club office earlier today to change your email address and PIN, in addition to being advised of your points being returned and your account re-opened. Because of the frustration caused by the delayed response in gaining access to your account, I’ve deposited 15,000 points into your account. I know you would have preferred to have had access to your account and the points you’ve earned sooner, and for that I apologize. We do encourage you to ensure your IHG account is linked to a secure email address with 2 factor security authentication enabled, and that the security of your PIN is safeguarded.

If you want to discuss your concerns about this situation in more detail, please feel free to contact me at xxx-xxx-xxxx. I’m available Monday through Friday, 9 AM to 6 PM, Mountain Standard Time. In the event that I’m unavailable, please leave a message with your number and time when I can reach you.

Thank you for being an IHG Rewards Club Platinum Elite member. I hope we have the opportunity to host you as our guest soon.

Overall I was impressed with this response – 15,000 points was a nice show of good will, especially considering that I never complained to IHG about the length of time my account was frozen (it was less than a week, and that doesn’t seem unreasonable to me).

The ongoing concern

As many people pointed out in the comments of my previous post, the area where IHG really needs to improve is in account security. A few of the areas where IHG doesn’t seem to follow best practices are:

  • A four-digit PIN serves as your password, and you can log in with just the PIN and your account number or the email associated with your account
  • IHG doesn’t send an email to your previous e-mail address when the e-mail address associated with your account is updated
  • When you reset your PIN, they email a new PIN to you, meaning that if you don’t change it, your IHG account is vulnerable if your email is hacked

IHG login screen
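
Each of the three gaps listed above has a standard server-side counterpart: a cap on failed guesses, a notice to the previous address when the email changes, and a single-use expiring reset link instead of an emailed PIN. The Python below is an added example, not code from this post or from IHG; the `Account` class, its method names, the policy constants and the `outbox` list standing in for a mailer are all assumptions.

```python
import hashlib, hmac, secrets, time

MAX_FAILURES, LOCK_SECONDS, RESET_TTL = 5, 900, 600   # assumed policy values

def _digest(token):
    return hashlib.sha256(token.encode()).digest()

class Account:  # hypothetical model; outbox stands in for a real mailer
    def __init__(self, email, secret):
        self.email, self.salt = email, secrets.token_bytes(16)
        self.secret_hash = self._hash(secret)
        self.failures, self.locked_until = 0, 0.0
        self.reset, self.outbox = None, []

    def _hash(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)

    def login(self, secret, now=None):
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False                      # locked: reject even a correct secret
        if hmac.compare_digest(self._hash(secret), self.secret_hash):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:     # cap guesses per lockout window
            self.failures, self.locked_until = 0, now + LOCK_SECONDS
            self.outbox.append((self.email, "locked after repeated failed logins"))
        return False

    def change_email(self, new_email):
        old, self.email = self.email, new_email
        # Tell the previous address too, so the real owner sees a takeover.
        self.outbox.append((old, f"account email changed to {new_email}"))
        self.outbox.append((new_email, "this address is now on the account"))

    def start_reset(self, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)     # emailed as a link, never a new PIN
        self.reset = (_digest(token), now + RESET_TTL)
        return token

    def finish_reset(self, token, new_secret, now=None):
        now = time.time() if now is None else now
        pending, self.reset = self.reset, None    # single use, even on failure
        ok = bool(pending) and now <= pending[1] and hmac.compare_digest(_digest(token), pending[0])
        if ok:
            self.secret_hash = self._hash(new_secret)
        return ok
```

A per-account cap like this limits guesses against one account only, so it complements a longer secret rather than replacing one.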

Is it really cheaper for IHG to keep restoring points stolen from breached accounts than it would be for them to just invest in better account security? Haven’t high-profile breaches at companies like Target and Equifax taught organizations that data security is a worthwhile investment?

C’mon, IHG.

How can you protect yourself?

A few people in the comments on last week’s post mentioned AwardWallet, which notifies you when a redemption has been made on any of your linked accounts. That’s a good way to keep track of fraudulent activity across all your loyalty accounts.

You should also try to log into your accounts every month or so (had I done that, I would have caught this sooner), and change your PIN every now and then.

Do you have any other suggestions for how to safeguard your travel accounts from unauthorized access?

Conversations (32)

  1. alex Guest

    Why not add 2FA? Password alone is not secure enough.

  2. Keyser Soze New Member

    And, just in case anyone thinks that (ss7-dependent) two-factor authentication implementations are a panacea, here’s one article on why they’re not, written in 2017 no less:

    https://arstechnica.com/information-technology/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/

  3. Mike Borgen Guest

    IHG account illegally locked.

  4. Mike Borgen Guest

    My IHG account was hacked. They restored my points but now say my account has been locked.
    How can we start a class action lawsuit against them?

  5. Koldinkanada Guest

    The 4 pin password is as everyone said a joke in today's cyber security world of anti-hacking. I read some place that a combination of caps and numbers takes 300 years to crack vs a few hours for a 4 pin password. (I could be wrong about the 300 years but it is very very long).
    IHG could easily change it. Other hotel chains have done so.

  6. Ken Guest

    @EVR you must be stupid. Award wallet lets you store your pw on your computer, but they still see it, it's being used on their website and servers. It's up to you, if you like to be risky, and roll the dice. There's no guarantee that there won't be a breach on their servers. Anytime you leave allow access whether local or directly on third party servers, you are setting yourself up for failure. and when your account gets hacked, you have no one else to blame but yourself.

  7. EVR Guest

    Lol. The TYPOS. Sorry all. Forgot to check for autocorrect issues

  8. EVR Guest

    @ken - Sorry. Your post is misleadinf as tour information is only half right. Award wallet allows you to store your passwords on your computer or with them. Obviously and for the reasons you mentioned, keeping them on your own computer is the only choice.

  9. Emirates4Ever Guest

    @Frank - that's because you are not a famous travel blogger who can thrash a company's reputation lol

  10. Ken Guest

    Award Wallet was the primary source of how my hotel pts were hacked!!!!!! don't blindly trust a 3rd party vendor to keep track of your pts. trust me, you are at their mercy if something goes wrong or if their website gets hacked.

  11. Janet Guest

    Well, one up for World of Hyatt. Whenever you redeem points they immediately send you an email of the activity on your account.

  12. Henry Young Guest

    Plus there are stats out there on the most popular 4 digit PIN codes out there ...

  13. Henry Young Guest

    Seems quite possible to write a script that iterates through all 9999 PIN codes until hitting the correct guess. IHG is one of the LEAST secure accounts/sites anywhere on the web !!!

  14. Rick Guest

    Ya, 4-digit pin for a password and they take security seriously. Seriously??? With a 4-digit number for password security, I wonder how many seconds it takes to hack an account. Damn, even my bank has graduated to eight digits. C'mon IHG get with it!

  15. Neville Guest

    Are you going to contact Executive Office about the points you made about security?

  16. Chris W. Guest

    Good you have access again. But without a new IHG number you will be hacked again. It's just 9999 combinations and brute force is easy.

    My old account was hacked 3x before I got a new one, each time 900k-1M points gone. They use it to buy gift cards, flights but also hotels (I had new bookings I didn't do).

    My new account is OK now, only I get newbie accelerate offers. But was compensated more as just 15k points.

    My trust in IHG there. Not the safety though. Hope they change it soon.

  17. Brett Guest

    Question.... who is stealing these points? It seems that staying in a hotel, where ID is required, isn’t the best idea. Are people using fake IDs? Do they not fear being caught?

    Or is there a more elaborate scam going on...maybe a shady OTA or travel agent taking advance payment for a room and booking it with stolen points?

  18. Gounadave Guest

    Inside job? Like I gave someone access to my account to scam the hotel company? That's laughable. I have no idea where the redeemed points were spent and I'm sure Hilton know that ... Or you mean employees inside the hotel companies? I really doubt that too. With the pathetic security requirements to most rewards programs it's no surprise it's a soft target for cyber hackers. It's up to the hotel chains to up their security systems.

  19. Steve Guest

    My guess is these are all inside jobs.

  20. Gounadave Guest

    My Hilton account was hacked at the beginning of April. I had a new account within a couple of hours and 80K goodwill points on top of the lost points.

    IHG are unbelievably stingy in all aspects of their rewards programme recently, to the point where I feel that they think that they are doing you a favour by letting you be a member.
    I have shifted my business away accordingly.

  21. Alan Guest

    Totally agree with Robert F - why are they harping on about 2FA (which I may say I love!) for your email when they won't even let you have a proper account password!

  22. Robert F Guest

    > We do encourage you to ensure your IHG account is linked to a secure email address with 2
    > factor security authentication enabled, and that the security of your PIN is safeguarded.

    What's interesting here is that they're delegating security to the user. They're promoting the importance of 2FA, but they don't actually implement it. Instead, they're just suggesting that you get an email provider that does 2FA.

    This would be like buying a Camry without seat belts, having a terrible accident, and then being told by Toyota that you should really consider buying seat belts because they'll make for a much safer ride.

  23. nikdro New Member

    Wow, much better experience than I had with Hilton. Hilton took weeks to resolve and eventually issued me a new account number completely and never offered any type of point compensation.

  24. Mo Guest

    I guess it's Mr Lawyer from executive office hahaha. 15000 points, that's ridiculous, I would have declined them.
    Even being Royal Ambassador Spire Elite, IHG is a crap of crap.

  25. Roger Guest

    Gotta love the american pc propaganda marketing corporate jibber jabber. Help Mr. Schalpig out--this is BS!!!

  26. mike murphy Guest

    How long after paying off the card do the points show up?

    I paid it off 2 weeks ago, and still shows no points balance ?

  27. B Guest

    Any hotel account with a large balance I have fake hotel bookings to tie up the points. It's an added defense, and in case someone gets in first they won't see many points, second if they do cancel the bookings maybe I'll get an email.

  28. Frank Guest

    I got hacked for 425k points! Took a month to fix! They said 5 days and I got no gesture.

  29. nonamelive New Member

    How could IHG possibly take the security of their members very seriously while they only have 4-digit pin?

  30. k.m. Guest

    " IHG takes the security of our members very seriously"

    ....uses PIN codes as passwords.

    what a bunch of unbelievable marketing BS.

    also just curious, has anyone had an IHG card that has been hacked more than once? getting hacked 3 times and getting 15,000 points each time for the "frustration caused by the delayed response in gaining access to your account" is like signing up for a credit card to get the bonus. it's rather dumb but unfortunately i can see this happening to IHG account holders.

  31. Andrew Guest

    The best way to protect yourself in these instances is to either burn your points immediately or simply stop using IHG. Their crap security is one of the reasons that I won't use them. Also, Holiday Inn sucks so there's that.

  32. LDS Guest

    This happened to me with HHonors last year. Someone got into my account and changed my email address - no email notification came to me (I believe they've since beefed up these security features). Then someone transferred 75,000 points out.

    I logged in about 30 days later when I couldn't log into my account and noticed. I called in and they immediately noted that there was a new email address and that a large points transfer had occurred. I was very impressed with how quickly they acted - within 48 hours the old account was closed, new account opened, and points reinstated. This is a great reminder to regularly check all of your awards accounts.

Meet Andrew, OMAAT Contributor