UGH: My IHG Account Was Hacked

In the interest of full disclosure, One Mile At A Time earns a referral bonus for anyone that’s approved through some of the below links. These are the best publicly available offers that we have found for each card. Please check out our advertiser policy for further details about the partners we work with. Thanks for your support!

Miles and points are great and all, but only if someone doesn’t steal them from you. I have a bunch of IHG Rewards points, mainly from my signup bonus for the IHG® Rewards Club Premier Credit Card and from a really lucrative Accelerate offer last year.

The other day I tried to log into my account. I haven’t booked any stays with IHG for about 8 months, and I was hoping to redeem some points for an upcoming trip.

IHG’s website isn’t the best in terms of security — rather than a strong password, users sign in with their account number or email address and a 4-digit PIN.

I tried logging in using my credentials, and I was certain they were correct, but the system wouldn’t accept them. IHG has an online chat feature, so I gave that a try. They reset my PIN and sent me an email — but the new PIN didn’t work either! The online chat agent logged off before I had the chance to tell him that it didn’t work (literally he said “Is there anything else I can help you with?” and then logged off five seconds later).

Finally I called IHG, strongly suspecting that something was wrong, and explained the situation to them. Once again they insisted on sending me a new PIN, and wouldn’t wait on the phone with me while the email came through. This time the PIN worked and I was able to get into my account – but 87,000 of my roughly 100,000 points were missing!

The account activity showed two redemptions made in February, which I certainly did not make or authorize.

The person on the phone said that the account holder’s address and email address were changed a few months ago (despite the fact that the previous agent I’d spoken to verified all my contact info and said it matched their records).

Here are the fraudulent redemptions. I hope the toiletries gave him rashes and his request for 2 pm checkout was denied!

Unfortunately I couldn’t see what the redemptions were used for, but I am really curious. Was this hacker spending a week at a Candlewood Suites in Nebraska, or did they opt for something a little more exotic like a Kimpton property?

Anyway, the agent told me they would investigate and that my account would be temporarily suspended and they would call me in 3 to 5 days with an update. Sure enough, when I tried to log in today I received this message:

I’ll let you know what happens – I guess my lesson here is that I should’ve been periodically changing that PIN, or keeping a closer eye on my account balances.

Has anyone else ever had a points account hacked (IHG or otherwise)? Were you happy with the resolution?

Comments

  1. My JetBlue account was hacked recently (someone turned on family sharing and moved the accounts to a secondary account and made a booking) but I caught it pretty early on (next day or so). The agents were great and they reinstated the points immediately.

  2. They got over 400k IHG points from my account last year! Took me a month to get them back.

  3. You’re not alone. Mine was emptied in January. Had to get a new account set up which was easy enough, however none of my previous activity was transferred across.
    Strangely it happened after I did some searches on their site at one of their Spanish hotels which were looking extremely cheap on points redemptions.

    I had just under 100K points taken, and they were redeemed for Argos gift cards. Fools!

  4. As a Nebraska native, I can assure you no one wants to spend a week in Candlewood Suites here!

  5. I had a similar situation with IHG. Mine is also hacked. Lucky for me they reimbursed the missing points and advised me to be vigilant and often monitor my account as well as change my PIN from time to time.
    @Andrew just be aware in the future. It is a terrible world outside. Sometimes you get scammed like @Lucky or robbed like @James.

  6. It’s not like IHG never does anything with their site. They’ve integrated in Kimpton, refreshed the visual design, etc. You’d think the cost of replacing points for people all the time would justify some work on their account authentication system. Seems like an unusually concrete ROI…

  7. Mine was also hacked. Their 4 digit pin is really negligible from a security point of view. Their whole security features are non existent, don’t be surprised if it happens again! They also don’t have a block out for multiple login attempts, as long as they have an email address, run a program to find your pin at 4 to the power of 4!

  8. It’s happened to me TWICE!!
    It’s about a month long process to get them to put the points back.
    And you will talk/email with about 50 different people during the process, re-explaining each time. Tremendously frustrating.

  9. My IHG account was hacked as well…last Dec. Someone changed the registered email address, then points were redeemed. The initial response from customer service was slow, but once they understood what happened, they immediately restored the points back fortunately.

  10. I’ve had my Hilton and Thank you accounts hacked. In both cases my points were redeemed for gift cards and in both cases the points were reinstated to my account within a couple of days.

  11. It’s not a matter of changing your PIN frequently, the problem is that a 4-digit PIN only has 10,000 possible combinations (versus a million for a 6-digit PIN).

    There is software out there (for free!) that a bad guy can run that simply tries every combination until it unlocks.

    The 4-digit PIN wouldn’t be as bad if there was a lock-out feature with email alerts.

    But seriously, folks, what do you expect from the IHG crew? These are the same people that lied to us about a “free night” credit card benefit and then yanked it — they aren’t the brightest bulbs.

  12. It makes you wonder: if they can hack these accounts so easily, does that mean stored CCs are also exposed/vulnerable. It has to be said that IHG has a more than slightly cavalier approach to security, relative to the others.

  13. Mine as well. Used points to get iTunes vouchers! Told to open new account with new email and everything was transferred across from my old account. Whoever hacked my account was stupid enough to add all their personal details, address, email, etc., so I sent them a nice email 😉

  14. The 4 digit numeric pin that IHG uses is absurd. I don’t know how any company can think that’s okay, even 10 or 15 years ago. I’m honestly surprised that not everybody has been hacked. We really need to start a campaign to pressure IHG to change their security policy so that we can use longer passwords.

  15. The 4-digit associated with the IHG account is very archaic and easy to crack. IHG ought to come up with new security protocol.

  16. That is quite absurd that they rely on a four digit PIN. Thanks for the heads-up; I changed mine as well. If it means anything, I strongly recommend a password manager. 1Password is amazing and once you commit to it, you’ll never want to go back to managing passwords on your own (and likely repeating passwords between accounts). Also turn on two-factor authentication wherever you can (1Password makes this easy as well). Now if an account is hacked, only that account is at risk, and not multiple others that have the same username and password.

  17. IHG is a complete joke. My account was hacked 3 years ago and 200,000 points were used on Amazon. They told me I had a weak PIN. What???? The points were reinstated. Amazing that they insist on 4 digit PIN still today. Earn and burn those points asap.

  18. Sounds like IHG needs to change their security software. It seems appalling that all a hacker needs is a 4 digit code and nothing else, not even a name or something. That is stupid. IHG needs to change.

  19. Hopefully some IHG people are reading this! I had written a complaint about the hacking of my account and the suggestion to strengthen the PIN code system. We are in 2018 and my complaint was at least 8 years ago! We still do not have a decent system to rely on!

  20. Mine was hacked too. 100K points were redeemed for two nights in Tokyo. I caught the act during their stay. IHG called the hotel immediately and the hotel staff actually went to check the guest room. IHG also gave me the guest names. I did not follow up with IHG or the hotel what happened next.
    The 100K points were redeposited a week later. My account activities seemed to indicate the guests checked out as expected, and I got 10K points rebate as an IHG credit card holder.

  21. I had mine hacked and emptied as well. It was actually a fairly painless process and I came out ahead.

    I called the rep, told them that I had fraudulent redemptions. She said they would start an investigation and it would take a week to get my points back, but asked if I needed to make any award reservations soon (I didn’t, but I am still curious what would have happened if I did). I received my 100k+ points back into my account at the one week mark, and was still awarded the 10% rebate on the fraudulent redemptions.

  22. 3 absurd things about the IHG program:
    only a 4 digit pin,
    no lock out for multiple log in attempts until the right pin is entered
    no email sent to email on record when that email is changed

    Any of those is bad, but all 3?

    But since they seem quite happy to replace hacked points, I’m thinking we should start hacking each others accounts. I’ll get your points, and you will get them back. You’ll get my points, and I will get them back. It will truly be “win/win”… 🙂

  23. My IHG account got hacked last year. Called up and IHG wasn’t very helpful at all. But since reservation was for still one week away within the cancellation period I just cancelled it myself and changed my PIN. Still crazy there’s no way on the IHG website to report your account being hacked. Asked agent to setup an investigation and I don’t think it ever happened.

    Luckily I get Awardwallet notifications on my transactions and so I got an alert on the transaction and I was able to fix it right away. Thanks Awardwallet!

  24. Same here. Awardwallet weekly email showed the redemption and I immediately called IHG. They were well aware of the problem of hacking due to the pin only being four digits and immediately cancelled the redemption and put the points back into my account.

    I strongly recommend that anyone with significant IHG points subscribe to Awardwallet, set your email address in each of your airline/hotel/credit card accounts to your AW address and enable AW to send you weekly activity updates.

    Lucky you’re a smart guy. I’m surprised you don’t have this enabled on your account. Or do you but you didn’t see it in the email?

    AW if you read this I’d suggest an option so that whenever there is any redemption from an account you send a notification email. As it is right now a user has to sort through all the week’s activity and it is easy to miss a redemption among all the noise. A separate email, particularly one that flagged a large redemption and/or repeated redemptions would give users a great deal of comfort knowing their account is being watched over.

  25. Changing your pin won’t matter. There’s only so many possibilities. A computer can try logging in with those different pins fairly quickly. Maybe we need to bomb their social media account like when they changed the free night award. Obviously they heard. This is a way bigger deal.

  26. Sadly companies aren’t held liable for their incompetence. As others mentioned a 4 digit pin is easy to crack especially without a limit on failed logins.

  27. This is absolutely one of the reasons you should consider getting something like awardwallet to track your accounts. That way it’s both super easy to check all your balances at once, and you get a handy email every week that alerts you to any balance changes. Obviously this won’t prevent someone from hacking an account with ridiculously obsolete security (a 4-digit numeric pin? Come on!), but you’ll know sooner — not when you’re about to make your own redemption.

  28. @ Robert Hanson – Not true that multiple incorrect login attempts at IHG’s web site don’t cause account lockouts. Members will be locked out after only a few tries and have to call customer service to reset their login information. It isn’t much to stop hackers but is a hassle for users who make a mistake when typing their PIN since there is no option to reset online using security questions.

  29. This is on IHG, a four-digit PIN is extremely easy to brute force or guess. As someone who takes online security seriously, this is something IHG could correct but choose not to. IHG please add a proper password system!

  30. My IHG account was hacked last year. They booked two nights at a hotel in Cartagena. It only took one phone call and I got the points back.

  31. Same thing with IHG happened to me in early January 2018. I caught it in time and they were able to cancel the redemption of points. I also read several blog posts around the same time about others with the same issue. I got my account and points back in roughly 1 week.

    IHG continues to use a bogus 4 digit PIN which is so easy to crack which is the root of the problem and apparently they don’t care to fix it.

  32. Yes I had that problem. Yes it was resolved satisfactorily— but only after about 5 calls and more than 30 days. They kept saying 3 to 5 days. Don’t believe it. Keep pestering them.
    Also they told me I had to change the email address that was associated with the account ugh. IHG really needs to get their act together.

  33. IHG deserves to lose money and customers over this hacking issues. Why any smart company would allow someone to change email, addresses and a redemption without recognizing a hacking was occurring. When I reported my hacking, IHG implied it was my fault, really?? With such weak security no wonder they continue to be vulnerable.

    I have not stayed at an Intercontinental since. With modern technology, you might ask why IHG is not wondering why an Ambassador hasn’t been staying at their hotels.

  34. Mine was hacked in April. I realized it the same day and found out that the free night and points were used for 3 nights on Phuket at the same time I reported it. Beats me why they did not get hold of the person that stayed at the Holiday Inn.
    I had to change email/password 3 times(!) with different agents until I could use my account again. I got my points back but for some reason they could not reinstate my free night. I will have to contact customer service with a reference number once I decide to use it. I wonder through how many hoops I will have to jump then.

  35. Within the same week, my Choice hotel points were drained to buy an Amazon gift card and my free night from hotels.com was redeemed for a hotel. After much work and customer service time, I was able to get back into my accounts and I saw personal information for the person who did it. I filed an online fraud claim against him. Who knows if he will get caught or not. But I did finally get my points back!

  36. I was hacked. Seems they are used to this, as one call had my points restored. Much easier than I expected.

  37. I’ve had it happen twice, about 400k points each time. It wasn’t that hard to get it restored, but it took a month. One time, though, I actually got extra points, the 10% bonus for having redeemed the points.

  38. American businesses continue to not even give information security a second thought, a fifth or sixth thought at best. Expect more breaches and hacking. Even so, only requiring a 4-digit PIN is ludicrous these days. Of course, should they implement serious security controls, then the same customers complaining about weak security will complain that the security process is too burdensome lol.

    Given that these companies have to in most cases bite the loss of a breach, you would think that investing in securing their systems would be worth it.

  39. I was also hacked and 2 nights were booked overseas. Customer service restored my points while on the phone (the reservation didn’t happen yet). I also set up a new account #. Now I log in to IHG regularly due to the poor security.

    BTW I’m an IHG cardholder and months later my free night did not post. I had to make multiple calls to IHG who worked with Chase to have it sent to the correct account number.

  40. That is a bummer, agree with all of the four digit comments above. I do use a points tracker like award wallet, which does at least notify me in a timely manner about account usage. Wouldn’t have stopped the issue but you’d have detected it 8 months earlier rather than getting the ugly surprise at the time you sought to redeem.

  41. (Detecting it would mean you’d have gotten an alert saying your account was not syncing)

  42. I had my Hilton account hacked about 3 years ago when someone redeemed 300,000 honors points on gift cards. Fortunately, Hilton was on it before I even knew about it. Their fraud section stopped the transaction, alerted me to what was happening, and within a few days everything was taken care of.

  43. Award wallet should’ve picked that up, right? Anyways, I check my IHG account every time I read one of these stories (about once a month). Shouldn’t have to but whatever. I suppose it doesn’t really matter how soon you catch the fraud unless you were planning on spending your points soon.

  44. I don’t understand how IHG are getting away with this 4 digit PIN absurdity. Here in the UK it’s a very clear breach of data protection regs which states that BY LAW

    “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

    https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

    Quite simply IHG are breaking the law. I strongly urge everyone to report them to the Information Commissioner.

  45. A couple of years ago someone hacked my American Airlines account and stole a couple hundred thousand miles. They changed the email address on the account to theirs. American sends a notification to the prior email when the email address is changed, so to try to hide that the perp signed my email up for spam services – over the course of a couple of days I received over a thousand spam emails that weren’t caught by the filters on my account (a lot of them were legit emails, like things from newspapers that you can sign up for emails on different topics, so like eight emails from some random paper in Minnesota or the UK). Fortunately in going through and deleting all of the spam I saw the notification email from American. I contacted them immediately, they temporarily froze my account, and a couple days later restored all of the stolen miles. (Yes, I’ve changed the email and password on the account.) I don’t know what American did beyond that, but since I didn’t have any other information on the perp I couldn’t even file a police report.
