Miles and points are great and all, but only if someone doesn’t steal them from you. I have a bunch of IHG Rewards points, mainly from my signup bonus for the IHG® Rewards Premier Credit Card and from a really lucrative Accelerate offer last year.
The other day I tried to log into my account. I haven’t booked any stays with IHG for about 8 months, and I was hoping to redeem some points for an upcoming trip.
IHG’s website isn’t the best in terms of security — rather than a strong password, users sign in with their account number or email address and a 4-digit PIN.
I tried logging in using my credentials, and I was certain they were correct, but the system wouldn’t accept them. IHG has an online chat feature, so I gave that a try. They reset my PIN and sent me an email — but the new PIN didn’t work either! The online chat agent logged off before I had the chance to tell him that it didn’t work (literally he said “Is there anything else I can help you with?” and then logged off five seconds later).
Finally I called IHG, strongly suspecting that something was wrong, and explained the situation to them. Once again they insisted on sending me a new PIN, and wouldn’t wait on the phone with me while the email came through. This time the PIN worked and I was able to get into my account – but 87,000 of my roughly 100,000 points were missing!
The account activity showed two redemptions made in February, which I certainly did not make or authorize.
The person on the phone said that the account holder’s address and email address were changed a few months ago (despite the fact that the previous agent I’d spoken to verified all my contact info and said it matched their records).
Unfortunately I couldn’t see what the redemptions were used for, but I am really curious. Was this hacker spending a week at a Candlewood Suites in Nebraska, or did they opt for something a little more exotic like a Kimpton property?
Anyway, the agent told me they would investigate and that my account would be temporarily suspended and they would call me in 3 to 5 days with an update. Sure enough, when I tried to log in today I received this message:
I’ll let you know what happens –- I guess my lesson here is that I should’ve been periodically changing that PIN, or keeping a closer eye on my account balances.
Has anyone else ever had a points account hacked (IHG or otherwise)? Were you happy with the resolution?