Posts Tagged: Hilton Honors

May 15

Starbucks Hacked? No, But You Might Be

When it comes to reporting on breaches involving customer accounts at major brands, the news media overall deserves an F-minus. Hardly a week goes by when I don’t hear from readers about a breathless story proclaiming that yet another household brand name company has been hacked. Upon closer inspection, the stories usually are based on little more than anecdotal evidence from customers who had their online loyalty or points accounts hijacked and then drained of value.

javamessThe latest example of this came last week from a story that was responsibly reported by Bob Sullivan, a former MSNBC journalist who’s since struck out on his own. Sullivan spoke with multiple consumers who’d seen their Starbucks card balances emptied and then topped up again.

Those customers had all chosen to tie their debit accounts to their Starbucks cards and mobile phones. Sullivan allowed in his story one logical explanation for the activity: These consumers had re-used their Starbucks account password at another site that got hacked, and attackers simply tried those account credentials en masse at other popular sites — knowing that a fair number of consumers use the same email address and password across multiple sites.

Following up on Sullivan’s story, the media pounced, suggesting that Starbucks had been compromised. In a written statement, Starbucks denied the unauthorized activity was the result of a hack or intrusion into its servers or mobile applications.

“Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account,” the company wrote. “This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.”

In most cases, a flurry of fraudulent account activity targeting a major brand is preceded by postings on noob-friendly hacker forums about large numbers of compromised accounts for sale, and the publication of teachable “methods” for extracting value from said hacked accounts.


Unsurprisingly, we saw large numbers of compromised Starbucks accounts for sale in the days leading up to the initial story about the Starbucks fraud, as well as the usual “methods” explaining to clueless ne’er-do-wells about how to perpetrate fraud against hacked accounts. Here’s another noob-friendly thread explaining how to cash out compromised Subway accounts; how long until we read media reports shouting that Subway has been hacked? Continue reading →

Mar 15

Hilton Honors Flaw Exposed All Accounts

Hospitality giant Hilton Hotels & Resorts recently started offering Hilton HHonors Awards members 1,000 free awards points to those who agreed to change their passwords for the online service prior to April 1, 2015, when the company said the change would become mandatory. Ironically, that same campaign led to the discovery of a simple yet powerful flaw in the site that let anyone hijack a Hilton Honors account just by knowing or guessing its valid 9-digit Hilton Honors account number.

Until it was notified by KrebsOnSecurity about a dangerous flaw in its site, Hilton was offering 1,000 points to customers who changed their passwords before April 1, 2015.

Until it was notified by KrebsOnSecurity about a dangerous flaw in its site, Hilton was offering 1,000 points to customers who changed their passwords before April 1, 2015.

The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder, respectively, at security consulting and testing firm Bancsec. The two found that once they’d logged into a Hilton Honors account, they could hijack any other account just by knowing its account number. All it took was a small amount of changing the site’s HTML content and then reloading the page.

After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.

I saw this vulnerability in action after giving Snyder and Potter my own Hilton Honors account number, and seconds later seeing screen shots of them logged into my account. Hours after this author alerted Hilton of the discovery, the Hilton Honors site temporarily stopped allowing users to reset their passwords. The flaw they discovered now appears to be fixed.

“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.” Continue reading →