lorenmd
TUG Member
- Joined
- Sep 30, 2010
- Messages
- 387
- Reaction score
- 86
- Location
- seattle
- Dec 30, 2021
- #1
I know it's not Vistana, but they are linked. Bonvoy security wasn't good enough to prevent hackers. They got my account information, requested to change my email address, then requested to change my cell phone number, then changed my password, and from there they used up all my points making hotel reservations. All they had to do was add their name on as my guest.
The first couple had a nice 200k stay at the Westin, but then I happened to check my account through the app on my phone, which kept me logged in, and I saw that I had two hotel check-ins scheduled for today. I sent a chat immediately and called Bonvoy. They were able to see that the changes happened Dec 24. Two couples had already checked in. I got their phone number and email. Then we were able to change everything back to my name. Then they locked the couples out of their rooms and called the police. Somehow one couple was able to get housekeeping to let them in; they grabbed their stuff and left. The other couple in Seattle was confronted.
Needless to say, it is quite concerning that Bonvoy did not have some security in place to notify the email on file for the last 20 years that a request had been made to change. They messed up. All my points will be reinstated, but they still messed up. I also had my Amex card as a guarantee, so Amex stepped in too. Need to check Vistana to make sure they didn't screw that account up, but a week-long stay is probably not something they want to try and hack. Happy New Year everyone. Travel will resume someday.
Ken555
TUG Review Crew: Veteran
TUG Member
- Joined
- Jun 7, 2005
- Messages
- 14,781
- Reaction score
- 5,869
- Location
- Los Angeles
- Resorts Owned
- Westin Kierland
Sheraton Desert Oasis
- Dec 30, 2021
- #2
That sucks.
davidvel
TUG Member
- Joined
- May 9, 2008
- Messages
- 8,052
- Reaction score
- 5,037
- Location
- No. Cty. San Diego
- Resorts Owned
- Marriott Shadow Ridge (Villages)
Carlsbad Inn
- Dec 30, 2021
- #3
Good they responded quickly and tracked them down. Seems like a stupid hack as it's not hard to find them in your room!!
Not sure what you mean by "Bonvoy security wasn't good enough to prevent hackers." I doubt they hacked Bonvoy. You said one couple stayed in Seattle, were the others as well? Sounds like an "inside" job, like someone in Seattle. Maybe someone you know?
lorenmd
- Dec 30, 2021
- #4
davidvel said:
Good they responded quickly and tracked them down. Seems like a stupid hack as it's not hard to find them in your room!!
Not sure what you mean by "Bonvoy security wasn't good enough to prevent hackers." I doubt they hacked Bonvoy. You said one couple stayed in Seattle, were the others as well? Sounds like an "inside" job, like someone in Seattle. Maybe someone you know?
No, the other was in DC. They saw places I had stayed and sold my points to people who wanted to stay there. Not an inside job. The person who answered the phone had a foreign accent. Yes, they hacked Bonvoy. Bonvoy told me it was happening to them across the country. Loyalty members are not really traveling, so we aren't noticing our accounts. I just happened to need a hotel at the airport tonight or I would never have spotted the two check-ins from today.
Born2Travel
TUG Member
- Joined
- Jun 7, 2005
- Messages
- 813
- Reaction score
- 74
- Resorts Owned
- Kuleana, Sands of Kahana, Marriott Newport Coast Villas, Marriott Grand Chateau, Worldmark, Foxrun
- Dec 30, 2021
- #5
They almost got my Chase Rewards Miles but I got notification of email, phone and address changes on my account and called right away. They had already started stealing them but Chase was able to stop it and reverse the transfer. My address was changed to somewhere in Texas but the email ended with .us making me think they are not in the U.S. They hit several accounts including my Bonvoy account but either Chase restored them or the account was locked before they got them.
regatta333
TUG Review Crew: Expert
TUG Member
- Joined
- Oct 27, 2005
- Messages
- 903
- Reaction score
- 121
- Location
- Maryland
- Resorts Owned
- Wyndham Long Wharf, Wyndham points, Vistana Westin Kierland
- Dec 30, 2021
- #6
I use AwardWallet to track all my loyalty points. It updates the accounts and keeps track of when all the points expire. It would have kicked out an error message about an inability to update the account because of an incorrect password.
dioxide45
TUG Review Crew: Expert
TUG Lifetime Member
- Joined
- May 20, 2006
- Messages
- 49,375
- Reaction score
- 20,752
- Location
- NE Florida
- Resorts Owned
- Marriott Grande Vista
Marriott Harbour Lake
Sheraton Vistana Villages
Club Wyndham CWA
- Dec 30, 2021
- #7
lorenmd said:
Needless to say, it is quite concerning that Bonvoy did not have some security in place to notify the email on file for the last 20 years
I know some websites will send an email to the previous email address when the email address is updated. Did that not happen?
Question about your password. Did you use the password with any other websites or even email accounts? I had this happen a few years ago with our Yahoo email and MyPoints. Yahoo has been compromised more times than anyone can count. I was using the same password for my email that I was using for MyPoints. When they got access to the Yahoo email account, they could easily see that I was getting emails from MyPoints. So they then just tried my email password in MyPoints and it worked. They burnt through my MyPoints by redeeming for Amazon gift cards. Since they had access to the email, they redeemed those codes on Amazon right away. My lesson learned here is to never use the same password for different accounts. You can use password keeper software to generate random complex passwords for each website and then have the program remember those. Google Chrome has something similar if you work entirely in the Chrome ecosystem.
dioxide45
- Dec 30, 2021
- #8
What could have happened here was that whoever hacked your account and made the reservations turned around and rented them for cash. So the person actually staying in the room wasn't necessarily the hacker and could also be a victim.
PeterS
TUG Member
- Joined
- Jun 6, 2005
- Messages
- 280
- Reaction score
- 57
- Dec 30, 2021
- #9
Born2Travel said:
<clip>My address was changed to somewhere in Texas but the email ended with .us making me think they are not in the U.S. <clip>
Actually it should show they were in the US...
Per wikipedia:
.us is the Internet country code top-level domain (ccTLD) for the United States. It was established in early 1985. Registrants of .us domains must be U.S. citizens, residents, or organizations, or a foreign entity with a presence in the United States.
lorenmd
- Dec 30, 2021
- #10
dioxide45 said:
I know some websites will send an email to the previous email address when the email address is updated. Did that not happen?
Question about your password. Did you use the password with any other websites or even email accounts? I had this happen a few years ago with our Yahoo email and MyPoints. Yahoo has been compromised more times than anyone can count. I was using the same password for my email that I was using for MyPoints. When they got access to the Yahoo email account, they could easily see that I was getting emails from MyPoints. So they then just tried my email password in MyPoints and it worked. They burnt through my MyPoints by redeeming for Amazon gift cards. Since they had access to the email, they redeemed those codes on Amazon right away. My lesson learned here is to never use the same password for different accounts. You can use password keeper software to generate random complex passwords for each website and then have the program remember those. Google Chrome has something similar if you work entirely in the Chrome ecosystem.
That was my biggest question. Why did you not send an email to the original email on file saying your account email has been changed? If you did this then ignore. If you did not then please contact us. That is the standard, and when Instacart was hacked and then Bonvoy, I never received those emails. The chat function at the hotel desks works very well though. I sent chat that it was a fraudulent check-in while I was on a long hold to talk to Bonvoy, and then the front desk knew something was happening. They did need to wait to hear from Bonvoy before they locked the guests out. The guests probably bought the points and one was instructed to say he was my son-in-law. Nope.
lorenmd
- Dec 30, 2021
- #11
dioxide45 said:
What could have happened here was that whoever hacked your account and made the reservations turned around and rented them for cash. So the person actually staying in the room wasn't necessarily the hacker and could also be a victim.
Yes, I think that's what goes on, but they were instructed to say they were my son-in-law, so they knew it was illegal activity.
Born2Travel
- Dec 31, 2021
- #12
lorenmd said:
That was my biggest question. Why did you not send an email to the original email on file saying your account email has been changed? If you did this then ignore. If you did not then please contact us. That is the standard, and when Instacart was hacked and then Bonvoy, I never received those emails. The chat function at the hotel desks works very well though. I sent chat that it was a fraudulent check-in while I was on a long hold to talk to Bonvoy, and then the front desk knew something was happening. They did need to wait to hear from Bonvoy before they locked the guests out. The guests probably bought the points and one was instructed to say he was my son-in-law. Nope.
That is how I was notified, but I think maybe you need to sign up for those notifications in your account.