SPG account information leakage

Discussion in 'Travel Security' started by viguera, Jan 23, 2015.

  1. viguera
    FYI,

    There are reports of compromised accounts on SPG according to Krebs. This was done with the same tool that was used to automate the credential checking on Hilton's website, which was leaked out to the seedier parts of the internet not that long ago. I would expect that it won't be long before other "less than secure" loyalty programs are attacked as well, so it might be a good idea to keep an eye on ALL your accounts for suspicious activity.

    http://krebsonsecurity.com/2015/01/password-re-use-fuels-starwood-fraud-spike/
     
  2. Newscience

    Thanks for posting this, viguera!
     
    Counsellor, MX and uggboy like this.
  3. HaveMilesWillTravel
    SPG sent out a warning email (at least to me) today.
     
    Newscience, Sammich and canucklehead like this.
  4. Counsellor
    Hmmm. I didn't get one.
     
    Newscience likes this.
  5. canucklehead
    I received one today also. No indication of who had their accounts hacked.
     
    Newscience likes this.
  6. HaveMilesWillTravel
    I am fairly certain that I didn't receive it because my account was hacked. Or at risk. The password still works and it is completely random and not used at any other site. Even I don't know it (1Password does).
     
    Newscience likes this.
  7. HaveMilesWillTravel
    Here is their email:

    CHANGE YOUR PASSWORD TODAY TO HELP PROTECT YOUR INFORMATION.

    SPG® has many layers of account security in place to keep your Starpoints® balance and other profile information safe. Over the past week, we have been actively investigating potential unauthorized access to a low number of SPG accounts. We suspect this activity is due to large breaches at other companies (not SPG) where user credentials are stolen and then used for unauthorized access to other accounts, such as SPG accounts. In order to further protect your account and ensure data security we recommend you update your SPG password today.

    Account security best practices:

    1. Use different log-in credentials on spg.com than you use on other websites.

    2. Check your account often and look for emails that notify you about account changes.

    3. Change your password regularly.

    4. Promptly report any suspicious activity to us.

    How to create a more secure password:

    • Use a complex password that includes a mix of at least six letters, numbers, and symbols.

    • Create a unique username rather than using your email address as your username.

    How to update your SPG password:

    1. Log in at spg.com and click on your name.

    2. Select "My Profile" under "Manage My Account".

    3. Choose "Edit" in the "Username and Password" section.

    4. Create a new password that contains six or more characters, including at least one letter, one number and one symbol.

    5. Click "Save Changes" when complete.
     
    Newscience likes this.
  8. Sammich

    Got one too. But then again I just changed mine a few days ago.
     
    Newscience likes this.
  9. HaveMilesWillTravel
    I don't change my unique and strong passwords unless the system forces me to. Little benefit, if any.
     
    Newscience, Counsellor and Sammich like this.
  10. Counsellor
    It drives me nuts when a site insists on using your e-mail address as your username. Sure, you're not going to forget it, but it's right out there for anyone to see on any e-mail sent from or to you.

    And one of the biggest abusers is a major ISP!
     
    Newscience likes this.
