
One of the world’s largest hotel brands has a problem with hacking. Over the last few weeks, TPG has received multiple reports from readers that their IHG Rewards Club accounts had been hacked. According to those reports, tens of thousands and sometimes almost a million points have been stolen and used for fraudulent hotel bookings, and readers sometimes have had trouble getting their points reinstated. Here’s what happened, and what you can do to make your account more secure.

Accounts Hacked

TPG has received multiple reports from readers (in addition to seeing others across the web) about their IHG accounts being hacked and their points being lost or stolen due to these intrusions. And this isn’t the first time IHG has had cybersecurity issues. In April IHG said that it had been hit by a massive credit card data breach in 2016.

Readers typically discover a hack when they check their IHG account and find that their points are missing. Some readers have received notifications of activity, while others only found out once they logged into their account.

Most readers don’t even receive notifications when a hotel is booked through their account, like TPG reader Louis L. Gregory, who lost almost one million points through a hack.

Gregory said IHG didn’t recognize that the bookings were fraudulent and that he’s now locked out of his own account because of the breach.

Another TPG reader, Drew B., said that his account was hacked and the intruders booked two 50,000-point nights at the Intercontinental Tokyo. The only way he learned of the fraud was a notification from IHG that he had received a 600-point bonus for the stay, although Drew B. was never notified about the booking of the hotel itself.

According to posts in a Flyertalk thread called “Account Hacked, Points Spent,” many other people also had their IHG Rewards accounts hacked. User Triger02 said on Flyertalk:

“Received an email from IHG stating that my account information had been updated about 30 minutes ago. I immediately logged in to find out 260,000 points were redeemed, leaving me with 2XXX points. My address had been changed to a Japanese one, and my email address was also changed.”

Multiple members of the TPG Lounge also commented saying they had points stolen, including Adriene Larson, who said “they stole 210k points from me as an ‘order’ transaction and updated my account to a Tokyo address.”

“Someone booked (an) overseas Asian hotel with my points AND my free night! The request for feedback from my ‘stay’ was my only tip-off this had happened,” added Anita Harmon in the Lounge.

Lack of Strong Security

The most likely reason for the hacks is the lack of strong password protection. IHG only requires a four-digit PIN and an email address to access an account.

Alexi Vereschaga, co-founder of AwardWallet, said that the four-digit PIN system isn’t very strong, and other cybersecurity experts agree that it’s easier to break into accounts with such a limited number of possible passwords.

“Basically my thought on this is that if your password is a four-digit PIN then you have 10,000 guesses to find the right one, so all you really need to know is the IHG account number,” said Vereschaga. Vereschaga joked that an entire database of debit card PIN codes has been leaked, and looks something like this.

“A 4-digit pin is absolutely not good enough today. An attacker can easily just run through a large list of known email addresses, try to log in with them and give an obvious number like ’1234’ or ’9999’ as the PIN,” said Mikko Hypponen, a cybersecurity expert and chief research officer at F-Secure Corporation. Hypponen added that when choosing a four-digit PIN, about 20% of people choose their birth year.

“Just this trivial attack might give access to a large amount of accounts,” added Hypponen.

A service like AwardWallet can help notify you if your points go missing, since IHG is inconsistent with this. AwardWallet will send you a push notification as soon as it detects any changes in your IHG Account point balance.

Brian Krebs, founder of the blog Krebs on Security, said that IHG should move away from the four-digit PIN as a password, and implement CAPTCHA protections to combat automated PIN-guessing attacks.

“My guess is attackers have figured out a way to brute-force the PINs, knowing the user’s email address,” said Krebs.
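The two guessing patterns described above (one obvious PIN tried across many email addresses, and many PINs tried against one known account) leave different traces in login logs. The following is an added example, not code from IHG or from this article, that flags both over constructed events; the event fields, source labels and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed login events: (minute, source, account, succeeded).
# Sources, accounts and thresholds are hypothetical, not IHG data.
EVENTS = (
    # one source, one guess each against many different accounts (spraying)
    [(i, "src-A", f"user{i}@example.com", i == 7) for i in range(12)]
    # one source, many guesses against a single account (brute force)
    + [(20 + i, "src-B", "victim@example.com", i == 14) for i in range(15)]
    # ordinary member who mistypes once, then logs in
    + [(40, "src-C", "alice@example.com", False),
       (41, "src-C", "alice@example.com", True)]
)

SPRAY_ACCOUNTS = 10  # distinct accounts failed from one source inside the window
BRUTE_FAILURES = 5   # failed attempts on one account inside the window
WINDOW = 60          # minutes


def _burst(items, threshold, window):
    """True if `threshold` distinct keys fall inside any `window`-minute span."""
    for start, _ in items:
        keys = {k for m, k in items if 0 <= m - start < window}
        if len(keys) >= threshold:
            return True
    return False


def detect(events, window=WINDOW):
    """Return (spraying sources, brute-forced accounts, logins to review)."""
    by_source, by_account = defaultdict(list), defaultdict(list)
    for idx, (minute, source, account, ok) in enumerate(events):
        if not ok:
            by_source[source].append((minute, account))  # key: targeted account
            by_account[account].append((minute, idx))    # key: each failed attempt
    spraying = {s for s, f in by_source.items() if _burst(f, SPRAY_ACCOUNTS, window)}
    brute = {a for a, f in by_account.items() if _burst(f, BRUTE_FAILURES, window)}
    # A success from a spraying source, or on a brute-forced account, may be a
    # guess that worked: hold it for review and notify the member.
    review = {a for _, s, a, ok in events if ok and (s in spraying or a in brute)}
    return spraying, brute, review


if __name__ == "__main__":
    print(detect(EVENTS))
```

Per-account lockout alone catches only the second pattern; the first needs the per-source view, because each targeted account sees a single failure.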

Difficulty Reinstating Points

In most cases, it seems that IHG eventually returned the stolen points to readers’ accounts, but not always. TPG reader Tom Brittnacher dealt with a frozen account for days before he got his points back. After six days without a follow-up from IHG, he called back and they refunded the 50,000 points that had been used at the Hotel Indigo in New York.

In other cases, people are still waiting, like Louis L. Gregory, who has Spire Elite status with IHG. He’s had to deal with 30-minute holds and now a frozen IHG Rewards account. It remains to be seen if he will get his points back.

Harmon said that she got her points back, but had to change the email address associated with her account, while Larson had her points reinstated, but under an entirely new account.

Secure Your Account

While far from hack-proof, changing your PIN often can help. It can sometimes be hard to tell when an account has been hacked, so make sure you check your IHG Rewards account often. You can also sign up for a service like AwardWallet that will help notify you if there’s been a change in your point balance.

When asked about the security breaches and fraudulent activity, an IHG spokesperson said:

“IHG takes the security of member information very seriously, and we are continuously monitoring our systems. We also encourage members to periodically change their log in details to protect the security of their accounts.

Our systems and security do not show any concentrated hacking activity in recent days. However, if IHG Rewards Club members suspect improper activity on their accounts, they are encouraged to contact IHG Rewards Club member services at 1-800-334-5194 or global.fraud.protection@ihg.com.”

Featured image by Andrew Brookes / Getty Images.
