This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. For an explanation of our Advertising Policy, visit this page.

One of the world’s largest hotel brands has a problem with hacking. Over the last few weeks, TPG has received multiple reports from readers that their IHG Rewards Club accounts had been hacked. According to those reports, tens of thousands and sometimes almost a million points have been stolen and used for fraudulent hotel bookings, and readers sometimes have had trouble getting their points reinstated. Here’s what happened, and what you can do to make your account more secure.

Accounts Hacked

TPG has received multiple reports from readers (in addition to seeing others across the web) about their IHG accounts being hacked and their points being lost or stolen due to these intrusions. And this isn’t the first time IHG has had cybersecurity issues. In April IHG said that it had been hit by a massive credit card data breach in 2016.

Reader reports of hacks usually involve them checking their IHG account and finding that their points are missing. Some readers have received notifications of activity, while others only found out once they logged into their account.

Most readers don’t even receive notifications when a hotel is booked through their account, like TPG reader Louis L. Gregory, who lost almost one million points through a hack:

Gregory said IHG didn’t recognize that the bookings were fraudulent and that he’s now locked out of his own account because of the breach.

Another TPG reader, Drew B., said that his account was hacked and the intruders booked two 50,000 point nights at the Intercontinental Tokyo. The only way he was notified of the fraud was by a notification received from IHG that he received a 600 point bonus for the stay — although Drew B. was never notified about the booking of the hotel itself.

According to posts in a Flyertalk thread called “Account Hacked, Points Spent,” many people had also their IHG Rewards account hacked. User Triger02 said on Flyertalk,

“Received an email from IHG stating that my account information had been updated about 30 minutes ago. I immediately logged in to find out 260,000 points were redeemed, leaving me with 2XXX points. My address had been changed to a Japanese one, and my email address was also changed.”

Multiple members of the TPG Lounge also commented saying they had points stolen, including Adriene Larson, who said “they stole 210k points from me as an ‘order’ transaction and updated my account to a Tokyo address.”

“Someone booked (an) overseas Asian hotel with my points AND my free night! The request for feedback from my ‘stay’ was my only tip-off this had happened,” added Anita Harmon in the Lounge.

Lack of Strong Security

The most likely reason for the hacks is the lack of strong password protection. IHG only requires a four-digit PIN and an email address to access an account.

Alexi Vereschaga, co-founder of AwardWallet, said that the four-digit pin system isn’t very strong, and other cyber-security experts agree that it’s easier to break into accounts with such a limited number of passwords.

“Basically my thought on this is that if your password is a four-digit PIN then you have 10,000 guesses to find the right one, so all you really need to know is the IHG account number,” said Vereschaga. Vereschaga joked that an entire database of debit card PIN codes has been leaked, and looks something like this.

“A 4-digit pin is absolutely not good enough today. An attacker can easily just run through a large list of know email addresses, try to log in with them and give an obvious number like ’1234’ or ’9999’ as the PIN,” said Mikko Hypponen, a cybersecurity expert and chief research officer at F-Secure Corporation. Hypponen added that when given the choice of choosing a four-digit pin about 20% of people choose their birth year.

“Just this trivial attack might give access to a large amount of accounts,” added Hypponen.

A service like AwardWallet can help notify you if your points go missing, since IHG is inconsistent with this. AwardWallet will send you a push notification as soon as it detects any changes in your IHG Account point balance.

Brian Krebs, founder of the blog Krebs on Security said that IHG should move away from the four-digit pin as a password, and implement CAPTCHA protections to combat automated PIN-guessing attacks.

“My guess is attackers have figured out a way to brute-force the PINs, knowing the user’s email address,” said Krebs.

Difficulty Reinstating Points

In most cases, it seems that IHG eventually returned the stolen points back in to the readers accounts, but not always. It took TPG reader Tom Brittnacher dealing with a frozen account for days before he got his points back. Six days after not receiving a followup from IHG, he called back and they refunded the 50,000 points that had been used at the Hotel Indigo in New York.

In other cases, people are still waiting, like Louis L. Gregory, who has Spire Elite status with IHG. He’s had to deal with 30-minute holds and now a frozen IHG Rewards account. It remains to be seen if he will get his points back.

Harmon said that she got her points back, but had to change the email address associated with her account, while Larson had her points reinstated, but under an entirely new account.

Secure Your Account

While far from hack-proof, changing your pin often can help. It can sometimes be hard to tell when an account has been hacked so make sure you check your IHG rewards account often. You can also sign up for a service like AwardWallet that will help notify you if there’s been a change in your point balance.

When asked about the security breaches and fraudulent activity, an IHG spokesperson said:

“IHG takes the security of member information very seriously, and we are continuously monitoring our systems. We also encourage members to periodically change their log in details to protect the security of their accounts.

Our systems and security do not show any concentrated hacking activity in recent days. However, if IHG Rewards Club members suspect improper activity on their accounts, they are encouraged to contact IHG Rewards Club member services at 1-800-334-5194 or global.fraud.protection@ihg.com.”

Featured image by Andrew Brookes / Getty Images.

Capital One® Savor® Cash Rewards Credit Card

This cash back card has a focus on dining and entertainment where you can earn unlimited 4% cash back in those spending categories. You can also earn 2% cash back at grocery stores and 1% cash back on all other purchases.

Apply Now
More Things to Know
  • Earn a one-time $500 cash bonus after you spend $3000 on purchases within the first 3 months from account opening
  • Earn unlimited 4% cash back on dining and entertainment, 2% at grocery stores and 1% on all other purchases
  • No rotating categories or sign-ups needed to earn cash rewards; plus cash back won't expire for the life of the account and there's no limit to how much you can earn
  • No foreign transaction fees
  • Access to premium experiences in dining, entertainment and more
  • $0 intro annual fee for the first year, $95 after that
Intro APR on Purchases
N/A
Regular APR
16.24% - 25.24% (Variable)
Annual Fee
$0 intro for first year; $95 after that
Balance Transfer Fee
$0
Recommended Credit
Excellent, Good

Editorial Disclaimer: Opinions expressed here are author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.