
One of the world’s largest hotel brands has a problem with hacking. Over the last few weeks, TPG has received multiple reports from readers that their IHG Rewards Club accounts had been hacked. According to those reports, tens of thousands and sometimes almost a million points have been stolen and used for fraudulent hotel bookings, and readers sometimes have had trouble getting their points reinstated. Here’s what happened, and what you can do to make your account more secure.

Accounts Hacked

TPG has received multiple reports from readers (in addition to seeing others across the web) about their IHG accounts being hacked and their points being lost or stolen in these intrusions. And this isn’t the first time IHG has had cybersecurity issues: in April, IHG said that it had been hit by a massive credit card data breach in 2016.

Reader reports of hacks usually follow the same pattern: a member checks their IHG account and finds that points are missing. Some readers received notifications of the activity, while others only found out once they logged into their account.

Most readers don’t even receive a notification when a hotel is booked through their account. TPG reader Louis L. Gregory, for example, lost almost one million points through a hack.

Gregory said IHG didn’t recognize that the bookings were fraudulent and that he’s now locked out of his own account because of the breach.

Another TPG reader, Drew B., said that his account was hacked and the intruders booked two 50,000-point nights at the Intercontinental Tokyo. The only notice he got of the fraud was a message from IHG saying he had received a 600-point bonus for the stay — he was never notified about the booking of the hotel itself.

According to posts in a Flyertalk thread called “Account Hacked, Points Spent,” many other people have also had their IHG Rewards accounts hacked. User Triger02 said on Flyertalk,

“Received an email from IHG stating that my account information had been updated about 30 minutes ago. I immediately logged in to find out 260,000 points were redeemed, leaving me with 2XXX points. My address had been changed to a Japanese one, and my email address was also changed.”

Multiple members of the TPG Lounge also commented saying they had points stolen, including Adriene Larson, who said “they stole 210k points from me as an ‘order’ transaction and updated my account to a Tokyo address.”

“Someone booked (an) overseas Asian hotel with my points AND my free night! The request for feedback from my ‘stay’ was my only tip-off this had happened,” added Anita Harmon in the Lounge.

Lack of Strong Security

The most likely reason for the hacks is the lack of strong password protection. IHG only requires a four-digit PIN and an email address to access an account.

Alexi Vereschaga, co-founder of AwardWallet, said that the four-digit PIN system isn’t very strong, and other cybersecurity experts agree that it’s easier to break into accounts when there are so few possible passwords to try.

“Basically my thought on this is that if your password is a four-digit PIN then you have 10,000 guesses to find the right one, so all you really need to know is the IHG account number,” said Vereschaga. Vereschaga joked that an entire database of debit card PIN codes has been leaked, and looks something like this.

“A 4-digit PIN is absolutely not good enough today. An attacker can easily just run through a large list of known email addresses, try to log in with them and give an obvious number like ’1234’ or ’9999’ as the PIN,” said Mikko Hypponen, a cybersecurity expert and chief research officer at F-Secure Corporation. Hypponen added that when given the choice of a four-digit PIN, about 20% of people choose their birth year.

“Just this trivial attack might give access to a large amount of accounts,” added Hypponen.

A service like AwardWallet can help notify you if your points go missing, since IHG’s own notifications are inconsistent. AwardWallet will send you a push notification as soon as it detects any change in your IHG account point balance.

Brian Krebs, founder of the blog Krebs on Security, said that IHG should move away from the four-digit PIN as a password and implement CAPTCHA protections to combat automated PIN-guessing attacks.

“My guess is attackers have figured out a way to brute-force the PINs, knowing the user’s email address,” said Krebs.
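The two abuse patterns the experts describe above, a single source cycling through PINs against one account (Vereschaga and Krebs) and a single source trying one obvious PIN across a long list of email addresses (Hypponen), look very different in a login log, and a loyalty program can catch both before a CAPTCHA or longer password is ever rolled out. The following Python is an added example written for this article; it is not IHG’s code or AwardWallet’s, and the event layout, IP addresses, email addresses and thresholds are all constructed assumptions. It runs sliding-window counters over failed PIN logins: many failures on one (source, account) pair flag brute force, many distinct accounts failing from one source flag spraying. It also puts a number on why a lockout matters for a four-digit PIN.

```python
"""
Added example (not from the article, IHG or AwardWallet): detecting
PIN brute force and PIN spraying in a stream of failed-login events,
plus the arithmetic behind a lockout policy for a 4-digit PIN.
"""
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# One failed login attempt. The PIN that was tried is deliberately NOT
# recorded; counting attempts is enough for detection and keeps secrets
# out of the logs.
Event = namedtuple("Event", ["time", "src", "account"])


def _max_distinct_in_window(events, key_fn, value_fn, window):
    """
    For each key (e.g. a source IP) return the largest number of distinct
    values (e.g. target accounts) seen within any `window`-long span.
    `events` must be sorted by time.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for idx, ev in enumerate(events):
        key = key_fn(ev)
        q = recent[key]
        q.append((ev.time, value_fn(idx, ev)))
        while q and ev.time - q[0][0] > window:  # drop events outside the window
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct > peak[key]:
            peak[key] = distinct
    return dict(peak)


def detect_brute_force(events, window=timedelta(minutes=10), threshold=10):
    """(src, account) pairs with >= threshold failures inside one window."""
    peaks = _max_distinct_in_window(
        events, key_fn=lambda e: (e.src, e.account),
        value_fn=lambda i, e: i, window=window)  # every event counts once
    return {pair for pair, n in peaks.items() if n >= threshold}


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that failed against >= min_accounts distinct accounts in one window."""
    peaks = _max_distinct_in_window(
        events, key_fn=lambda e: e.src,
        value_fn=lambda i, e: e.account, window=window)
    return {src for src, n in peaks.items() if n >= min_accounts}


def guess_probability(pin_digits, attempts_allowed):
    """
    Chance that an attacker who gets `attempts_allowed` tries before lockout
    hits a uniformly random PIN. Assumes uniform PINs; the birth-year skew
    Hypponen mentions makes the real odds worse for the defender.
    """
    return min(1.0, attempts_allowed / 10 ** pin_digits)


def constructed_events():
    """Constructed sample log: one brute force, one spray, one benign typo."""
    base = datetime(2018, 7, 10, 9, 0)
    evs = []
    # Brute force: one source, one account, 12 failures in six minutes.
    for i in range(12):
        evs.append(Event(base + timedelta(seconds=30 * i),
                         "203.0.113.7", "alice@example.com"))
    # Spray: one source, a single failure against each of eight accounts.
    for i in range(8):
        evs.append(Event(base + timedelta(minutes=10, seconds=30 * i),
                         "198.51.100.4", f"member{i}@example.com"))
    # Benign: a real member mistyping their PIN twice.
    evs.append(Event(base + timedelta(minutes=30), "192.0.2.9", "bob@example.com"))
    evs.append(Event(base + timedelta(minutes=31), "192.0.2.9", "bob@example.com"))
    return sorted(evs)


if __name__ == "__main__":
    evs = constructed_events()
    print("brute force:", detect_brute_force(evs))
    print("spray:", detect_spray(evs))
    print("no lockout, 10,000 tries:", guess_probability(4, 10_000))
    print("lockout after 5 tries:   ", guess_probability(4, 5))
```

The spray detector is the one that matters most for the attack Hypponen describes: each account sees only one or two failures, so a per-account lockout never fires, and only correlating by source (or by device fingerprint, if the IP is rotated) exposes it. The brute-force threshold shows the other side: with an unlimited number of tries an attacker exhausts all 10,000 PINs, while a lockout after five attempts leaves a 0.05% chance per account before the account is frozen and the owner notified.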

Difficulty Reinstating Points

In most cases, it seems that IHG eventually returned the stolen points to readers’ accounts, but not always. TPG reader Tom Brittnacher dealt with a frozen account for days before he got his points back. After six days without a follow-up from IHG, he called back and they refunded the 50,000 points that had been used at the Hotel Indigo in New York.

In other cases, people are still waiting, like Louis L. Gregory, who has Spire Elite status with IHG. He’s had to deal with 30-minute holds and now a frozen IHG Rewards account. It remains to be seen if he will get his points back.

Harmon said that she got her points back, but had to change the email address associated with her account, while Larson had her points reinstated, but under an entirely new account.

Secure Your Account

While far from hack-proof, changing your PIN often can help. It can sometimes be hard to tell when an account has been hacked, so make sure you check your IHG Rewards account often. You can also sign up for a service like AwardWallet that will notify you if there’s been a change in your point balance.

When asked about the security breaches and fraudulent activity, an IHG spokesperson said:

“IHG takes the security of member information very seriously, and we are continuously monitoring our systems. We also encourage members to periodically change their login details to protect the security of their accounts.

Our systems and security do not show any concentrated hacking activity in recent days. However, if IHG Rewards Club members suspect improper activity on their accounts, they are encouraged to contact IHG Rewards Club member services at 1-800-334-5194 or global.fraud.protection@ihg.com.”

Featured image by Andrew Brookes / Getty Images.
