Some IHG Rewards Accounts Hacked, Points Stolen
This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.
One of the world’s largest hotel brands has a problem with hacking. Over the last few weeks, TPG has received multiple reports from readers that their IHG Rewards Club accounts had been hacked. According to those reports, tens of thousands and sometimes almost a million points have been stolen and used for fraudulent hotel bookings, and readers sometimes have had trouble getting their points reinstated. Here’s what happened, and what you can do to make your account more secure.
TPG has received multiple reports from readers (in addition to seeing others across the web) about their IHG accounts being hacked and their points being lost or stolen due to these intrusions. And this isn’t the first time IHG has had cybersecurity issues. In April IHG said that it had been hit by a massive credit card data breach in 2016.
Reader reports of hacks usually involve them checking their IHG account and finding that their points are missing. Some readers have received notifications of activity, while others only found out once they logged into their account.
Most readers don’t even receive notifications when a hotel is booked through their account, like TPG reader Louis L. Gregory, who lost almost one million points through a hack:
Gregory said IHG didn’t recognize that the bookings were fraudulent and that he’s now locked out of his own account because of the breach.
Another TPG reader, Drew B., said that his account was hacked and the intruders booked two 50,000 point nights at the Intercontinental Tokyo. The only way he was notified of the fraud was by a notification received from IHG that he received a 600 point bonus for the stay — although Drew B. was never notified about the booking of the hotel itself.
According to posts in a Flyertalk thread called “Account Hacked, Points Spent,” many people had also their IHG Rewards account hacked. User Triger02 said on Flyertalk,
“Received an email from IHG stating that my account information had been updated about 30 minutes ago. I immediately logged in to find out 260,000 points were redeemed, leaving me with 2XXX points. My address had been changed to a Japanese one, and my email address was also changed.”
Multiple members of the TPG Lounge also commented saying they had points stolen, including Adriene Larson, who said “they stole 210k points from me as an ‘order’ transaction and updated my account to a Tokyo address.”
“Someone booked (an) overseas Asian hotel with my points AND my free night! The request for feedback from my ‘stay’ was my only tip-off this had happened,” added Anita Harmon in the Lounge.
Lack of Strong Security
The most likely reason for the hacks is the lack of strong password protection. IHG only requires a four-digit PIN and an email address to access an account.
Alexi Vereschaga, co-founder of AwardWallet, said that the four-digit pin system isn’t very strong, and other cyber-security experts agree that it’s easier to break into accounts with such a limited number of passwords.
“Basically my thought on this is that if your password is a four-digit PIN then you have 10,000 guesses to find the right one, so all you really need to know is the IHG account number,” said Vereschaga. Vereschaga joked that an entire database of debit card PIN codes has been leaked, and looks something like this.
“A 4-digit pin is absolutely not good enough today. An attacker can easily just run through a large list of know email addresses, try to log in with them and give an obvious number like ’1234’ or ’9999’ as the PIN,” said Mikko Hypponen, a cybersecurity expert and chief research officer at F-Secure Corporation. Hypponen added that when given the choice of choosing a four-digit pin about 20% of people choose their birth year.
“Just this trivial attack might give access to a large amount of accounts,” added Hypponen.
A service like AwardWallet can help notify you if your points go missing, since IHG is inconsistent with this. AwardWallet will send you a push notification as soon as it detects any changes in your IHG Account point balance.
Brian Krebs, founder of the blog Krebs on Security said that IHG should move away from the four-digit pin as a password, and implement CAPTCHA protections to combat automated PIN-guessing attacks.
“My guess is attackers have figured out a way to brute-force the PINs, knowing the user’s email address,” said Krebs.
Difficulty Reinstating Points
In most cases, it seems that IHG eventually returned the stolen points back in to the readers accounts, but not always. It took TPG reader Tom Brittnacher dealing with a frozen account for days before he got his points back. Six days after not receiving a followup from IHG, he called back and they refunded the 50,000 points that had been used at the Hotel Indigo in New York.
In other cases, people are still waiting, like Louis L. Gregory, who has Spire Elite status with IHG. He’s had to deal with 30-minute holds and now a frozen IHG Rewards account. It remains to be seen if he will get his points back.
Harmon said that she got her points back, but had to change the email address associated with her account, while Larson had her points reinstated, but under an entirely new account.
Secure Your Account
While far from hack-proof, changing your pin often can help. It can sometimes be hard to tell when an account has been hacked so make sure you check your IHG rewards account often. You can also sign up for a service like AwardWallet that will help notify you if there’s been a change in your point balance.
When asked about the security breaches and fraudulent activity, an IHG spokesperson said:
“IHG takes the security of member information very seriously, and we are continuously monitoring our systems. We also encourage members to periodically change their log in details to protect the security of their accounts.
Our systems and security do not show any concentrated hacking activity in recent days. However, if IHG Rewards Club members suspect improper activity on their accounts, they are encouraged to contact IHG Rewards Club member services at 1-800-334-5194 or firstname.lastname@example.org.”
Featured image by Andrew Brookes / Getty Images.
Welcome to The Points Guy!
WELCOME OFFER: 80,000 Points
TPG'S BONUS VALUATION*: $1,650
CARD HIGHLIGHTS: 2X points on all travel and dining, points transferrable to over a dozen travel partners
*Bonus value is an estimated value calculated by TPG and not the card issuer. View our latest valuations here.
- Earn 80,000 bonus points after you spend $4,000 on purchases in the first 3 months from account opening. That's $1,000 when you redeem through Chase Ultimate Rewards®. Plus earn up to $50 in statement credits towards grocery store purchases within your first year of account opening.
- Earn 2X points on dining including eligible delivery services, takeout and dining out and travel. Plus, earn 1 point per dollar spent on all other purchases.
- Get 25% more value when you redeem for airfare, hotels, car rentals and cruises through Chase Ultimate Rewards®. For example, 80,000 points are worth $1,000 toward travel.
- With Pay Yourself Back℠, your points are worth 25% more during the current offer when you redeem them for statement credits against existing purchases in select, rotating categories.
- Get unlimited deliveries with a $0 delivery fee and reduced service fees on eligible orders over $12 for a minimum of one year with DashPass, DoorDash's subscription service. Activate by 12/31/21.
- Count on Trip Cancellation/Interruption Insurance, Auto Rental Collision Damage Waiver, Lost Luggage Insurance and more.
- Get up to $60 back on an eligible Peloton Digital or All-Access Membership through 12/31/2021, and get full access to their workout library through the Peloton app, including cardio, running, strength, yoga, and more. Take classes using a phone, tablet, or TV. No fitness equipment is required.