# WM Password Compromised?  Maybe not.



## DaveNV (Jul 3, 2021)

So I attempted to log into the WorldMark website this afternoon.  Nothing unusual about that.  But when I entered my password, I got a warning saying my password had been involved in a data breach, and they recommended I change it.  This gives me tremendous pause.  My WorldMark password is one I made up specifically for that site.  it is not recorded anywhere, and is not used anywhere except in the one place on the WM site.  For it to be involved in a data breach is bad enough, but for WorldMark to not say anything?  That seems pretty reckless, and very poor site management.

So in the name of safety, I changed my password.  It said it recorded the change, and all was well.  But then, when I tried to log in using the new password, I got a new warning, saying either my password or Member Number weren't valid.  I knew the Member Number was correct, so I reentered the new password.  Same thing.  I did it a third time.  Same thing.  So I entered my old password instead, and it let me right in on the first try.  Say what??

What's up with the WorldMark website?  Has this happened to anyone else?

Dave


----------



## travelhacker (Jul 3, 2021)

DaveNV said:


> So I attempted to log into the WorldMark website this afternoon.  Nothing unusual about that.  But when I entered my password, I got a warning saying my password had been involved in a data breach, and they recommended I change it.  This gives me tremendous pause.  My WorldMark password is one I made up specifically for that site.  it is not recorded anywhere, and is not used anywhere except in the one place on the WM site.  For it to be involved in a data breach is bad enough, but for WorldMark to not say anything?  That seems pretty reckless, and very poor site management.
> 
> So in the name of safety, I changed my password.  It said it recorded the change, and all was well.  But then, when I tried to log in using the new password, I got a new warning, saying either my password or Member Number weren't valid.  I knew the Member Number was correct, so I reentered the new password.  Same thing.  I did it a third time.  Same thing.  So I entered my old password instead, and it let me right in on the first try.  Say what??
> 
> ...


I've seen these pop up as a warning from Chrome. Is that how you saw this message? Essentially Google keeps track of compromised passwords and warns you not to use a password that is associated with you that has been compromised.

Here's a blog on how this works:








						Better password protections in Chrome - How it works
					

Posted by Patrick Nepper, Kiran C. Nair, Vasilii Sukhanov and Varun Khaneja, Chrome Team     Today, we announced  better password protection...




					security.googleblog.com
				




It could also be a worldmark specific warning, and I would guess it works in a similar way, but perhaps Worldmark found they were compromised and are now advising users to change their passwords.


----------



## DaveNV (Jul 3, 2021)

I'm not using Chrome.  I also don't use that WM password anywhere else. So if it was compromised, it happened specifically on the WM site.

If it wasn't compromised, then why would their website tell me it was?  The pop-up looked the same as the other pop-ups I've seen on the WM site.

Dave


----------



## easyrider (Jul 5, 2021)

Something is wrong regarding Wyndham's software. My reservation for this next trip says Welcome to Seaside and then right below that has all the info for McCall. I'm going to call the resort to make sure they have my reservations.

As far as passwords go I was told on a different forum to never use a link to change a password. 

Bill


----------



## sjsharkie (Jul 6, 2021)

DaveNV said:


> So I attempted to log into the WorldMark website this afternoon.  Nothing unusual about that.  But when I entered my password, I got a warning saying my password had been involved in a data breach, and they recommended I change it.  This gives me tremendous pause.  My WorldMark password is one I made up specifically for that site.  it is not recorded anywhere, and is not used anywhere except in the one place on the WM site.  For it to be involved in a data breach is bad enough, but for WorldMark to not say anything?  That seems pretty reckless, and very poor site management.
> 
> So in the name of safety, I changed my password.  It said it recorded the change, and all was well.  But then, when I tried to log in using the new password, I got a new warning, saying either my password or Member Number weren't valid.  I knew the Member Number was correct, so I reentered the new password.  Same thing.  I did it a third time.  Same thing.  So I entered my old password instead, and it let me right in on the first try.  Say what??
> 
> ...


Dave, based on your description, this is a browser warning.  The browser is checking databases of credentials involved in known breaches -- and reporting to you that this particular password has been exposed in a previous breach.  WorldMark is not involved in the warning in this case -- what your browser is recommending that you change your password via the WorldMark site.  I'd recommend using a password manager solution like LastPass to store unique passwords for each site you visit.

On why your password is not being changed by WorldMark, not sure.  You should have gone to your profile on the WorldMark site and changed it there -- changing it in your browser vault will not change it on the WorldMark site for example.  It is important because over time, hackers will attempt to monetize these password lists and they could potentially do that through a site like WorldMark.  (I just changed my password on WorldMark and it worked so not sure why you are seeing the behavior above when changing your password other than my guess above.)

Good luck.

-ryan


----------



## sjsharkie (Jul 6, 2021)

Oh, and here's a good, safe site to check for yourself if your email address has been involved in a breach:


			https://haveibeenpwned.com/
		


... and if your password has been compromised in a breach:








						Have I Been Pwned: Pwned Passwords
					

Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.




					haveibeenpwned.com
				




It is considered safe (nothing is ever 100% risk free, but this site is as close as you will get) -- it is run by Troy Hunt, a well-known Microsoft security expert.

-ryan


----------



## DaveNV (Jul 6, 2021)

Thank you, Ryan, for that info.  You may be exactly right - I am certainly willing to hang the blame on my browser.    I use Safari on a Mac, so who knows what sort of shenanigans it's pulling in the background.  The thing is, I did change the password at the WorldMark site, or at least I thought I did. And I have never used that password anywhere but at the WM site. So if it truly associated that password with that username, then the only place a breach could have occurred would be on the WM site - if it was even real.

Nothing has happened since then, and I have not been challenged again, so I don't know what the heck it was all about.  I'm pretty smart about computer stuff, and this one was a strange one.    

Dave


----------



## Ty1on (Jul 6, 2021)

DaveNV said:


> Thank you, Ryan, for that info.  You may be exactly right - I am certainly willing to hang the blame on my browser.    I use Safari on a Mac, so who knows what sort of shenanigans it's pulling in the background.  The thing is, I did change the password at the WorldMark site, or at least I thought I did. And I have never used that password anywhere but at the WM site. So if it truly associated that password with that username, then the only place a breach could have occurred would be on the WM site - if it was even real.
> 
> Nothing has happened since then, and I have not been challenged again, so I don't know what the heck it was all about.  I'm pretty smart about computer stuff, and this one was a strange one.
> 
> Dave



I know you know this, but for those reading this that may not.....

Never, ever, follow a link or fill out a form that pops up suggesting you change your password.  It may be on the up and up, or it may be phishing, even if it looks like it is from your legitimate website.  Open a new browser window, log onto the site for which a pw change was suggested, and follow the normal password change procedure there.  Also, if you think you changed your password but find that you didn't when you try to log on, change your pw as I described immediately, your first attempt may have given your actual pw away to a phish.


----------



## DaveNV (Jul 6, 2021)

Ok, I just went to WorldMark's website.  I logged in normally, using the password I've had all along.  It let me in just fine.  I then clicked the "Change Email, Password, or Notifications" link at the bottom of the page.  I entered a brand new password, and re-entered it, as requested.  At the bottom of the page I had to enter my current password, and clicked Submit.  It said I had changed my password.

I logged out, then tried to log in again, using the brand new password I'd created.  It said "Your Owner Number of Password is Invalid."

I then logged in using the old password, and it let me in like nothing is wrong.

So something isn't working.    

Dave


----------

