bonvoy account hacked

lorenmd (TUG Member; joined Sep 30, 2010; messages: 398; reaction score: 90; location: seattle)
i know it's not vistana but they are linked. bonvoy security wasn't good enough to prevent hackers. they got my account information, requested to change my email address, then requested to change my cell phone number, then changed my password, and from there, they used up all my points making hotel reservations. all they had to do was add their name on as my guest. the first couple had a nice 200k stay at the westin, but then i happened to check my account through the app on my phone which kept me logged in, and i saw that i had two hotel check ins scheduled for today. i sent a chat immediately and called bonvoy. they were able to see that the changes happened dec 24. two couples had already checked in. i got their phone number and email. then we were able to change everything back to my name. then they locked the couples out of their rooms and called the police. somehow one couple was able to get housekeeping to let them in, they grabbed their stuff and left. the other couple in seattle was confronted. needless to say it is quite concerning that bonvoy did not have some security in place to notify the email on file for the last 20 years, that a request had been made to change. they messed up. all my points will be reinstated, but they still messed up. I also had my amex card as a guarantee so amex stepped in too. need to check vistana to make sure they didn't screw that account up but a week long stay is probably not something they want to try and hack. Happy New Year everyone. travel will resume someday
 
That sucks.


Sent from my iPad using Tapatalk
 
Good they responded quickly and tracked them down. Seems like a stupid hack as it's not hard to find them in your room!!

Not sure what you mean by "Bonvoy security wasn't good enough to prevent hackers." I doubt they hacked Bonvoy. You said one couple stayed in Seattle, were the others as well? Sounds like an "inside" job, like someone in Seattle. Maybe someone you know?
 
Good they responded quickly and tracked them down. Seems like a stupid hack as it's not hard to find them in your room!!

Not sure what you mean by "Bonvoy security wasn't good enough to prevent hackers." I doubt they hacked Bonvoy. You said one couple stayed in Seattle, were the others as well? Sounds like an "inside" job, like someone in Seattle. Maybe someone you know?
no the other was in DC. they saw places i had stayed and sold my points to people who wanted to stay there. not an inside job. the person who answered the phone had a foreign accent. yes they hacked bonvoy. bonvoy told me it was happening to them across the country. loyalty members are not really traveling so we aren't noticing our accounts. i just happened to need a hotel at the airport tonight or i would never have spotted the two check ins from today
 
They almost got my Chase Rewards Miles but I got notification of email, phone and address changes on my account and called right away. They had already started stealing them but Chase was able to stop it and reverse the transfer. My address was changed to somewhere in Texas but the email ended with .us making me think they are not in the U.S. They hit several accounts including my Bonvoy account but either Chase restored them or the account was locked before they got them.
 
I use awardwallet to track all my loyalty points. It updates the accounts and keeps track of when all the points expire. It would have kicked out an error message about an inability to update the account because of an incorrect password.
 
needless to say it is quite concerning that bonvoy did not have some security in place to notify the email on file for the last 20 years
I know some websites will send an email to the previous email address when the email address is updated. Did that not happen?

Question about your password. Did you use the password with any other websites or even email accounts? I had this happen a few years ago with our Yahoo email and MyPoints. Yahoo has been compromised more times than anyone can count. I was using the same password for my email that I was using for MyPoints. When they got access to the Yahoo email account, they could easily see that I was getting emails from MyPoints. So they then just tried my email password in MyPoints and it worked. They burnt through my MyPoints by redeeming for Amazon gift cards. Since they had access to the email, they redeemed those codes on Amazon right away. My lesson learned here is to never use the same password for different accounts. You can use password keeper software to generate random complex passwords for each website and then have the program remember those. Google Chrome has something similar if you work entirely in the Chrome ecosystem.
 
What could have happened here was that whoever hacked your account and made the reservations turned around and rented them for cash. So the person actually staying in the room wasn't necessarily the hacker and could also be a victim.
 
<clip>My address was changed to somewhere in Texas but the email ended with .us making me think they are not in the U.S. <clip>
Actually it should show they were in the US...

Per wikipedia:
.us is the Internet country code top-level domain (ccTLD) for the United States. It was established in early 1985. Registrants of .us domains must be U.S. citizens, residents, or organizations, or a foreign entity with a presence in the United States.
 
I know some websites will send an email to the previous email address when the email address is updated. Did that not happen?

Question about your password. Did you use the password with any other websites or even email accounts? I had this happen a few years ago with our Yahoo email and MyPoints. Yahoo has been compromised more times than anyone can count. I was using the same password for my email that I was using for MyPoints. When they got access to the Yahoo email account, they could easily see that I was getting emails from MyPoints. So they then just tried my email password in MyPoints and it worked. They burnt through my MyPoints by redeeming for Amazon gift cards. Since they had access to the email, they redeemed those codes on Amazon right away. My lesson learned here is to never use the same password for different accounts. You can use password keeper software to generate random complex passwords for each website and then have the program remember those. Google Chrome has something similar if you work entirely in the Chrome ecosystem.
that was my biggest question. why did you not send an email to the original email on file saying your account email has been changed. if you did this then ignore. if you did not then please contact us. that is the standard, and when instacart was hacked and then bonvoy i never received those emails. the chat function at the hotel desks works very well though. i sent chat that it was a fraudulent check in while i was on a long hold to talk to bonvoy and then the front desk knew something was happening. they did need to wait to hear from bonvoy before they locked the guests out. the guests probably bought the points and one was instructed to say he was my son in law. nope
 
What could have happened here was that whoever hacked your account and made the reservations turned around and rented them for cash. So the person actually staying in the room wasn't necessarily the hacker and could also be a victim.
yes i think that's what goes on but they were instructed to say they were my son in law so they knew it was illegal activity
 
that was my biggest question. why did you not send an email to the original email on file saying your account email has been changed. if you did this then ignore. if you did not then please contact us. that is the standard, and when instacart was hacked and then bonvoy i never received those emails. the chat function at the hotel desks works very well though. i sent chat that it was a fraudulent check in while i was on a long hold to talk to bonvoy and then the front desk knew something was happening. they did need to wait to hear from bonvoy before they locked the guests out. the guests probably bought the points and one was instructed to say he was my son in law. nope

That is how I was notified, but I think maybe you need to sign up for those notifications in your account.
 