User data of Hilton Hotels have been put on sale on a dark web forum. A forum user under the alias IntelBroker has offered a database of 3.7 million records, belonging to the Hilton Hotels Honors program. The Hotel group and independent analysts have verified that the tranche the details of only about 500,000 Honors accounts.
“Today I have uploaded the Hilton Hotels Honors 2017 Database for you to download,” said the post.
At this time, we can confirm that the 3.7 million records referenced relate to data for approximately 500,000 Honors Members, accounting for less than 0.5 percent of our overall membership,” the hotel group spokesperson told The Cyber Express.
“We are investigating this report closely and taking all appropriate measures to ensure the continued security of our Hilton Honors members’ and guests’ information.”
According to IntelBroker, a hacker forum user, a database of 3.7 million users belonging to the Hilton Hotels Honors has been leaked. According to them, the data contains information such as honors id, address, name, and so on. #UnitedStates 🇺🇸#darkweb #databreach #cyberrisk pic.twitter.com/Km6iZbI0tI
— FalconFeedsio (@FalconFeedsio) January 24, 2023
Hilton Hotels, Honors, and breaches
The threat actor claims that the sample is from a database of users belonging top the Hilton Hotels Honors program, which was stolen by hackers in January 2023.
The Hilton Honors program offers four credit card options, including three for personal use and one for small businesses. All these cards are provided by American Express.
The sample data of Hilton Honors user information shared by the threat actor appears to be from Hilton Tucson El Conquistador Golf & Tennis Resort at Arizona, USA. The reservations show the dates in June 2017, corroborating the threat actor’s statement.
The sample had details such as Honors ID, hotel property, city, state, country, customer’s first name and last name, check in and check out details, room type code etc.
The threat actor under the alias IntelBroker has been active on the forum since October 2022. The person has made over 445 posts over the three month period in the forum.
Hilton Hotels Honors and previous breaches
In November 2015, Hilton Worldwide disclosed a data breach that happened in 2014 and 2015, which affected an unknown number of hotels, customers and payment cards.
Security journalist Brian Krebs reported about the breach at Hilton in September 2015. However, the Hotel group continued to deny any knowledge of the breach for months before conceding that the incident happened indeed.
The group then disclosed that unauthorized malware targeted payment card information in some of its point-of-sale systems.
Krebs raised an alarm in March 2015 about the Hilton Hotels Honors program. At that time, the company was offering 1,000 free awards points to Hilton Honors Awards members who agreed to change their passwords for the online service before April 1, 2015.
However, security researchers Brandon Potter and JB Snyder tracked this campaign and discovered a flaw in the site that allowed anyone to take control of a Hilton Hotels Honors account by simply knowing or guessing its valid 9-digit account number.
The researchers could log in to a Hilton Hotels Honors account and could hijack any other account with just the account number and by altering the site’s HTML content and reloading the page, Krebs reported in March 2015.