Back in April, we started hearing from readers and travelers that Hilton Honors points were being stolen through Amazon. Somehow, Hilton Honors accounts were being fraudulently linked to an unknown Amazon account, and the Hilton points were then used to make purchases through the shop-with-points feature that Hilton and Amazon offer.

Months later, it's clear the situation hasn't been resolved. We still hear from users almost daily that huge sums of Hilton Honors points have been taken from their accounts. And though many report some success in getting those points restored, there's an ongoing problem.

But not according to Hilton. In a statement to Thrifty Traveler, the hotel chain urged any member who has had points stolen from their account to reach out to Hilton at 1 (800) 548-8690 or through the Hilton Honors Support Page. They vowed to “investigate and make the member whole,” but suggested these issues are relatively minor.

“We ask you to keep in mind the context of our 89+ million member program, as we don’t want to create the incorrect impression that our systems have been breached or there is a widespread issue,” a hotel chain spokeswoman said.

The Hilton spokeswoman did not respond to several questions about the scope of the issue and how many accounts may have been affected.

 

How are Hilton Points Being Stolen?

Hilton has a massive reach, so what qualifies as a “widespread issue” is relative. But it seems clear that many users have logged into their Hilton accounts only to find a stash of points has been stolen. It's not an isolated problem.

While Hilton has vowed to restore points for affected users, it's unclear how long that process takes – we've heard from many travelers who are still waiting weeks later.

The problem goes back to the ability to use Hilton points for purchases at Amazon, one of several changes Hilton made to its Honors program back in 2017. By linking your Hilton and Amazon accounts, you can buy things on Amazon by using Hilton points at a rate of 0.02 cents each – so 500 points = $1 on Amazon. This is a poor value and we wouldn't recommend using Hilton points on Amazon.

But here's the big issue: There is nothing stopping you, or any user, from linking a Hilton Honors loyalty account to an Amazon account under a different name. It seems hackers gain control of Hilton Honors accounts, then connect a different Amazon account. From there, they can use the points to shop on Amazon.

If that happens, users get the following email, and shortly afterward, all of their Hilton Honors points disappear as they are used to make purchases via an unknown Amazon account.

 

[Image: the email users are getting after their accounts are hacked.]

 

The simple solution here appears to be a verification process to ensure the owners of the Hilton Honors and Amazon accounts are the same person. It seems that's not in the cards, at least not yet.
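What such a check could look like on the loyalty program's side, as an added example that is not Hilton's or Amazon's code: it holds a link when the names differ or when an account already has a linked Amazon account, and blocks a large redemption that follows shortly after. The event fields, thresholds, function names and sample data are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds, chosen for illustration only.
DRAIN_WINDOW = timedelta(hours=24)   # how long a held link stays "recent"
DRAIN_SHARE = 0.5                    # share of the balance that counts as a drain

def normalize(name):
    # Naive comparison key; a real check would verify identity, not just names.
    return " ".join(name.lower().split())

def review(member_name, balance, events):
    """Return (timestamp, reason) alerts for one loyalty account.

    events is time-ordered; each item is a hypothetical record:
      {"type": "link", "ts": datetime, "retail_name": str}
      {"type": "redeem", "ts": datetime, "points": int}
    """
    alerts, links, risky_link_ts = [], 0, None
    for ev in events:
        if ev["type"] == "link":
            links += 1
            reasons = []
            if normalize(ev["retail_name"]) != normalize(member_name):
                reasons.append("name mismatch")
            if links > 1:
                reasons.append("additional linked account")
            if reasons:
                risky_link_ts = ev["ts"]
                alerts.append((ev["ts"],
                               "hold link for verification: " + ", ".join(reasons)))
        elif ev["type"] == "redeem":
            recent = (risky_link_ts is not None
                      and ev["ts"] - risky_link_ts <= DRAIN_WINDOW)
            if recent and ev["points"] >= DRAIN_SHARE * balance:
                alerts.append((ev["ts"],
                               "block redemption: large spend soon after unverified link"))
            balance -= ev["points"]
    return alerts

# Constructed sample: the owner links and spends a little, then a second,
# differently named retail account is linked and most points are spent.
T0 = datetime(2019, 1, 1, 9, 0)
SAMPLE = [
    {"type": "link", "ts": T0, "retail_name": "Pat Example"},
    {"type": "redeem", "ts": T0 + timedelta(days=1), "points": 5000},
    {"type": "link", "ts": T0 + timedelta(days=30), "retail_name": "Unknown Buyer"},
    {"type": "redeem", "ts": T0 + timedelta(days=30, minutes=20), "points": 190000},
]
```

Calling `review("Pat Example", 200000, SAMPLE)` returns two alerts, one for the second link and one for the redemption twenty minutes later; the owner's own link and small purchase raise none.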

The Hilton spokeswoman encouraged members to “protect Hilton account information the same way they would an email or bank account, which includes reviewing account transactions on a regular basis and using strong passwords that are frequently changed.”

 

How Can You Protect Yourself?

Because hackers appear to be accessing Hilton accounts, we strongly recommend updating your Hilton Honors account password. It's hard to know for sure, but these hackers may be gaining access to Hilton accounts through a past data breach, perhaps one that exposed other accounts where users have the same login credentials as with Hilton. Updating your password should help stop this problem in its tracks.

Unfortunately, our research shows that you can have multiple Amazon accounts linked to the same Hilton account, so proactively linking to your Amazon account won't be enough to stop the potential theft of your Hilton Honors points.

 

Bottom Line

The scope of this breach is a mystery, but it seems obvious there is a serious problem here. Months later, we still constantly hear from readers about points getting stolen.

Make sure to update your Hilton Honors account password, as a compromised login appears to be where the fraudulent activity starts.