Several folks had their Starwood Preferred Guest accounts drained over the past week, many of whom have shared their stories with me.
[A] Starwoods-specific account-checking tool that was released for free on Leakforums[dot]org, an English-language forum dedicated to helping (mostly low-skilled) misfits monetize compromised credentials from various online services, particularly e-retailers, cloud-based services and points or rewards accounts.
What it did was simply let folks check whether usernames and passwords stolen in other breaches also worked against Starwood accounts, the attack now generally called credential stuffing.
Since most people use their email address as a user ID and reuse the same password across many sites, simply replaying a database of stolen email addresses and passwords against another site will produce a good hit ratio.
Not everyone on one site is a member of another, and of course some people do use different usernames and passwords, so most pairs will fail. But the attacker does not need most of them to work; even a small fraction of hits across a large stolen database is a lot of accounts.
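From the site's side, a stuffing run looks quite different from a legitimate user mistyping a password: one source trying many distinct accounts with a low success rate, rather than one account being retried a few times. The script below, added here as an illustration and not part of the original post or of any Starwood tooling, runs that check over a small constructed login log. The log format, the field names and the thresholds are assumptions made for the example.

```python
"""Spot credential-stuffing runs in a web login log.

Credential stuffing replays username/password pairs leaked from other
breaches against a target site.  Seen from the target, it is one source
touching MANY DISTINCT accounts with a low success rate, whereas a real
user retries ONE account a few times.  The log format and the thresholds
below are assumptions made for this example, not any vendor's format.
"""
import re
from collections import defaultdict

# Constructed sample log, not real Starwood data.  203.0.113.5 is a user
# mistyping a password; 198.51.100.7 is replaying a breach dump.
SAMPLE_LOG = """\
2015-11-10T08:01:02Z src=203.0.113.5 user=alice@example.com result=FAIL
2015-11-10T08:01:09Z src=203.0.113.5 user=alice@example.com result=FAIL
2015-11-10T08:01:20Z src=203.0.113.5 user=alice@example.com result=OK
2015-11-10T08:02:00Z src=198.51.100.7 user=bob@example.com result=FAIL
2015-11-10T08:02:01Z src=198.51.100.7 user=carol@example.net result=FAIL
2015-11-10T08:02:01Z src=198.51.100.7 user=dave@example.org result=OK
2015-11-10T08:02:02Z src=198.51.100.7 user=erin@example.com result=FAIL
2015-11-10T08:02:02Z src=198.51.100.7 user=frank@example.net result=FAIL
2015-11-10T08:02:03Z src=198.51.100.7 user=grace@example.org result=OK
2015-11-10T08:02:03Z src=198.51.100.7 user=heidi@example.com result=FAIL
2015-11-10T08:02:04Z src=198.51.100.7 user=ivan@example.net result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, source, user, success) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["user"].lower(), m["result"] == "OK"


def detect_stuffing(text, min_accounts=5, max_success_rate=0.5):
    """Return {source: summary} for sources that look like stuffing runs.

    A source is flagged when it touched at least `min_accounts` distinct
    usernames and its success rate is at or below `max_success_rate`.
    The summary also lists the accounts that DID log in from that source:
    those are the likely reused-password accounts that need a forced
    reset, which matters more than blocking the source itself.
    """
    by_src = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "hit": set()})
    for _ts, src, user, success in parse_log(text):
        s = by_src[src]
        s["attempts"] += 1
        s["users"].add(user)
        if success:
            s["ok"] += 1
            s["hit"].add(user)

    flagged = {}
    for src, s in by_src.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_accounts and rate <= max_success_rate:
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(rate, 2),
                "compromised": sorted(s["hit"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

On the sample log only 198.51.100.7 is flagged, with dave@example.org and grace@example.org as the accounts that accepted a reused password. Grouping by source address is the simplest form of this check; a real checker is usually spread across proxies, so the same aggregation is normally repeated per ASN, per user-agent string, and over the site's overall failure rate.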
- Every site will tell you to use a unique strong password
- Every site will tell you to change your password regularly
- Nobody does it, and few sites are really serious about it
In fact, most sites don’t really want you to use a unique strong password that you change all the time, because if you do you’re going to forget it and won’t be able to get into their site easily. And they want you to engage with their site easily and regularly.
There’s not a great solution to the conflict between those commercial needs and security needs. Unique passwords are what actually defeat this kind of attack: a stolen password is useless against Starwood if it was never used at Starwood. Regular changes help only against mass breaches, which is how most data is taken nowadays, and only if the stolen password has been rotated out by the time someone tries it. But unique passwords also mean people will forget them, so they write them down, in a central place, often in a spreadsheet on their computer or in a Gmail account, which is only as secure as that computer or that Gmail login. A dedicated password manager with an encrypted vault is the less bad version of writing them down, but it still asks people to do something most of them won’t.
How much does a hacked Starwood account bring?
One seller advertised a Starwood account with 70,000 points for sale at just $3, while accounts with about 40,000 points sold for $1.50.
What’s amazing is that that’s even less than what Hilton points sell for on the DarkNet.
Starwood’s Chris Holdren assures members that no one will lose a single point over this hack. That’s great, and it’s important for assuring continued guest engagement and loyalty. But it’s also the kind of indemnification that ensures members have little incentive to change behavior — since it’s costless to use the same password, almost everyone will continue to do so.
With all the hacks, are you changing your passwords? Do you think you’ll remain vigilant going forward?