How Starwood Got Hacked Over the Past Week

Several folks had their Starwood Preferred Guest accounts drained over the past week, many of whom have shared their stories with me.

Krebs on Security has the story on how it happened.

[A] Starwoods-specific account-checking tool that was released for free on Leakforums[dot]org, an English-language forum dedicated to helping (mostly low-skilled) misfits monetize compromised credentials from various online services, particularly e-retailers, cloud-based services and points or rewards accounts.

What the tool did was simple: it let its users test whether email and password pairs stolen in other breaches also worked on Starwood accounts. This is credential stuffing, not a break-in at Starwood itself.

Since most people use their email address as their user ID, and reuse the same password across many sites, replaying a database of stolen usernames and passwords against another site yields a meaningful hit rate.

Not everyone with an account on one site has one on another, and some people do use different usernames or passwords, so only a fraction of the stolen pairs will work. With a large enough list, that fraction is plenty.
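What this looks like from the defender's side, as an added example that is not code from the post or from the Krebs report: a stuffing run shows up in authentication logs as one source trying many distinct usernames with a high failure ratio, and the handful of successes from that source are the accounts whose owners reused a breached password. The log format, the sample lines and the thresholds below are constructed assumptions for illustration; real tooling would also need to cope with campaigns spread across many proxy IPs.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example, not code from the original post. The log format
(time ip user OK|FAIL), the sample lines and the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log: one source (203.0.113.7) sprays many accounts;
# a legitimate user (198.51.100.20) mistypes once and then logs in.
SAMPLE_LOG = """\
2015-11-02T10:00:01Z 203.0.113.7 alice@example.com FAIL
2015-11-02T10:00:02Z 203.0.113.7 bob@example.com FAIL
2015-11-02T10:00:02Z 203.0.113.7 carol@example.com OK
2015-11-02T10:00:03Z 203.0.113.7 dave@example.com FAIL
2015-11-02T10:00:03Z 203.0.113.7 erin@example.com FAIL
2015-11-02T10:00:04Z 203.0.113.7 frank@example.com OK
2015-11-02T10:00:04Z 203.0.113.7 grace@example.com FAIL
2015-11-02T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2015-11-02T10:01:10Z 198.51.100.20 alice@example.com FAIL
2015-11-02T10:01:25Z 198.51.100.20 alice@example.com OK
2015-11-02T10:02:00Z 192.0.2.9 bob@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def profile_sources(events):
    """Per source IP: distinct usernames tried, attempt/failure counts, successes."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "failures": 0, "successes": set()})
    for e in events:
        s = stats[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["successes"].add(e["user"])
        else:
            s["failures"] += 1
    return stats


def flag_stuffing(events, min_distinct_users=5, min_failure_ratio=0.5):
    """Return {ip: sorted accounts that logged in successfully from ip} for every
    source that looks like a stuffing run: many distinct usernames plus a high
    failure ratio. Thresholds are assumed; tune them per site."""
    flagged = {}
    for ip, s in profile_sources(events).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = sorted(s["successes"])
    return flagged


def accounts_to_reset(events, **thresholds):
    """Accounts that authenticated from a flagged source: the reused-password
    victims that need a forced reset and a notification."""
    victims = set()
    for users in flag_stuffing(events, **thresholds).values():
        victims.update(users)
    return sorted(victims)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, hits in flag_stuffing(evs).items():
        print(f"{ip}: stuffing source, accounts it got into: {hits}")
    print("force reset:", accounts_to_reset(evs))
```

The legitimate user who fails once and then succeeds is not flagged, because the rule keys on many distinct usernames from one source, not on failures alone. Grouping by IP is the simplest cut; a tool like the one Krebs describes can be run through proxies, in which case the same logic should be applied to other shared attributes (user agent, request timing, the order in which usernames are tried).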

  • Every site will tell you to use a unique strong password
  • Every site will tell you to change your password regularly
  • Nobody does it, and few sites are really serious about it

In fact, most sites don’t really want you to use a unique strong password that you change all the time. Because if you do you’re going to forget it, and you won’t be able to easily access their site. And they want you to easily, regularly, engage with their site.

There’s not a great solution to the commercial needs which conflict with security needs. A password that is unique to each site is what actually defeats this kind of mass credential replay, which is how most accounts are taken over nowadays; changing passwords on a schedule adds much less, and current guidance (NIST SP 800-63B, for example) no longer recommends mandatory periodic rotation. But unique passwords also mean that people will forget them, so they write them down. In a central place. Often in a spreadsheet, on their computer or in a gmail account. Which is hackable.

How much does a hacked Starwood account bring?

One seller advertised a Starwood account with 70,000 points for sale at just $3, while accounts with about 40,000 points sold for $1.50.

What’s amazing is that that’s even less than what Hilton points sell for on the DarkNet.

Starwood’s Chris Holdren assures members that no one will lose a single point over this hack. That’s great, and it’s important for assuring continued guest engagement and loyalty. But it’s also the kind of indemnification that ensures members have little incentive to change behavior — since it’s costless to use the same password, almost everyone will continue to do so.

With all the hacks, are you changing your passwords? Do you think you’ll remain vigilant going forward?

(HT: @LDRydr)

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel, a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.

  1. This hack and other similar recent attacks are the single most important reason that loyalty programs should allow services such as AwardWallet access to their accounts. If you check your balance every day, you will quickly be able to catch any kind of theft such as these attacks at Starwood. Companies such as United and Delta should be ashamed of themselves for blocking AwardWallet.

  2. “There’s not a great solution to the commercial needs which conflict with security needs.”

    Sure there is: password managers. Only one strong password is required, and you can enable two-factor authentication.

  3. One solution to this problem could be that a layer of authentication is added any time you are going to pull points out of your account. So let’s say you are going to transfer out 10,000 points; then you have to put in a code sent via text message or email (and of course, Starwood should send an email and/or text message if you change your contact information).

  4. I have hundreds of logins. Impossible to change passwords, even when using Roboform or other password manager. I’d be constantly changing. Best way is two factor authentication for accounts that matter. I’m amazed how weak many financial institutions logins are.

    But there have been more hacks of SPG than this recent one. Plenty of people on FT have mentioned their accounts have been hacked over the last year.

  5. @paul, look at the popular password managers. I know at least 2 or 3 of them allow you to do a mass change of all saved passwords with just a few clicks. It does only work at major sites, but that takes care of your biggest risks.
    Most of the password managers also allow some sort of 2FA for the “master” password.

  6. To create a different password for each site, but one that you can always remember, do something like this: evergreen_____22#. In the blank put the name of the web site…amazon, flickr, chase, newyorktimes, wherever it is you’re using your password. So your amazon password would be evergreenamazon22#

  7. Brian Cohen claims his SPG password was unique. Don’t know if that’s the truth or not but that’s what he says. I’m inclined to go with Krebs here myself.

    And I second what others have said: use a password manager. There are a number of good ones. I use LastPass, but 1Password is very popular as well. Get used to using it. It’s only a slight pain in the ass.

  8. @Andrew, while that’s better than reusing the same identical password everywhere, it’s only slightly so. Any hacker who has obtained a password database will know what site they got it from. If they see username : password = Andrew:evergreenviewfromthewing22#, one of the first things they will try is Andrew:evergreenSPG22# to see if you have an SPG account, evergreenamex22# for an Amex account, etc.

    So, if that’s your password convention, at least make sure to use a nickname for the site, rather than the site itself. For example use “jungle” instead of “amazon”. That’s still not ideal, but it is a further step in the right direction.
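To make comment 8's point concrete, here is an added example in Python; it is not code from the post or from any commenter. It derives the template from one leaked site-keyed password and produces the guesses for other sites, and it goes one step beyond the comment: the nickname variant ("jungle" for Amazon) survives a single leak, but two leaked passwords built on the same template give the shared prefix and suffix away. The leaked pairs and the site list are constructed for illustration; `random_password` stands in for what a password manager generates.

```python
"""How much a site-keyed password template leaks once one copy is breached.

Added example, not code from the post or its commenters. The leaked pairs,
the site list and the "{site}" template notation are constructed assumptions.
"""
import secrets
import string


def derive_template(site, password):
    """If the leaked password embeds the site name (case-insensitive), return
    the template with that part replaced by "{site}"; otherwise None."""
    idx = password.lower().find(site.lower())
    if idx < 0:
        return None
    return password[:idx] + "{site}" + password[idx + len(site):]


def guess_for_sites(template, sites):
    """Candidate passwords an attacker would try at each other site."""
    return {s: template.replace("{site}", s) for s in sites}


def common_template(pw_a, pw_b):
    """Given two leaked passwords from different sites, recover the shared
    prefix and suffix; the varying middle is the per-site part. Returns None
    when the two share nothing at either end."""
    n = min(len(pw_a), len(pw_b))
    p = 0
    while p < n and pw_a[p] == pw_b[p]:
        p += 1
    s = 0
    while s < n - p and pw_a[-1 - s] == pw_b[-1 - s]:
        s += 1
    if p == 0 and s == 0:
        return None
    suffix = pw_a[len(pw_a) - s:] if s else ""
    return pw_a[:p] + "{site}" + suffix


def random_password(length=20):
    """What a password manager does instead: an independent random secret per
    site, with no template to recover."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed leaked data, modelled on the pattern discussed above.
LEAKED_SITE, LEAKED_PASSWORD = "amazon", "evergreenamazon22#"
OTHER_SITES = ["spg", "amex", "chase", "newyorktimes"]
# Nickname variant: "jungle" for Amazon, "desert" for some other site.
NICKNAME_LEAK_A = "evergreenjungle22#"
NICKNAME_LEAK_B = "evergreendesert22#"


def attacker_view():
    """Everything an attacker can derive from the constructed leaks."""
    tmpl = derive_template(LEAKED_SITE, LEAKED_PASSWORD)
    return {
        "template_from_one_leak": tmpl,
        "guesses": guess_for_sites(tmpl, OTHER_SITES) if tmpl else {},
        # One nickname leak alone does not reveal the site name...
        "nickname_single_leak": derive_template("amazon", NICKNAME_LEAK_A),
        # ...but two leaks from the same scheme reveal the template anyway.
        "nickname_two_leaks": common_template(NICKNAME_LEAK_A, NICKNAME_LEAK_B),
    }


if __name__ == "__main__":
    for key, value in attacker_view().items():
        print(f"{key}: {value}")
    print("manager-style password:", random_password())
```

The nickname only buys time until a second site using the same scheme is breached, which with today's breach volume is a matter of when. A generated password has no shared prefix or suffix for `common_template` to find, which is why the password-manager suggestion in the earlier comments is the real fix rather than a cleverer template.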

  9. “But it’s also the kind of indemnification that ensures members have little incentive to change behavior — since it’s costless to use the same password, almost everyone will continue to do so.”

    @Gary – I’d disagree here, at least with the specific claim that it’s “costless” to have your account hacked. It’s a PITA if the hacker changes anything (might not have in this case, but they’ll wise up soon enough) like your email address, name, or password. And that PITA, completely ignoring the stress involved, takes time to sort out. It’s also not like a credit card, where you at least know the law (FCRA) is on your side if you report the theft in a timely manner.

    Those are all real costs, and strong disincentive to allowing hackers to easily steal your credentials. I say that as someone who constantly reminds others not to worry about having their credit card information stolen specifically because of the strong legal protections (and robust risk management at AmEx!).
