My IHG Rewards Club Account was Hacked, Here’s what I Did Next…

Good morning everyone, I hope you had a great weekend. I am happy to report that I avoided a potentially very bad weekend because I found out that my IHG Rewards Club account was hacked on Friday! This is not the first time IHG accounts were hacked. Travel Codex covered a similar story where 2/3 of his IHG points were stolen from his account and IHG would not help him. I will show you how I found out that my IHG account was hacked and what I did next to protect my account.

It all started on Friday afternoon around 2:30pm PT when I received these 2 emails from IHG. Wait a second… I didn’t cancel an IHG hotel reservation or update my email address. Uhh oh…

I spotted those 2 emails about 30 minutes later and immediately logged into my IHG account.  All of my personal information was the same except the email address was changed on my account.  I immediately changed the email address back and changed my 4 digit PIN to another 4 digit PIN.

I then looked at my account activity.  The only recent activity was the IHG hotel reservation that was cancelled.  I assume the hacker cancelled my points reservation so there would be more IHG points in my account for them to steal.  Luckily, I had 2-3 other IHG reservations booked on points that they did not cancel.

Here are details of the cancelled IHG hotel stay.

After changing my email and PIN, I called IHG customer service to report that my account was hacked.  The sad part was that the IHG rep did not sound surprised, alarmed, or apologetic.  He told me that I should change my PIN (already done) and change my email.  He mentioned that the hacker would only need to know my email and PIN.  If I used the same email as before, the hacker would just need to guess my new PIN.  Therefore, by changing my email address, the hacker would have to figure out my email and my new PIN.  I told the rep I would change the email on my IHG account to a different email address.  I then told him that the hacker cancelled my hotel reservation.  The rep then offered to rebook my hotel reservation.  I guess IHG cannot un-cancel a reservation, so they would need to make a new reservation.  After telling the rep the hotel and travel dates, he rebooked my hotel reservation for me.  I thanked him for his help and hung up.

In the span of 50 minutes, I had my IHG account hacked, reservation cancelled, email changed (by the hacker), email changed (by me), and a new hotel reservation (booked by the IHG rep).

This was a very scary incident and I am glad I caught this very quickly because I am sure my IHG points would be gone by now.  If you have any questions, please let me know.  Have a great day everyone!

10 thoughts on “My IHG Rewards Club Account was Hacked, Here’s what I Did Next…”

  1. Dale

    Sorry to hear that. It’s beyond me why they still have a 4 digit code as security. I guess it’s too difficult for them to institute a letters / numbers password system.

      1. Penguin

        Seriously. I joined IHG pretty recently and was appalled that the only thing protecting my account was a 4-digit pin. Passwords are the least they could implement, but judging from other comments it sounds like social engineering by hackers to call and reset someone’s pin/password is pretty simple. Even multi-factor authentication won’t prevent against someone convincing the customer service rep that it’s you and you’ve forgotten your login information.

        IHG needs to put security at the top of their list. These kinds of symptoms suggest that there could be much larger lapses like customer data being stored insecurely, or their systems having vulnerabilities. It’ll cost them much more in capital and trust if they don’t change their security culture immediately and something big happens.

  2. Ben

    Just a heads up – in the screenshot showing the 20k point reversal, the date of your stay is shown in the line item description. Might want to add another black box!

    Sorry to hear that you got hacked – really one of my worst miles & points nightmares!

    1. Grant Post author

      Thanks for the heads up. I did my best to black it out on my iPhone. This was scary since I felt like I was racing against the clock to keep my IHG points safe.

  3. Chris w

    You MUST ask for a new IHG account number. My account was hacked 4x in a period of 4 weeks. The email is one thing but the number they can also brute-force it again.

    2 times I was in time too. The other 2 times I was too late. I then got a new number and all transferred. I was also offered compensation points and all accelerate points I would miss on.

    One time I was too late, a hacker simply CALLED IHG to change my pin!!!!!

    You aren’t secure until a new number, especially if your point balance is high.

    1. Grant Post author

      Hi Chris, that is great advice. I will call IHG and ask for a new IHG number and transfer all my account info over to the new number.

  4. Mike C.

    OMG… I’m beginning to wonder if there is anyone left who HASN’T had their IHG account hacked… Mine was hacked & most of the points were taken approx. 6 months ago… :(

    I was finally able to get them re-instated. In my case, email address was not changed, I just happened to login and see that all my points were gone – we eventually figured out that someone had used them to book a hotel in Liverpool, UK, for that specific night – I got on a call with IHG, to the Manager of the Holiday Inn in Liverpool and the guy had just checked in…!!

    It really is crazy that they cannot change from this 4 digit pin…

