Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Marriott Rewards Members Urged to Change Passwords Following Hack Attempts

UPDATE – Members of the Marriott Rewards program were notified on Tuesday of attacks attempting to gain access to user accounts, and asked to change their passwords as soon as possible.

UPDATE – Members of the Marriott Rewards program were notified on Tuesday of attacks attempting to gain access to user accounts, and asked to change their passwords as soon as possible.

Marriott did not initilly provide any additional details into the size and scope of the attack, but deemed the attack significant enough to issue a warning to users, though further details provided to SecurityWeek showed the attack targeted a relatively small number of accounts.

The attacks occured about four weeks ago, and affected less than 100th of 1 percent of the 43 million Marriott Rewards members, a Marriott spokesperson told SecurityWeek.

Recent brute force attacks have hit a number of targets recently, including Nintendo, Konami, WordPress-powered blogs, and even control systems at gas compressor stations.

Marriott Rewards User Accounts Hacked

In the case of the recent Nintendo attack, roughly 15.5 million logins were attempted over a period of about a month, with nearly 24,000 leading to successful account compromise.

While it’s unclear if a brute force attack is what sparked the warnings coming from Marriott, there is a possibility that brute force or password re-use attacks played a part, based on the limited information Marriott provided in the security warning.

“Once we learned of the situation, we immediately launched an investigation to determine the cause and extent of the unauthorized access,” the Marriott spokesperson said.

Brands associated with the Marriott Rewards program include The Ritz-Carlton, JW Marriott Hotels & Resorts, Renaissance Hotels, AC Hotels by Marriott, Marriott Hotels & Resorts, Gaylord Hotels, Courtyard by Marriott, Fairfield Inn & Suites by Marriott, SpringHill Suites by Marriott, Residence Inn by Marriott, TownePlace Suites by Marriott. Marriott Vacation Club, Marriott Conference Centers and others.

Advertisement. Scroll to continue reading.

The following is the notice sent to users with accounts that were not included in the unauthorized login attempts.

Dear [Rewards Member Name],


The security of your Marriott Rewards® member account is of the utmost importance to us. There have recently been attempts made to gain unauthorized access to a small number of members’ online accounts. Although your account was not included in these attempts, as a precaution, we ask that you visit Marriott.com and change your password as soon as possible to assist us in ensuring the security of your account:


• You will need to change your password on Marriott.com from your desktop since updates cannot be made from your mobile device.

• Select a unique password, at least 8 characters long, that is not used with any other online account you may have.

• Security experts urge that a more secure password contains a minimum of one capital letter and one number.


Our Data Privacy and Protection team has been working diligently to implement safeguards to block these attempts and maintain the ongoing security of all member accounts.


These types of online attacks become possible when individuals use the same email address and password combination for multiple online accounts. The email address and password combination becomes more susceptible to being collected via external sources and then used in an attempt to gain unauthorized access to other online accounts, such as your Marriott Rewards account.

If you have any questions, please call Marriott Rewards Guest Services at 800-952-8876 for assistance.


We take this matter very seriously as we have a long-standing commitment to protect the privacy of the personal information that our guests entrust to us. Thank you for your prompt attention to this important notice.

SecurityWeek has contacted Marriott for additional details.

*Updated with statement from Marriott including the number of affected Marriott Rewards accounts.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...