Connect with us

Hi, what are you looking for?


Data Protection

Marriott Rewards Members Urged to Change Passwords Following Hack Attempts

UPDATE – Members of the Marriott Rewards program were notified on Tuesday of attacks attempting to gain access to user accounts, and asked to change their passwords as soon as possible.

UPDATE – Members of the Marriott Rewards program were notified on Tuesday of attacks attempting to gain access to user accounts, and asked to change their passwords as soon as possible.

Marriott did not initilly provide any additional details into the size and scope of the attack, but deemed the attack significant enough to issue a warning to users, though further details provided to SecurityWeek showed the attack targeted a relatively small number of accounts.

The attacks occured about four weeks ago, and affected less than 100th of 1 percent of the 43 million Marriott Rewards members, a Marriott spokesperson told SecurityWeek.

Recent brute force attacks have hit a number of targets recently, including Nintendo, Konami, WordPress-powered blogs, and even control systems at gas compressor stations.

Marriott Rewards User Accounts Hacked

In the case of the recent Nintendo attack, roughly 15.5 million logins were attempted over a period of about a month, with nearly 24,000 leading to successful account compromise.

While it’s unclear if a brute force attack is what sparked the warnings coming from Marriott, there is a possibility that brute force or password re-use attacks played a part, based on the limited information Marriott provided in the security warning.

“Once we learned of the situation, we immediately launched an investigation to determine the cause and extent of the unauthorized access,” the Marriott spokesperson said.

Advertisement. Scroll to continue reading.

Brands associated with the Marriott Rewards program include The Ritz-Carlton, JW Marriott Hotels & Resorts, Renaissance Hotels, AC Hotels by Marriott, Marriott Hotels & Resorts, Gaylord Hotels, Courtyard by Marriott, Fairfield Inn & Suites by Marriott, SpringHill Suites by Marriott, Residence Inn by Marriott, TownePlace Suites by Marriott. Marriott Vacation Club, Marriott Conference Centers and others.

The following is the notice sent to users with accounts that were not included in the unauthorized login attempts.

Dear [Rewards Member Name],

The security of your Marriott Rewards® member account is of the utmost importance to us. There have recently been attempts made to gain unauthorized access to a small number of members’ online accounts. Although your account was not included in these attempts, as a precaution, we ask that you visit and change your password as soon as possible to assist us in ensuring the security of your account:

• You will need to change your password on from your desktop since updates cannot be made from your mobile device.

• Select a unique password, at least 8 characters long, that is not used with any other online account you may have.

• Security experts urge that a more secure password contains a minimum of one capital letter and one number.

Our Data Privacy and Protection team has been working diligently to implement safeguards to block these attempts and maintain the ongoing security of all member accounts.

These types of online attacks become possible when individuals use the same email address and password combination for multiple online accounts. The email address and password combination becomes more susceptible to being collected via external sources and then used in an attempt to gain unauthorized access to other online accounts, such as your Marriott Rewards account.

If you have any questions, please call Marriott Rewards Guest Services at 800-952-8876 for assistance.

We take this matter very seriously as we have a long-standing commitment to protect the privacy of the personal information that our guests entrust to us. Thank you for your prompt attention to this important notice.

SecurityWeek has contacted Marriott for additional details.

*Updated with statement from Marriott including the number of affected Marriott Rewards accounts.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...