UPDATE – Members of the Marriott Rewards program were notified on Tuesday of attacks attempting to gain access to user accounts, and asked to change their passwords as soon as possible.
Marriott did not initilly provide any additional details into the size and scope of the attack, but deemed the attack significant enough to issue a warning to users, though further details provided to SecurityWeek showed the attack targeted a relatively small number of accounts.
The attacks occured about four weeks ago, and affected less than 100th of 1 percent of the 43 million Marriott Rewards members, a Marriott spokesperson told SecurityWeek.
Recent brute force attacks have hit a number of targets recently, including Nintendo, Konami, WordPress-powered blogs, and even control systems at gas compressor stations.
In the case of the recent Nintendo attack, roughly 15.5 million logins were attempted over a period of about a month, with nearly 24,000 leading to successful account compromise.
While it’s unclear if a brute force attack is what sparked the warnings coming from Marriott, there is a possibility that brute force or password re-use attacks played a part, based on the limited information Marriott provided in the security warning.
“Once we learned of the situation, we immediately launched an investigation to determine the cause and extent of the unauthorized access,” the Marriott spokesperson said.
Brands associated with the Marriott Rewards program include The Ritz-Carlton, JW Marriott Hotels & Resorts, Renaissance Hotels, AC Hotels by Marriott, Marriott Hotels & Resorts, Gaylord Hotels, Courtyard by Marriott, Fairfield Inn & Suites by Marriott, SpringHill Suites by Marriott, Residence Inn by Marriott, TownePlace Suites by Marriott. Marriott Vacation Club, Marriott Conference Centers and others.
The following is the notice sent to users with accounts that were not included in the unauthorized login attempts.
Dear [Rewards Member Name],
The security of your Marriott Rewards® member account is of the utmost importance to us. There have recently been attempts made to gain unauthorized access to a small number of members’ online accounts. Although your account was not included in these attempts, as a precaution, we ask that you visit Marriott.com and change your password as soon as possible to assist us in ensuring the security of your account:
• You will need to change your password on Marriott.com from your desktop since updates cannot be made from your mobile device.
• Select a unique password, at least 8 characters long, that is not used with any other online account you may have.
• Security experts urge that a more secure password contains a minimum of one capital letter and one number.
Our Data Privacy and Protection team has been working diligently to implement safeguards to block these attempts and maintain the ongoing security of all member accounts.
These types of online attacks become possible when individuals use the same email address and password combination for multiple online accounts. The email address and password combination becomes more susceptible to being collected via external sources and then used in an attempt to gain unauthorized access to other online accounts, such as your Marriott Rewards account.
If you have any questions, please call Marriott Rewards Guest Services at 800-952-8876 for assistance.
We take this matter very seriously as we have a long-standing commitment to protect the privacy of the personal information that our guests entrust to us. Thank you for your prompt attention to this important notice.
SecurityWeek has contacted Marriott for additional details.
*Updated with statement from Marriott including the number of affected Marriott Rewards accounts.