
Accor Account hacked and 129393 Reward points used

My ALL Accor account has been hacked and someone redeemed 129393 points at 3:30 am on 7th May. I immediately informed the Accor team and they have asked me to fill a dispute form.
The hacker used the points to book an iPhone 15 Pro to a Germany address, and it cannot be cancelled.
I am worried about whether I will get my points back.
Any help in this regard is appreciated.

SSV

TF Pioneer
Contributor
VIP Lounge
How to secure my Accor account?
Because this can happen to any one of us
You should ask Accor, not us…
Because you are a heavy international spender using your beloved 🪓Atlas ;), you should harass Accor.. Look at my previous post above and grill Accor and get something out of them..
All the best…!!!!
 

joshuatree

TF Premier
VIP Lounge
I am not an Accor user..
Just expressing my personal views from common sense

1) Why can’t they enable 2FA? It is a very simple feature that doesn’t cost much, unless there is some pressing business reason that I am not aware of
2) When people can use these points to purchase general merchandise, why can’t they implement strong security measures?
3) When people are able to buy things from this app, why can’t they cancel?
4) Where are the security measures when the order is delivered to an overseas address rather than the customer's ordinary residence address.. that too a non-cancellable order…

All these show negligence of Accor or is it a wilful negligence to use up their points..

As I said, all these views are purely based on my personal opinion and I have had no Accor experience at all..

All Accor users, think from this angle and raise your concerns to Accor, especially if it is targeted frequently…

I feel something is not right here

Wholeheartedly agree. In the quest for ease of use, many large corporates ignore 2FA. They also have insurance for fraud protection and hence there is no loss to them. It's like the stores in SFO where shop staff just look on as thieves take away stuff.

And yes, there should be further authentication when someone orders to an overseas address. All these are red flags systems should be able to receive and thereafter pause the transaction pending further information, or ask for further authentication.
For instance, years ago I woke up one day to see missed calls from a Malaysia number around 3 AM. I then saw text messages from Citibank stating they suspected my card was fraudulently used and asking me to call back. When I called back to Citi Service in India they asked if I was in the US and had used my card there. I said no and they asked me to fill a simple claim form and credited the amount back some days later. The amount was very small (less than $20) but what was interesting was that Citibank systems immediately detected it as a fraud because it had happened somewhere in the rural Midwest. I suspect some of the red flags could be that I might have had transactions the day before or in India, so logistically would be impossible for me to be there. Another red flag was that I have only visited large cities in the US -- so Citi systems would have noticed that too. Granted, Accor is not a bank and doesn't need the kind of security systems Citibank has, but 2FA is a must!

Incidentally, Accor claims to use 3D Secure where the user is asked a further question which is from his/her bank: Date of Birth / Code via SMS / Answer to a personal question. Unless the hacker has hacked @Nikhil jain 's email too and got an OTP from there. But was there a mobile OTP too?
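The red flags raised in the posts above (delivery to an overseas address, a redemption that empties the balance, a non-cancellable order, a 3 AM timestamp) can be combined into a simple pause-or-step-up gate. The sketch below is an added example, not part of the thread and not Accor's or any bank's actual logic; all class names, thresholds and the sample account are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Account:
    home_country: str            # country of the registered address
    points_balance: int
    known_ship_countries: frozenset
    second_factor_enrolled: bool

@dataclass
class Redemption:
    points: int
    ship_country: str
    cancellable: bool
    local_time: datetime         # in the member's home timezone

def red_flags(acct, r):
    """List the red flags this redemption raises (thresholds are assumptions)."""
    flags = []
    if r.ship_country != acct.home_country and r.ship_country not in acct.known_ship_countries:
        flags.append("overseas_new_address")
    if acct.points_balance > 0 and r.points / acct.points_balance >= 0.8:
        flags.append("drains_balance")
    if not r.cancellable:
        flags.append("non_cancellable")
    if r.local_time.hour < 5:
        flags.append("unusual_hour")
    return flags

def decide(acct, r):
    """allow / step_up (ask for a second factor) / hold (pause for review)."""
    flags = red_flags(acct, r)
    if len(flags) <= 1:
        return "allow", flags
    if len(flags) >= 4 or not acct.second_factor_enrolled:
        return "hold", flags      # nothing to step up with, or too risky to automate
    return "step_up", flags

# Constructed sample data; only the points, hour and destination mirror the thread.
member = Account("IN", 130000, frozenset({"IN"}), second_factor_enrolled=False)
reported = Redemption(129393, "DE", cancellable=False,
                      local_time=datetime(2024, 5, 7, 3, 30))
routine = Redemption(5000, "IN", cancellable=True,
                     local_time=datetime(2024, 5, 7, 14, 0))

if __name__ == "__main__":
    print(decide(member, reported))
    print(decide(member, routine))
```

With no second factor enrolled, any redemption raising two or more flags can only be held for review, which is the practical cost of not offering 2FA.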
 

SSV

TF Pioneer
Contributor
VIP Lounge
This is what Accor suggests, but it's very basic stuff -- change password regularly, don't use same password across apps/services. Not a word on additional protection like 2FA.


Even our local grocery store will have these kinds of security measures if they open an online shopping site..
Pathetic..
 

drsel

TF Legend
Password is in Account -- Advanced settings.
Small letter, capital letter, number and character; 8 to 20 digits long
 

drsel

TF Legend
Someone had hacked into the email of another member of tecno fino and did a password reset for Flipkart using the email.

Then he used the credit card saved on Flipkart for one-tap spend to buy 15000 gift vouchers of Flipkart.
 

drsel

TF Legend
Do not keep any credit card information saved on Amazon, Flipkart and other shopping apps or websites.
 

pidugula

TF Neo
Send an email to the seller mentioned in the order reference and ask for cancellation; they will cancel the order and refund back the Accor points.
 

sourpai

TF Ace
VIP Lounge
I immediately changed my password to a more complicated password after reading this post. I too have a healthy point balance in the account.

P.S: I remember that there was a Google Chrome password breach a few months back. All saved passwords in Chrome were compromised. It may have been related to that.
 

joshuatree

TF Premier
VIP Lounge
Someone had hacked into the email of another member of tecno fino and did a password reset for Flipkart using the email.

Then he used the credit card saved on Flipkart for one-tap spend to buy 15000 gift vouchers of Flipkart.

Cards saved on e-commerce websites still need OTPs to complete transactions. And not all banks send OTPs by email and SMS.
 

drsel

TF Legend
I immediately changed my password to a more complicated password after reading this post. I too have a healthy point balance in the account.

P.S: I remember that there was a Google Chrome password breach a few months back. All saved passwords in Chrome were compromised. It may have been related to that.
No e-commerce website in India stores credit card information in line with RBI guidelines since 2022. Card information is stored with card networks and banks.

On Amazon I can see all my stored and saved credit cards.
I just need to put the CVV and pay
 

shrewdoc

TF Ace
On Amazon I can see all my stored and saved credit cards.
I just need to put the CVV and pay
Those are tokens and not actual card details.

Whenever you transact, the stored token is mapped against the token vault of the card network, where the actual sensitive data is stored, which then goes to the payment gateway, and your transaction is then processed by your card-issuing bank.

So the eCommerce sites actually map the generated gibberish token against the customer data to identify which tokens belong to which account.
 

imuntitled

TF Ace
Contributor
RML Group
VIP Lounge
Are you asking how to get it from your account or how to hack someone else's account and get it? ;)

Here is the order page: https://limitlessexperiences.accor.com/iphone-15-128-gb-1concepts