Credential-Stuffing Fraud Targeting Hilton Honors Accounts
Attackers use leaked email-and-password pairs from unrelated breaches to log in to Hilton Honors accounts, redeeming accumulated points for free nights, gift cards, or airline miles before the legitimate member notices.
Part of: Credential Stuffing Account Fraud
Last reviewed: 8 June 2026
Hilton Honors points represent real monetary value — millions of members accumulate points over years of travel for future free stays and upgrades. This stored value makes Hilton Honors a high-value target for credential-stuffing attacks, where automated tools test leaked login combinations against Hilton's sign-in page.
Hilton itself does not need to have been breached for this fraud to succeed. The victim's email and password were compromised in an entirely different breach — a retail site, a streaming service, or a food-delivery app — and reused on their Hilton Honors account. Automated stuffing tools test billions of such pairs across major loyalty programmes and hospitality sites.
Once inside the account, attackers redeem points quickly for free nights, airline miles, or digital gift cards that can be liquidated or resold. The redemptions are often for dates in the near future, creating completed transactions that are harder to reverse.
How this scam works on the Hilton brand
Stuffing tools run in the background, testing combinations through proxy networks to avoid Hilton's rate-limiting and geo-blocking. A successful login triggers immediate point redemption activity. The attacker changes the notification email address to prevent the legitimate member from receiving redemption alerts, or disables email notifications if the account settings allow it.
The most valuable redemptions — free nights at premium city properties or point transfers to airline mileage programmes — happen within minutes of account access. Some attackers also change the account profile name and address to prepare for identity-related fraud using the Hilton account as supporting evidence.
Other attackers take a slower approach, logging in and observing upcoming bookings. If an elite-tier member has an upcoming stay, the attacker may modify the booking's room type, add fraudulent charges to the reservation, or attempt to cancel the booking and pocket a refund.
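From the defender's side, the sequence described above (a sign-in from an unfamiliar device or country, then a notification-email change, then a redemption within minutes) can be turned into a detection check over account activity. The following is an added example, not code from the original article or from Hilton; the event format, field names and the 30-minute window are assumptions, and the sample activity is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample activity for one loyalty account (not real Hilton data).
EVENTS = [
    {"ts": "2026-06-01T09:00:00", "type": "login", "country": "GB", "device": "d1"},
    {"ts": "2026-06-01T09:05:00", "type": "booking_view"},
    {"ts": "2026-06-03T02:10:00", "type": "login", "country": "BR", "device": "d9"},
    {"ts": "2026-06-03T02:12:00", "type": "notification_email_change"},
    {"ts": "2026-06-03T02:14:00", "type": "redeem", "points": 95000},
    {"ts": "2026-06-10T18:00:00", "type": "login", "country": "GB", "device": "d1"},
    {"ts": "2026-06-10T18:20:00", "type": "redeem", "points": 20000},
]

# Post-login actions the article associates with a takeover (assumed event names).
SUSPICIOUS_FOLLOWUPS = {"notification_email_change", "notifications_disabled", "redeem"}


def flag_takeover(events, window=timedelta(minutes=30)):
    """Return one alert per sign-in from a previously unseen device or country
    that is followed, before the next sign-in and within `window`, by a
    notification change or a points redemption. The first sign-in seen is
    treated as the member's baseline and never alerted on."""
    events = sorted(events, key=lambda e: e["ts"])
    seen_countries, seen_devices, alerts = set(), set(), []
    for i, ev in enumerate(events):
        if ev["type"] != "login":
            continue
        reasons = []
        if seen_devices:  # only judge novelty once a baseline exists
            if ev["country"] not in seen_countries:
                reasons.append("new country " + ev["country"])
            if ev["device"] not in seen_devices:
                reasons.append("new device " + ev["device"])
        seen_countries.add(ev["country"])
        seen_devices.add(ev["device"])
        if not reasons:
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        followups = []
        for nxt in events[i + 1:]:
            if nxt["type"] == "login" or datetime.fromisoformat(nxt["ts"]) - t0 > window:
                break  # attribute actions only to the session that performed them
            if nxt["type"] in SUSPICIOUS_FOLLOWUPS:
                followups.append(nxt["type"])
        if followups:
            alerts.append({"login_ts": ev["ts"], "reasons": reasons, "followups": followups})
    return alerts


if __name__ == "__main__":
    print(flag_takeover(EVENTS))
```

On the constructed data only the 02:10 sign-in from a new country and device is flagged; the member's own later redemption from a known device is not.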
Common red flags
- You receive a Hilton Honors redemption confirmation for a stay or transfer you did not make
- A Hilton Honors login alert arrives from an unfamiliar device or country
- Your points balance has dropped significantly without a corresponding stay or redemption you authorised
- Your Hilton Honors account email address or PIN has been changed without your knowledge
- An upcoming Hilton booking has been modified or cancelled without your action
- You stop receiving Hilton Honors email notifications that you were previously receiving
How to protect yourself
- Use a unique, strong password for your Hilton Honors account — never the same password used on any other service
- Enable two-step verification on your Hilton Honors account under Profile and Settings
- Check whether your email appears in known breaches at haveibeenpwned.com and update any reused passwords immediately
- Review your Hilton Honors points balance and redemption history monthly for any unexplained activity
- Set up login alerts so you receive an email notification for any new device or location signing in to your account
- If you spot fraudulent redemptions, contact Hilton Honors customer service immediately — prompt reporting improves the chance of reversal
How to report it
- Contact Hilton Honors customer service at 1-800-4HONORS to report account fraud and request a points activity investigation
- Report the credential-stuffing fraud to the FTC at reportfraud.ftc.gov
- File a report with the FBI at ic3.gov if the fraud resulted in financial loss
- Change the compromised password on every other service where you used the same email-and-password combination
Frequently asked questions
Can fraudulently redeemed Hilton Honors points be restored?
Hilton Honors can investigate unauthorised redemptions and may reinstate points if the fraud is reported promptly. The sooner you contact them, the better the chance of reversal, especially if the redeemed nights have not yet been used.
My Hilton Honors password is strong — can I still be stuffed?
If your password is unique to Hilton Honors, credential stuffing cannot succeed. The risk arises only when you use the same password elsewhere. A breached third-party site hands attackers the combination to test at Hilton.
What is the quickest way to secure my Hilton Honors account after a suspected takeover?
Change your password immediately, enable two-step verification, review and note your current points balance, and call Hilton Honors customer service to flag the account for review and freeze any pending redemptions.