Hilton Honors Points Amazon Hack and How to Keep Your Accounts Safe

It’s recently come to light that Hilton Honors accounts are being hacked, and the stolen points are being used for purchases on Amazon. Hackers are breaking into Hilton accounts, linking them to an unaffiliated Amazon account, and then redeeming HHonors points for purchases.

We recommend linking your Hilton Honors account to Amazon yourself, since a Hilton account can only be linked to one Amazon account; once it’s linked to yours, a hacker can’t link it to theirs. However, don’t use HHonors points on Amazon purchases; it’s a terrible use of points.



The hackers don’t need access to your Amazon account to connect the two accounts. My guess is that the accounts weren’t hacked using brute force (guessing passwords one after another), since Hilton locks your account after five failed login attempts.

The likely scenario is that another account was compromised, and the hackers are trying the same email and password combination on other sites to see what they can access (known as credential stuffing).

Most people use the same exact password and email combinations for the majority, if not all, of their accounts. If ONE account is compromised, then the hackers essentially have access to all of your accounts.

How to Check If Your Accounts Have Been Compromised

  1. Check if any of your accounts have been hacked using Have I Been Pwned: https://haveibeenpwned.com/

  2. Protect yourself using a password manager like 1Password or Dashlane

  3. Enable 2-factor authentication

  4. Subscribe to notifications for any other breaches
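Have I Been Pwned also lets you check a password itself, without ever sending the password: the Pwned Passwords “range” API takes only the first five characters of the password’s SHA‑1 hash and returns every hash suffix starting with that prefix, so the site never learns which password you asked about (k‑anonymity). The example below is added here and is not code from Have I Been Pwned or from this post; the range response it parses is constructed (including the count), and only the format of the real API is assumed.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix ever leaves the machine; the 35-character
    suffix is compared locally against the returned list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse lines of the form 'SUFFIX:COUNT' into a {suffix: count} map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """Number of times the password appeared in breaches (0 = not listed)."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range listing for a 5-character hash prefix (network)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of what a range response looks like. The first suffix
# is the real SHA-1 suffix of the word "password"; the counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4F1C1F5A0B8D5D0E7C2E3A9F4B6C7D8E9:2
1E5A0000000000000000000000000000000:17
"""

if __name__ == "__main__":
    # Offline check against the constructed sample.
    for candidate in ("password", "Cm15Y@nMh!p"):
        prefix, _ = split_hash(candidate)
        hits = pwned_count(candidate, SAMPLE_RANGE_RESPONSE)
        print(f"prefix sent: {prefix}  seen in breaches: {hits}")
```

To run a live check, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)`; the design point is that `fetch_range` only ever sees the five-character prefix, never the password or its full hash.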

One way to proactively prevent all of your accounts from being compromised by one hack is to use a different password for each account.

I recommend using a password manager like 1Password or Dashlane to keep your accounts safe. Password managers store your account logins and auto-fill them on login pages.

The benefit of using a password manager is that it can generate complicated passwords and store them for you. If an account is compromised, you can change that one password instantly with a click of a button.

Your master password is the key to your other passwords. Think of it like a bank vault key. The master password should be complex and unique, and only known by you.

If the password manager itself is hacked, the stored account information is encrypted, and hackers wouldn’t be able to read it without the master password.
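What a password manager’s generator actually does is pick each character with a cryptographic random source, so the result has no pattern to recover and its strength can be stated in bits. The example below is added here and is not code from 1Password, Dashlane, or this post; the 94-character alphabet (printable ASCII without space) and the 20-character default length are my assumptions.

```python
import math
import secrets
import string

# Assumed alphabet: all printable ASCII except space (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Strength of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True if the password contains lower, upper, digit and punctuation."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Generate a random password that contains every character class.

    One character is drawn from each class first so the result always
    satisfies typical site rules, the rest from the full alphabet, and the
    order is shuffled with the same cryptographic source so the class
    characters do not sit in predictable positions.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    rng = secrets.SystemRandom()
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw)):.0f} bits")
    # For comparison, the 11-character example later in this post would be
    # worth about 72 bits only if it were random; a memorable sentence
    # initialism is far weaker because attackers try known patterns first.
    print(f"11 random chars: {entropy_bits(11):.0f} bits")
```

The shuffle matters: forcing “one of each class” and then leaving those characters at the front would leak structure an attacker could exploit.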

Alternative Options

Before using a password manager, I used to create complicated password combinations using the method below.

Password example: Cm15Y@nMh!p

Source sentence: “Call me Ishmael. Some years ago – never mind how long precisely.”

The first step is to come up with a core password, and then add qualifiers for each account.

As you can see, the password is long and complicated with upper case, lower case, numbers, and special characters.

In this example, the core password is the first letter of each word in the sentence, with some letters swapped for look-alike numbers and symbols (I → 1, S → 5, A → @, L → !) in a way I would remember.

Modified password example: F5Cm15Y@nMh!p!

If this were a Delta account login, I would add “F5” to the front of the core password and “!” at the end.

  • F = flight

  • 5 = number of letters in the word “Delta”

  • ! = emotion I’m feeling when I fly Delta

Ideally, you have more than one modified qualifier to add to the core password for each account.


If you have a complicated password for your primary email that’s different from any other account, along with 2-factor authentication enabled, you should be fine.

One way to add an extra layer of security to your accounts is to buy a domain and create a different email alias for each account. If you’re using GSuite, you can set your primary mailbox as the catch-all address so every alias lands in one inbox.

For example, if I purchase the domain randomwords.io, I can create as many email aliases as I want and direct them all to one email account.

  • hilton@randomwords.io

  • delta@randomwords.io

  • whateveraccount@randomwords.io

Having a complicated password and a different email login for each of your accounts will make it harder for one leaked credential to be reused against the rest.


