Hyatt is sending some customers enrolled in their loyalty points program, Gold Passport, notification of a possible breach of their information. As with some other loyalty card breach reports we’ve seen recently, Hyatt’s notification indicates that there is no evidence that their system was breached and that the miscreants may have obtained customers’ login credentials from other sources or by other means.
Hyatt is requiring a password reset for affected accounts.
Here’s a screencap of the notification, courtesy of Suzanne Widup and VERISDB:
“As part of Hyatt Gold Passport’s routine monitoring of member account activity, we found a small number of accounts were accessed by an unauthorized individual utilizing member usernames and passwords. We have no reason to believe, at this time, the login information was obtained through Hyatt Gold Passport, and we continue to analyze and monitor our systems. We have reached out to members we know have been affected to resolve any concerns.
To enhance your account security, we are resetting all passwords connected to a username. The next time you sign in to your Hyatt Gold Passport account, you will need to change your password by following the directions below. We strongly recommend that you reset your username and password to a unique combination not used elsewhere. You will not be able to access your account online until you change your password.
To change your Hyatt Gold Passport password:
1) Visit goldpassport.com
2) Click “Forgot Password” in the sign-in section and follow the directions
3) Look for a temporary password sent to your email and follow the directionsWe apologize for any inconvenience. If you have any questions, please call us anytime at 800.228.3360 in the US and Canada or contact Hyatt in your region. ”
The notification does not say how or if the information was misused in any way, nor how many members, total, are being notified.
UPDATE: See the comment below from “JJ,”. In separate communication, JJ also informs DataBreaches.net:
And when I reset my password, it had this wonderful note:
“To access all of the exclusive features inside goldpassport.com, follow the steps to create your new password. Your new password should be 6 to 35 letters and/or numbers. Special characters such as @#$%^&*:;/ are not permitted.”
Jeez. Why would they prohibit special characters? How much time have they now saved hackers by doing that?
UPDATE 2: Steve Ragan has the numbers on CSO Online:
On Tuesday, Hyatt alerted some 200 customers that their Gold Passport account had been flagged for suspicious activity, while the other 18 million members have had their account passwords reset out of an abundance of caution.
“To enhance your account security, we are resetting all passwords connected to a username.”
Ummm, aren’t all passwords connected to a username? I’m pretty sure a single username could not have multiple passwords associated with it. With all of the PR and legal review that email had to undergo, that is really strange wording.
My account was setup five months ago and only accessed between the end of November and early January for a vacation. The username and password were not used on any other site and was only used from my home laptop. I’m glad I did not have a credit card on file with them. I think there will be a Paul Harvey moment in the future.