Just in case you also received an email telling you that your account information is currently secure, but a "small" number of other people's information was accessed, so you should click the link to change your password just in case...
This email MAY BE TRUE. I logged onto marriott.com, found the customer care number and called. They did send emails to "some" of their members. It is ALWAYS a good idea to type in the web address yourself, and NEVER click on links within emails that claim to be security related, or are asking for login and account information.
The email I received said:
The security of your Marriott Rewards® member account is of the utmost importance to us. There have recently been attempts made to gain unauthorized access to a small number of members' online accounts. Although your account was not included in these attempts, as a precaution, we ask that you visit Marriott.com and change your password as soon as possible to assist us in ensuring the security of your account:
Our Data Privacy and Protection team has been working diligently to implement safeguards to block these attempts and maintain the ongoing security of all member accounts.
These types of online attacks become possible when individuals use the same email address and password combination for multiple online accounts. The email address and password combination becomes more susceptible to being collected via external sources and then used in an attempt to gain unauthorized access to other online accounts, such as your Marriott Rewards account.
If you have any questions, please call Marriott Rewards Guest Services at 800-952-8876 for assistance.
We take this matter very seriously as we have a long-standing commitment to protect the privacy of the personal information that our guests entrust to us. Thank you for your prompt attention to this important notice.
Marriott Rewards Guest Services
My email did not have the same URL for each link. From what I can gather on the internet, it looks like some emails are legitimate, and some are indeed phishing emails. As always, NEVER click on links within an email if you expect to enter your login or account information. ALWAYS go directly to the website yourself.
Little more info. After doing some more research, it appears that there are both Legitimate and Phishing emails in circulation right now. NEVER click on links related to account information. ALWAYS go directly to the website to log in, change passwords, etc.
Probably a good idea to change your password periodically anyway. Just be sure to go to Marriott.com directly and not via any links in emails.
Good info. I too went directly to the Marriott web site to find out more rather than click on the link. Whenever I am prompted to use a link to log in or change a password, I am suspicious.Better to be safe than sorry.
Changing passwords frequently is a good security measure, but doing so because an email suggested it should raise a red flag.
I got the email and when I saw their reply email was to an "email.com" address, I call MR # on back of my card. Since my name was used in greeting, I felt it might be legit but still called.
The CSR said the email was legit and suggested I change my login to MR. I changed to a number/ letter 9 digit PW that I use for membership reward sites.
As a few have mentioned, the email is legit and a little caution does go a long way. But for those that don't click the email links, you can sign directly into Marriott.com to change your password. And to improve security, you do have the option of passwords longer than 6 characters and we're recommending a minimum of an 8-character password.
Thank you for responding on an issue of significance, I appreciate the peace of mind (especially coming after posts a few weeks back about points disappearing). As the champion of technological numbnuts, who doesn't know a URL from an Underwriters Laboratory, I was grateful for bear4youth's advice which came right around the time I received the e-mail. If not clicking on the link in an e-mail is sound advice (which it is) wouldn't it also be a sound practice for firms like Marriott to not include them in legitimate requests and instead direct us to marriott.com? (especially when, like posters noted above the password format was changed). Please consider that in the future.
Isn't that the truth? Any corp. messaging center should know better than that, especially when they know a scam is going on at the same time. And then for them to say it might or might not be legit!!! That alone shows the mentality of those in charge. It's as if they've outsourced to a foreign country that has no business experience.