I use a special email address for every website. For Marriott Insiders, let's call it WebSiteMarriottInsiders@mydomain.com.
I am now getting phishing emails to the above address. The email subject is "WebSiteMarriottInsiders@mydomain.com You Are Exceeding Your Mail Limit." The email is signed "administrator". The email tries to get me to click a link to a bogus website.
Kaspersky warned me about the site when I tried to open it (giving a slightly modified URL).
It appears the Marriott Insiders website has either been hacked or one of the companies Marriott shares information with has been hacked.
Your website team can contact me if they want to discuss or have the evidence forwarded to them.
Hi timandjulz - to echo carat, thank you for bringing this to our attention. Your privacy and security are our top priority, and I want you to know that we never sell or share your information with third parties. I can tell you with certainty that there have been no member data hacks on the Marriott Rewards side. It would be a huge help to see the email you received. I'm sending you a direct message with instructions on where to send it. Thank you!
Again, sorry for the delay. I was traveling and didn't get the notification until late.
I can't edit the original post. But it is okay with me if you want to change the title to "Possible email leak from insiders site" or something similar. Descriptive but not as scary. Know what I mean?
I wanted to give a quick status update. The Marriott Community team has been in touch with me and they are taking this seriously. I think they have a solution and I feel my information will be secured on the website.
Meanwhile, if you decided to read this then you are probably somewhat concerned about security. So here are some tips:
1) Use a password manager and ALWAYS use a unique password on every website. I use Roboform but there are others like Lastpass. Password managers can generate long random passwords and give you one master password to use for all websites.
Password managers also let you use the longest, most complex password possible for every site without having to remember or write it down.
An extra benefit with password managers is they won't fill in websites that are built to fool you into providing passwords. For example, you might get an email link to "bank0famerica.com" (note that the number 0 is in place of the letter "o"). A password manager will see the page isn't a match and won't fill it in.
2) Use two factor authentication whenever it is allowed. But especially for financial accounts. Two factor authentication is where you provide a password AND have to enter a number texted to a phone, etc. Whenever you are on your home computer you don't have to provide the second number. But you will if you use a new computer/browser.
3) If your company has a website like this then add a "honeypot" account. Set up a gmail account that looks normal and has random characters so it can't be guessed, like "JaneMarriott.email@example.com", and then set up a forwarder to go to the administrator. If the email ever leaks you will get an email on that account.
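The per-site address trick from the opening post and the "honeypot" address in tip 3 both work the same way: every party gets an address only it knows, so the recipient address on an unsolicited email tells you who leaked it. The Python below is an added example written for this thread, not code from the original poster or from Marriott. It assumes the address layout WebSite<Site>.<tag>@mydomain.com, where the tag is a keyed hash so the addresses cannot be guessed or enumerated (the tip's "random characters"); the secret, domain and sample phishing message are constructed for the example.

```python
import email
import hashlib
import hmac
import re
from email import policy
from email.utils import getaddresses

# Constructed values for the example. The real secret must be long, random
# and kept private: anyone who has it can forge a "leaked" alias.
ALIAS_SECRET = b"example-secret-change-me"
ALIAS_DOMAIN = "mydomain.com"
ALIAS_RE = re.compile(
    r"WebSite([A-Za-z0-9]+)\.([0-9a-f]{8})@" + re.escape(ALIAS_DOMAIN),
    re.IGNORECASE,
)


def alias_tag(site: str, secret: bytes = ALIAS_SECRET) -> str:
    """Keyed 8-hex-char tag derived from the site label (HMAC-SHA256, truncated)."""
    return hmac.new(secret, site.lower().encode(), hashlib.sha256).hexdigest()[:8]


def site_alias(site: str, secret: bytes = ALIAS_SECRET) -> str:
    """Per-site address, e.g. WebSiteMarriottInsiders.<tag>@mydomain.com."""
    label = re.sub(r"[^A-Za-z0-9]", "", site)  # keep the local-part plain
    return f"WebSite{label}.{alias_tag(label, secret)}@{ALIAS_DOMAIN}"


def attribute_address(address: str, secret: bytes = ALIAS_SECRET):
    """Map a recipient address back to the site it was handed to.

    Returns (site, status): "leaked" for a genuine alias, "forged" for an
    alias-shaped address whose tag does not verify, or (None, "other").
    """
    m = ALIAS_RE.fullmatch(address.strip())
    if not m:
        return None, "other"
    label, tag = m.group(1), m.group(2).lower()
    if hmac.compare_digest(tag, alias_tag(label, secret)):
        return label, "leaked"
    return label, "forged"


def attribute_message(raw: str, secret: bytes = ALIAS_SECRET) -> dict:
    """Parse a raw RFC 5322 message and attribute every alias it was sent to.

    Delivered-To / X-Original-To are checked as well as To/Cc because phishers
    often put a generic address in To: and Bcc the real targets.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    results = {}
    for header in ("To", "Cc", "Delivered-To", "X-Original-To"):
        values = [str(v) for v in msg.get_all(header, [])]
        for _name, addr in getaddresses(values):
            site, status = attribute_address(addr, secret)
            if site is not None:
                results[site] = status
    return results


# Constructed sample message modelled on the subject line quoted in the thread.
MARRIOTT_ALIAS = site_alias("MarriottInsiders")
SAMPLE_PHISH = f"""From: administrator <admin@example.net>
To: {MARRIOTT_ALIAS}
Subject: {MARRIOTT_ALIAS} You Are Exceeding Your Mail Limit

Your mailbox is full. Click here to increase your quota.
"""

if __name__ == "__main__":
    print(site_alias("MarriottInsiders"))
    print(attribute_message(SAMPLE_PHISH))
```

Because the tag is keyed, an attacker who harvests one alias cannot mint a valid one for another site, and a mail that arrives at an alias-shaped address with a bad tag is flagged as forged rather than pinned on an innocent site. Routing every `leaked` verdict to the administrator is the forwarder from tip 3.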
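Tip 1 says a password manager refuses to fill "bank0famerica.com" because the page is not a match for the saved site. The Python below is an added example, not code from any real password manager, showing the check a manager makes: it fills only over HTTPS and only when the page's registrable domain equals the one the credential was saved for, and when it refuses it flags near-miss domains the way the antivirus warning in the thread did for the "slightly modified URL". The vault contents, the tiny public-suffix table and the URLs are constructed for the example.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed vault: saved origin -> (username, password).
VAULT = {
    "https://www.bankofamerica.com": ("alice", "correct horse battery staple"),
    "https://www.marriott.com": ("alice", "another-long-random-password"),
}

# Stand-in for the Public Suffix List (assumption: enough for the example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Strip subdomains down to the registrable domain, e.g. login.bank.co.uk -> bank.co.uk."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        if ".".join(parts[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(parts[i - 1:])
    return host.lower()


def autofill_decision(page_url: str, vault: dict = VAULT):
    """Return (credential or None, reason) for a page the user is looking at."""
    u = urlsplit(page_url)
    if u.scheme != "https":
        return None, "refuse: not https"
    # urlsplit().hostname ignores userinfo, so https://www.bankofamerica.com@evil.example
    # resolves to evil.example, not the bank.
    page_domain = registrable_domain(u.hostname or "")
    for origin, cred in vault.items():
        if registrable_domain(urlsplit(origin).hostname) == page_domain:
            return cred, "fill: matches " + origin
    # No exact match. Warn if the domain is a close edit of a saved one
    # (the 0-for-o substitution in the thread scores well above the cutoff).
    for origin in vault:
        saved = registrable_domain(urlsplit(origin).hostname)
        ratio = SequenceMatcher(None, saved, page_domain).ratio()
        if ratio >= 0.85:
            return None, f"refuse: {page_domain} looks like {saved} ({ratio:.2f})"
    return None, "refuse: no saved credential for " + page_domain


if __name__ == "__main__":
    for url in (
        "https://www.bankofamerica.com/login",
        "https://bank0famerica.com/login",
        "https://www.bankofamerica.com@evil.example/",
        "http://www.bankofamerica.com/login",
    ):
        print(url, "->", autofill_decision(url)[1])
```

The lookalike score is a user-facing hint only; the fill decision itself rests on the exact domain match, which is why the manager stays silent on a phishing page no matter how convincing it looks.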