Hilton Hotels & Resorts recently offered Hilton HHonors members 1,000 free awards points if they agreed to change their passwords for the online service. The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder of security consulting firm Bancsec. The two found that once they'd logged into a Hilton Honors account, they could hijack any other account just by knowing its account number. Hilton's site didn't require logged-in users to re-enter their current passwords before picking a new one.
Source: https://krebsonsecurity.com/2015/03/hilton-honors-flaw-exposed-all-accounts/
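The two missing checks described above (binding the change to the session's own account, and re-entering the current password) can be shown side by side. This is an added example, not code from Hilton or from the cited article; the in-memory store, the handler names, the form fields and the status codes are assumptions chosen for illustration.

```python
import hashlib, hmac, os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(store, acct, new_password):
    salt = os.urandom(16)
    store[acct] = {"salt": salt, "hash": _hash(new_password, salt)}

def check_password(store, acct, password):
    rec = store[acct]
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def make_store():
    # Constructed sample accounts; numbers and passwords are made up.
    store = {}
    for acct, pw in (("1001", "alice-old-pw"), ("1002", "bob-old-pw")):
        set_password(store, acct, pw)
    return store

def change_password_flawed(store, session, form):
    # Simplified model of the flaw class: any logged-in session is accepted,
    # the target account is taken from the request, and the current
    # password is never checked.
    if not session.get("account"):
        return 401
    set_password(store, form["account"], form["new_password"])
    return 200

def change_password_hardened(store, session, form):
    acct = session.get("account")   # target is always the session's own account
    if not acct:
        return 401
    if form.get("account", acct) != acct:
        return 403                  # request names a different account
    if not check_password(store, acct, form.get("current_password", "")):
        return 403                  # re-authenticate before a credential change
    set_password(store, acct, form["new_password"])
    return 200
```

Logging the 403 branches with the session's account and the requested account gives defenders a signal for cross-account attempts.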

