# AGR Account Hacked (Mine, Maybe Yours?)



## Dovecote (Aug 24, 2016)

Upon checking the posting of points to my account, my address in my AGR profile was incorrect. It showed an address from Massachusetts. I then checked my wife's profile and her address was incorrect as well (it showed Memphis, TN). Both addresses were corrected yesterday in the AGR profile on my PC. Upon checking them today, mine was correct but my wife's address showed Newport Beach, CA.

I called AGR to inform them of the address error and of my concerns. The agent was surprised and spoke to the lead supervisor. The agent was told that concerns such as mine have been noted and informed me that accounts have been hacked. I was told to change the password to the accounts in question. Hopefully this will be the end of this for me.

Here is hoping that your accounts have not been hacked.


----------



## the_traveler (Aug 24, 2016)

I just looked at my account and it also had the wrong address.

When I called AGR to tell them, they asked if the Parkersburg, PA address was my former address. (I have no idea where that even is!) It got "corrected" (back) to the correct address.


----------



## pennyk (Aug 24, 2016)

Mine was incorrect also. They had me in New Jersey. I was asked many questions to determine that I was the correct person. I was told that this was not a hack, but a glitch that occurred when AGR and Amtrak accounts were merged. My password was reset.


----------



## ParanoidAndroid (Aug 24, 2016)

the_traveler said:


> I just looked at my account and it also had the wrong address.
> 
> When I called AGR to tell them, they asked if the Parkersburg, PA address was my former address. (I have no idea where that even is!) It got "corrected" (back) to the correct address.


Come on . . . Parkesburg PA is an Amtrak station on the Keystone route! 

My account was correct, for some reason.


----------



## jacorbett70 (Aug 24, 2016)

My address showed as one in Bryn Mawr, PA, so I just changed my password too.

Edit to add: The snail mail version of the targeted Double TQP offer just arrived from AGR with the correct address.


----------



## jis (Aug 24, 2016)

No problem with my address. Exactly as I had entered it.


----------



## SarahZ (Aug 24, 2016)

Rats. I'm still in Battle Creek.

I want the hackers to move me somewhere fun.


----------



## Ryan (Aug 24, 2016)

I still apparently live here.

Stupid Amtrak, can't even screw up properly and leaves me out. They can't do anything right!


----------



## the_traveler (Aug 25, 2016)

SarahZ said:


> Rats. I'm still in Battle Creek.
> 
> I want the hackers to move me somewhere fun.


You mean Nome, Alaska? :giggle:


----------



## tp49 (Aug 25, 2016)

Ryan said:


> I still apparently live here.
> 
> Stupid Amtrak, can't even screw up properly and leaves me out. They can't do anything right!


I hear if you complain to Customer Relations about this egregious oversight on Amtrak's part you'll get a voucher good for future travel, some overpriced cafe car fare or a breakfast meal in the dining car for your pajama clad chihuahua. :giggle: :giggle: :hi:


----------



## Dovecote (Aug 25, 2016)

pennyk said:


> Mine was incorrect also. They had me in New Jersey. I was asked many questions to determine that I was the correct person. I was told that this was not a hack, but a glitch that occurred when AGR and Amtrak accounts were merged. My password was reset.


I was initially told by the first AGR agent on Tuesday about the "glitch" when the AGR and Amtrak accounts were merged back in January. The second AGR agent on Wednesday questioned the initial explanation and was informed of the hack after discussing the matter with the lead supervisor. Let's hope our addresses are correct today!


----------



## pennyk (Aug 25, 2016)

Dovecote said:


> pennyk said:
> 
> 
> > Mine was incorrect also. They had me in New Jersey. I was asked many questions to determine that I was the correct person. I was told that this was not a hack, but a glitch that occurred when AGR and Amtrak accounts were merged. My password was reset.
> ...


My address is correct this morning. I will check again later. Thanks for the heads up.


----------



## JayPea (Aug 25, 2016)

Same address I've had for 15 years. Rats!


----------



## Mystic River Dragon (Aug 25, 2016)

I just saw this, and my address is correct as of this morning. If they sent me somewhere exciting before returning me to New Jersey, I missed it!


----------



## jis (Aug 25, 2016)

I am wondering why someone would take the trouble to hack into an account like AGR and just change the snail mail address and nothing else. Maybe they thought that AGR is another front for the Social Security Administration or IRS. 

My guess at present is on a goofup in merging AGR and Amtrak.com accounts together. Happened to just one of the batches during the merge process.


----------



## the_traveler (Aug 25, 2016)

It doesn't seem likely that this happened "during the merge". My address was fine last week, or whenever I looked last.


----------



## jis (Aug 25, 2016)

the_traveler said:


> It doesn't seem likely that this happened "during the merge". My address was fine last week, or whenever I looked last.


Or some other internal tinkering. Never underestimate the ingenuity of IT system managers at screwing up things internally.

As of now there are no reports of any recent systematic cyber attack on Amtrak. Maybe we will see some soon if this is serious.


----------



## AmtrakBlue (Aug 25, 2016)

My thought is the supervisor who said it was hacked either had no clue what happened or was trying to put the blame outside of Amtrak.


----------



## Acela150 (Aug 25, 2016)

SarahZ said:


> Rats. I'm still in Battle Creek.
> 
> I want the hackers to move me somewhere fun.


Yeah... I'm still in Philly...

They can move me to Intercourse PA... At least that's in Lancaster county.


----------



## afigg (Aug 26, 2016)

After noticing this thread, I tried to log in to my AGR account. Could not as account was locked out. Called the 800 number and after verifying my identity, they sent me an email to reset my password. All of the account info such as address and AGR points was correct, so I did not have to fix anything other than to create a new password.

If anyone has not logged into their Amtrak/AGR account recently, probably a good idea to do so in case you need to reset the password prior to booking a trip or departing for one.


----------



## jis (Aug 26, 2016)

Just logged into my account. No problem, no lock up, no need for new password. Maybe a specific batch of accounts were affected.

Dropbox, for example, is requiring only a specific batch of accounts to renew and change their passwords because apparently inadvertently they made an old password file publicly available somehow that contained a specific set of accounts.


----------



## bmjhagen9426 (Aug 26, 2016)

Just logged in to my AGR account. It appears that my AGR account is unscratched, with the exception of account merger with the Amtrak reservation profile, and a member PIN (don't know what that PIN is for). Address is still the same, login info still valid, and was never contacted by AGR about the hacking.


----------



## NW cannonball (Aug 27, 2016)

bmjhagen9426 said:


> Just logged in to my AGR account. It appears that my AGR account is unscratched, with the exception of account merger with the Amtrak reservation profile, and a member PIN (don't know what that PIN is for). Address is still the same, login info still valid, and was never contacted by AGR about the hacking.


According to my Android app, the PIN is something you can set up for added security when phoning AGR -- so I created a PIN. Don't know how much security a PIN adds to phone transactions? Do know a major rule about online Internet and other computer system passwords -- "never send or store passwords in the clear" -- so AGR phone agents can't, won't, and shouldn't ask for your online account password.

Checked my AGR account both by Android app and internet, no changes since July, did a few updates while online.


----------



## bmjhagen9426 (Aug 27, 2016)

I'm aware of "no password in the clear". All sites I log in have the password "salted". As for "never send or store passwords in the clear", I also see that employers should follow that rule when hiring employees (i.e. Employees being forced to supply their Facebook password).


----------



## the_traveler (Oct 1, 2016)

I got a call yesterday from AGR about this problem.

The agent apologized for the inconvenience. He said it was a software problem, and that some accounts were affected but others were not. He specifically said that the accounts were not hacked or anything like that.


----------



## Ryan (Oct 1, 2016)

bmjhagen9426 said:


> All sites I log in have the password "salted".


I wonder how you actually verify that...


----------



## me_little_me (Oct 2, 2016)

My penthouse in the Ritzy part of Manhattan was changed to some town an hour from the nearest station. Worse, my yacht won't fit on the local lake. On the other hand, my private jet can stay at the local airport and my private railcars are stored not so far away.


----------



## Steve4031 (Oct 2, 2016)

Mine is okay too. Thanks for the heads up anyway.


----------



## Acela150 (Oct 15, 2016)

bmjhagen9426 said:


> I'm aware of "no password in the clear". All sites I log in have the password "salted". As for "never send or store passwords in the clear", I also see that employers should follow that rule when hiring employees (i.e. Employees being forced to supply their Facebook password).


If an employer asked for my Facebook and other social media account passwords I would tell them no. Cause IINM that's a federal crime. I'm ok with them doing a quick look at my page. But asking for passwords is too far. I'll also add that if they're asking for passwords, they're probably doing a lot more than looking into your social media. They're probably doing a lot of spying that they don't want you to know about.


----------

