Dec 29, 2014, 12:05 am
Last edit by: WineCountryUA
This thread to follow reports of MP accounts that actually have been hacked / improperly accessed. If you have missing miles and beleive you have been hacked, contact [email protected]
In Suspended MP Accounts / Third Party Vendor "Security Breach?" - Dec 2014 there is discussion of a security breach of a 3rd party that UA seems to believe may lead to inappropriate access to UA accounts via the username method of logging into united.com. Let's follow the breach and log-in changes in the above thread.
A separate(?) "access denied" issue is covered in Consolidated " Is united.com or parts of it Down?" thread
In Suspended MP Accounts / Third Party Vendor "Security Breach?" - Dec 2014 there is discussion of a security breach of a 3rd party that UA seems to believe may lead to inappropriate access to UA accounts via the username method of logging into united.com. Let's follow the breach and log-in changes in the above thread.
A separate(?) "access denied" issue is covered in Consolidated " Is united.com or parts of it Down?" thread
UA Account Hacked / Reports of Fraudulent Award Travel Redemption
Jan 7, 2014, 9:56 am
#61
FlyerTalk Evangelist
Join Date: Jul 1999
Location: Ewa Beach, Hawaii
Posts: 10,909
From my own experience, the police don't care - they have better things to do. My garbage collector stole my identity via discarded mail. Over two year, he bought two cars, numerous credit cards, rented a house - he even got $20K of dental work under my name! He made the payments and then defaulted on everything, which I then found out. I filed a report in Chicago and I took everything to the Lansing Police Department where the guy lived. I had his real name, address and a thick file of everything and they didn't or couldn't do anything! The only thing one can do is be on top of everything and shred all documents. At least OP had no damage done to his credit.
I have a personal shredder at home and nothing goes in the garbage with identifying info, even if just my address, unless it has been shredded. Decent ones only cost $79 at lots of stores. Can get cheaper ones but they aren't very good.
Edit to add: And make sure your shredder is a crosscut one that basically turns papers into mincemeat. DON"T get one that just cuts paper into strips.
Last edited by Baze; Jan 7, 2014 at 4:59 pm
Jan 7, 2014, 10:07 am
#62
Senior Moderator
Join Date: Oct 2001
Location: San Francisco, CA
Programs: UA Plat/2MM [23-yr. 1K, now emeritus] clawing way back to WN-A List; MR LT Titanium; HY Whateverist.
Posts: 12,396
Moderator caution
Let's stay on the topic of hacking or protecting UA M+ accounts. Unduly personalized arguments between members have been deleted. Thanks, Ocn Vw 1K, Moderator.
Jan 7, 2014, 10:21 am
#64
Join Date: Apr 2000
Location: LAX and LHR. UA lifetime Gold 1.9MM 1K , DL Gold Medallion, HHonors Gold, Marriott Gold, Avis President's Club
Posts: 3,592
Neither of us has ever had a PIN. The website asks me from time to time to set up a PIN, and I have always ignored it, so as far as I am concerned (and I think UA too) I just don't have a PIN at all. If I do unknowingly have one, I have no idea what it is. Same thing when I access Mrs 1P's account: it asks me to set up a PIN and I just ignore it.
Jan 7, 2014, 10:29 am
#65
FlyerTalk Evangelist
Join Date: Jul 1999
Location: Ewa Beach, Hawaii
Posts: 10,909
I don't think this is true. I am pmUA and at the merger continued to use my former password with my new MP #. No problems with that, it seems. The same goes for Mrs 1P.
Neither of us has ever had a PIN. The website asks me from time to time to set up a PIN, and I have always ignored it, so as far as I am concerned (and I think UA too) I just don't have a PIN at all. If I do unknowingly have one, I have no idea what it is. Same thing when I access Mrs 1P's account: it asks me to set up a PIN and I just ignore it.
Neither of us has ever had a PIN. The website asks me from time to time to set up a PIN, and I have always ignored it, so as far as I am concerned (and I think UA too) I just don't have a PIN at all. If I do unknowingly have one, I have no idea what it is. Same thing when I access Mrs 1P's account: it asks me to set up a PIN and I just ignore it.
Jan 7, 2014, 11:27 am
#67
Join Date: Feb 2011
Posts: 1,353
If your account came from the pmUA side and you never setup a PIN, you don't have one. I don't know what consequences it will cause but I seem to remember hearing you will be asked for it under some calls for award flights. I am trying to remember but was quite a while ago so the cobwebs may be making my memory fuzzy on it so hopefully someone can confirm or correct. But for basic online stuff you don't need a PIN.
As far as I can tell, you can log in today with any combination of:
Username OR email OR new MP ID OR pmUA MP #
AND
Password OR PIN
That's a lot of information that may me easier or harder to find, depending. It would be more secure to allow people to restrict those to the one they actually use.
Jan 7, 2014, 3:16 pm
#68
Join Date: Jan 2014
Posts: 2
Add me to the list. Found this thread and created an account to add to it because my account was hacked too.
I don't fly much anymore, so I'm not checking my account on a regular basis. In 3 transaction from early November to mid December, someone cleared my account of over 350,000 miles. Just discovered it today. 3 separate transactions for "Mileageplus Merchandise Redemption". I don't have any idea what merchandise they got as the links are clickable.
Called United (got through to a live person quickly, surprisingly) and she wasn't able to really do much for me, but told me to send an email with the details to [email protected] and they'd get back to me in 7-10 days. I'll update with any updates.
If anyone has any other suggestions on what type of follow up I should be doing, let me know. I haven't gotten any response (not even a "hey, we got your email") yet.
I have changed my password & pin, for whatever good that does. Also changed passwords on a lot of other accounts that I have just to be safe.
I don't fly much anymore, so I'm not checking my account on a regular basis. In 3 transaction from early November to mid December, someone cleared my account of over 350,000 miles. Just discovered it today. 3 separate transactions for "Mileageplus Merchandise Redemption". I don't have any idea what merchandise they got as the links are clickable.
Called United (got through to a live person quickly, surprisingly) and she wasn't able to really do much for me, but told me to send an email with the details to [email protected] and they'd get back to me in 7-10 days. I'll update with any updates.
If anyone has any other suggestions on what type of follow up I should be doing, let me know. I haven't gotten any response (not even a "hey, we got your email") yet.
I have changed my password & pin, for whatever good that does. Also changed passwords on a lot of other accounts that I have just to be safe.
Jan 7, 2014, 6:12 pm
#69
Join Date: May 2011
Posts: 5,814
BWI
ORD
LGA
EWR
Jan 7, 2014, 6:14 pm
#70
Join Date: Aug 2011
Programs: UA 1K
Posts: 8,634
I really appreciate you taking the time to post these. [Moderator edit per Post 62, above.]
Last edited by Ocn Vw 1K; Jan 7, 2014 at 9:49 pm Reason: See note above.
Jan 8, 2014, 6:53 am
#71
Original Poster
Join Date: Nov 2011
Location: YUL
Programs: UA 1K, MR Bonvoy Bonzaiiiii, National EE
Posts: 622
So, an update to this:
Will call up Manila on Friday and see what's going on. I'd really hate to have to cancel my company CC in the middle of a trip and charge all my expenses to my personal CSP
- $6000 has been refunded for the 3x revenue tickets purchased on my CC.
- The taxes/fees for the award tickets totaling $230 have not been refunded yet.
- The miles for the hotel redemption have not yet been refunded.
- My GPUs/RPUs have not been refunded (I thought they can re-deposit these immediately?)
Will call up Manila on Friday and see what's going on. I'd really hate to have to cancel my company CC in the middle of a trip and charge all my expenses to my personal CSP
Jan 8, 2014, 7:17 am
#72
Join Date: Apr 2011
Location: SIN
Programs: UA 1K MM, SQ PPS, CX Silver, Accor Platinum, Marriott Gold, SPG Silver
Posts: 679
So, an update to this:
Will call up Manila on Friday and see what's going on. I'd really hate to have to cancel my company CC in the middle of a trip and charge all my expenses to my personal CSP
- $6000 has been refunded for the 3x revenue tickets purchased on my CC.
- The taxes/fees for the award tickets totaling $230 have not been refunded yet.
- The miles for the hotel redemption have not yet been refunded.
- My GPUs/RPUs have not been refunded (I thought they can re-deposit these immediately?)
Will call up Manila on Friday and see what's going on. I'd really hate to have to cancel my company CC in the middle of a trip and charge all my expenses to my personal CSP
Not surprising that it's the UA part which is taking the most time. Credit card companies are used to fraud and know they need to refund legally and contractually. Any refund on UA tends to take time (and aggressive follow up sometimes).
GPUs CAN be refunded literally immediately (often while still on the phone) under normal circumstances such as not clearing, though in my experience, the clock only starts when calling them. Were the GPU's already used or still pending? If already used, I could see a delay while they look into the details, but otherwise I would keep calling until they are back (I only hope the fraud department has some clue as to how to redeposit them).
As others have noted, this is incredibly ballsy. Were the flights originating in the US? Did they have a name etc... associated with them? I would think the FBI would be interested in this, as it is likely interstate (if not international) fraud at a bare minimum.
Jan 8, 2014, 8:03 am
#73
FlyerTalk Evangelist
Join Date: Sep 2007
Location: SJC, SFO, YYC
Programs: AA-EXP, AA-0.41MM, UA-Gold, Ex UA-1K (2006 thru 2015), PMUA-0.95MM, COUA-1.5MM-lite, AF-Silver
Posts: 13,437
I don't use a 4 digit pin, I use a password, for my MP account.
Go to united, login, go to My Mileageplus, scroll down. The Profile section at the bottom has a place to "set password".
I also only have 1 credit card attached to my account, its a $0 gift card and type in my credit card number when I purchase.
Go to united, login, go to My Mileageplus, scroll down. The Profile section at the bottom has a place to "set password".
I also only have 1 credit card attached to my account, its a $0 gift card and type in my credit card number when I purchase.
I stopped using my password in March 2012 when it was apparent that booking online using a password meant that bookings would never ticket.
The only recourse is to log in several times a day to united.com until one has burned all their miles.
Jan 8, 2014, 8:30 am
#74
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,139
Jan 8, 2014, 7:24 pm
#75
Original Poster
Join Date: Nov 2011
Location: YUL
Programs: UA 1K, MR Bonvoy Bonzaiiiii, National EE
Posts: 622
Glad to hear progress. Personally, I would cancel the credit card anyway (or at the very least, check it like a hawk for any other charges aside from UA related). I'm curious- was the credit card reimbursement a credit card fraud contest, or UA refunding the money? If credit card, I would contest the charges on the award ticket taxes as well (if you haven't already).
Not surprising that it's the UA part which is taking the most time. Credit card companies are used to fraud and know they need to refund legally and contractually. Any refund on UA tends to take time (and aggressive follow up sometimes).
GPUs CAN be refunded literally immediately (often while still on the phone) under normal circumstances such as not clearing, though in my experience, the clock only starts when calling them. Were the GPU's already used or still pending? If already used, I could see a delay while they look into the details, but otherwise I would keep calling until they are back (I only hope the fraud department has some clue as to how to redeposit them).
As others have noted, this is incredibly ballsy. Were the flights originating in the US? Did they have a name etc... associated with them? I would think the FBI would be interested in this, as it is likely interstate (if not international) fraud at a bare minimum.
Not surprising that it's the UA part which is taking the most time. Credit card companies are used to fraud and know they need to refund legally and contractually. Any refund on UA tends to take time (and aggressive follow up sometimes).
GPUs CAN be refunded literally immediately (often while still on the phone) under normal circumstances such as not clearing, though in my experience, the clock only starts when calling them. Were the GPU's already used or still pending? If already used, I could see a delay while they look into the details, but otherwise I would keep calling until they are back (I only hope the fraud department has some clue as to how to redeposit them).
As others have noted, this is incredibly ballsy. Were the flights originating in the US? Did they have a name etc... associated with them? I would think the FBI would be interested in this, as it is likely interstate (if not international) fraud at a bare minimum.
Either way, I called the CC agents up and they put a note on my account just in case. I can call up and list the charges as fraud, but then they'd have to close the account and whatnot. I don't see it being a real fraud issue with the card as .bomb only stores the last 4 digits of the card anyway and it is now deleted from my stored cards.
I will have to call up on Friday to follow up with the open items and GPUs/RPUs. They used the for domestic flights as well as for international flights (to/from HKG). The fraud agent was a Manila call center rep who had done reservations and whatnot before, so she was familiar with shares.
Not sure if UA will follow up regarding this, but I honestly couldn't really be bothered as long as I get all my $$ and miles back.