Hackers booked tickets and redeemed upgrades using miles siphoned from the accounts of United Airlines MileagePlus and American Airlines AAdvantage members in December.
United Airlines and American Airlines have confirmed that cyber criminals, using stolen usernames and passwords, accessed frequent flyer accounts in December 2014. Once the thieves fraudulently obtained access to these accounts, miles were transferred, used to book trips and even redeemed for upgrades.
According to American spokeswoman Martha Thomas, as reported by AP, nearly 10,000 AAdvantage accounts may have been compromised. Thomas said the airline has frozen some accounts while it works with customers to set up new AAdvantage memberships. Thomas also confirmed that mileage bandits were able to obtain free travel and upgrades without the members’ knowledge or consent in at least two instances.
American began notifying affected customers by email on Monday. The airline says it will offer a free year of credit-watch service to those whose frequent flyer accounts have been violated.
Luke Punzenberger, a spokesman for United, said that fraudulent transactions were detected on as many as three dozen MileagePlus accounts. The airline began alerting members in late December, and Punzenberger said United would replace any stolen miles in affected accounts.
Both airlines insist that their computer networks were not compromised. It appears the thieves obtained username and password information from another company’s site. The thieves were able to use this information to access individual accounts only in cases where the username and password matched the exact login credentials of the hacked site. To prevent this kind of incident from occurring again, United is now requiring MileagePlus members to enter their account number when logging in.