0 min left

United & American Frequent Flyer Accounts Hacked, Miles Stolen in Cyber Attack


Hackers booked tickets and redeemed upgrades using miles siphoned from the accounts of United Airlines MileagePlus and American Airlines AAdvantage members in December.

United Airlines and American Airlines have confirmed that cyber criminals, using stolen usernames and passwords, accessed frequent flyer accounts in December 2014. Once the thieves fraudulently obtained access to these accounts, miles were transferred, used to book trips and even redeemed for upgrades.

According to American spokeswoman Martha Thomas, as reported by AP, nearly 10,000 AAdvantage accounts may have been compromised. Thomas said the airline has frozen some accounts while it works with customers to set up new AAdvantage memberships. Thomas also confirmed that mileage bandits were able to obtain free travel and upgrades without the members’ knowledge or consent in at least two instances.

American began notifying affected customers by email on Monday. The airline says it will offer a free year of credit-watch service to those whose frequent flyer accounts have been violated.

Luke Punzenberger, a spokesman for United, said that fraudulent transactions were detected on as many as three dozen MileagePlus accounts. The airline began alerting members in late December, and Punzenberger said United would replace any stolen miles in affected accounts.

Both airlines insist that their computer networks were not compromised. It appears the thieves obtained username and password information from another company’s site. The thieves were able to use this information to access individual accounts only in cases where the username and password matched the exact login credentials of the hacked site. To prevent this kind of incident from occurring again, United is now requiring MileagePlus members to enter their account number when logging in.

[Photo: iStock]

Comments are Closed.
Mbenz January 14, 2015

I am assuming they would have sold the miles to an unsuspecting 3rd party? otherwise it is obviously incredibly easy to trace...

alphaod January 14, 2015

It doesn't help that people can log in with a 4 digit pass code.

cestmoi123 January 13, 2015

Third party site probably means that, in one of the other breaches of late, people were using the same username and password as on the AA or UA sites, so it doesn't necessarily mean that the breach was at a company that had anything to do with AA or UA. While having a secure password is important, having DIFFERENT secure passwords is equally, if not more, important, so that if an attacker gets access to your login at site A, they can't then use that to log into site B.

vtmaa January 13, 2015

not just AA and UA. my DL account was hacked and 70000 miles stolen for an award ticket. DL returned the miles immediately and are investigating.

PeggyPecan January 13, 2015

This seems to be Uniteds way of operating anymore. It's never their fault.