Yesterday night when I tried logging into my account, I found out that my username/password was not working. Then I tried MileageNumber and PIN to login, which worked. When I entered the account, I saw someone had hacked into my account and changed my email, login and password. This hacker also used 98400 miles to buy two watches.

I still don't know how it happened. I have reported it to Mileage Plus (who sent email to their Fraud department) and customer service promised me that miles will be returned. I also informed United Mileage Plus Merchandise department and they are able to cancel the orders (as it happened just 2 days back). As per them miles will be returned in 10-15 business day.

But I found very interesting/scary that someone changed my account email address/login/password and I was not notified. Normally every website basic security 101 is that if someone changes email address, send an email to old email notifying your email has changed. United should implement this a basic security measure immediately. Also, when I called Mileage plus, they don't have a dedicated Fraud department who can help. Customer service person was very helpful, but she was not able to reach Fraud department person, as that person was not "in today"!!

Now I have to wait for 10-15 days...and hopefully I will get my miles back.

I was able to find the address where merchandise was going to be shipped and it looks like a post box run from some home in NJ (I am in CA)!! Definitely have the email address used by the hacker (as my email was changed to this) and order confirmation was sent to email as well. Any idea what to do with this information ?

Anyway...keep an eye on account. Looks like some hacker is eyeing Mileage Plus accounts....