I learned at 7am today that someone hacked my account when my password was failing and I saw emails from 6am that my password and account info were updated.
I was able to get back in with my security questions and found a name, address, phone and email in the UK were attached to my account. I changed my info back, updated my password and security questions.
Points were not taken and future trips were still intact. It was at this point I searched for MFA options but, as mentioned upthread, this is not a priority for AA.
Did I catch the issue quickly enough (1 hour) that the hacker didn’t have time to muck with my account? Or should I be worried they may already have info they need to call in and redeem trips over the phone?