
Email regarding compromised App data

Old Aug 29, 2018, 9:05 am
  #46  
 
Join Date: Sep 2009
Location: YYZ
Programs: AC SE MM, Bonvoy Plat, Hilton G,Nexus, Amex MR Plat,IHG Plat
Posts: 4,422
So it appears that 20K approx accounts were hacked. Assuming this number is correct. OR as AC says, may or may not have been hacked. More important is it seems that everything except credit cards may have been hacked. This includes Name, DOB, email address, phone number, Nexus/passport info, etc. See below. Just fricking awesome.

What information may have been accessed?
Basic profile data stored on the Air Canada mobile App account includes your name, email address, and telephone number.

Information that you may have added to your profile includes: Aeroplan number, Passport number, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance and country of residence.
vernonc is offline  
Old Aug 29, 2018, 9:11 am
  #47  
 
Join Date: Apr 2008
Location: Ottawa
Programs: Altitude E50K / *G
Posts: 924
Originally Posted by DNAwizard
Good idea but no. Aeroplan/ACAltitude/eUpgrade password unchanged. I tested the sites before everything went down.
I was able to login into mobile+ and activate the touch ID using the new password. But I still get asked to change it!
I have no idea what is going on but I won't change anything anymore for the time being.
I have the same issue as you. I reset the password, but I cannot get into the Flight Pass App or the Air Canada app.
The Aeroplan app tells me that they are having technical issues

It's a good job I don't have to book a flight today!
dr_torch is offline  
Old Aug 29, 2018, 9:12 am
  #48  
FlyerTalk Evangelist
 
Join Date: Sep 1999
Location: Toronto, Ontario, Canada
Programs: OWEmerald; STARGold; BonvoyPlat; IHGPlat/Amb; HiltonGold; A|ClubPat; AirMilesPlat
Posts: 38,186
Tweet response from AC is their system is being flooded: “As many people are trying to access the same page at the same time, it generates a lot of traffic at the same time. I suggest trying to access your account later”.

BTW just received an email from AC inviting me to register to win gift cards! Maybe this should have been put off until we can fix our mobile passwords!
Shareholder is offline  
Old Aug 29, 2018, 9:20 am
  #49  
Suspended
 
Join Date: Nov 2007
Location: YVR
Programs: Air Canada Super Elite 2+ Million Miles
Posts: 2,478
Originally Posted by vernonc
So it appears that 20K approx accounts were hacked.
Well, AC used the word "confident" in their notice about how many affected.

Rather, AC did NOT use the word "certain", which would provide far more clarity.

btw...while "confident" means "self-assured", but since AC pledges all over the place to take care of the data entrusted to them, how can any customers be confident about AC promises going forward???

I agree with @Stranger, AC needs feet held to the fire either via the Privacy Commissioner of Canada, or even via the courts, if applicable.
skybluesea is offline  
Old Aug 29, 2018, 9:36 am
  #50  
 
Join Date: Aug 2013
Location: YVR - MILLS Waypoint (It's the third house on the left)
Programs: AC*SE100K, wood level status in various other programs
Posts: 6,226
Originally Posted by Shareholder
Tweet response from AC is their system is being flooded: “As many people are trying to access the same page at the same time, it generates a lot of traffic at the same time. I suggest trying to access your account later”.
Great.

Not only was/is it insecure, it doesn't scale either. Simply brilliant.

I'm very happy that whoever designed this and thought it was good is not on any of my teams.

As an aside, I wonder how their GDPR audit is going ...
Bohemian1 is online now  
Old Aug 29, 2018, 9:37 am
  #51  
 
Join Date: Apr 2016
Location: YYZ
Programs: TK *G
Posts: 3,099
I wish AC can provide more info about what part of the system got accessed and what exactly did this unauthorized access happen.

Someone guessed the password and private keys to database containing user info? Someone found a way to compromise the normal authentication flow of the app? Someone somehow guessed the password of 20K users?
songsc is offline  
Old Aug 29, 2018, 9:37 am
  #52  
 
Join Date: Mar 2005
Programs: E35
Posts: 139
It's a good reminder to check if your account has been part of a larger hack as well (LinkedIn or Adobe are two of the big ones). These guys aren't "hacking" AC, they're just running massive login lists against the app to see who still uses the same password on multiple sites. https://haveibeenpwned.com/ is a good place to check.

That being said, it's on AC to monitor their web traffic for this sort of high volume login attack. I got an email from PC Optimum this week for the same issue, so I'm guessing these guys were taking a run at a bunch of retailers.
cvkyyz is offline  
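
The kind of monitoring post #52 asks for, shown as an added example that is not part of the thread and is not Air Canada's code: it flags a source that tries many distinct accounts in a short window with almost no successes, and lists the accounts that did log in from that source. The log format, IP addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict


def make_sample_events():
    """Constructed login events: (timestamp_s, source_ip, username, success)."""
    events = [
        # Ordinary user: one typo, then a good login.
        (0, "198.51.100.7", "alice", False),
        (5, "198.51.100.7", "alice", True),
    ]
    # Credential-stuffing pattern: 40 different accounts, one try each, one hit.
    for i in range(40):
        events.append((10 + i, "203.0.113.9", f"user{i}", i == 17))
    # Shared office NAT: several accounts, but nearly all logins succeed.
    for i in range(12):
        events.append((20 + i * 3, "192.0.2.50", f"staff{i}", i != 3))
    return events


def detect_stuffing(events, window_s=60, min_accounts=20, max_success_ratio=0.2):
    """Return {ip: details} for sources that hit many distinct accounts
    inside a sliding window while mostly failing."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window until it spans at most window_s seconds.
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            window = evs[start:end + 1]
            accounts = {user for _, user, _ in window}
            ok_ratio = sum(ok for _, _, ok in window) / len(window)
            if len(accounts) >= min_accounts and ok_ratio <= max_success_ratio:
                flagged[ip] = {
                    "accounts_tried": len({u for _, u, _ in evs}),
                    # Successful logins from a flagged source need a forced reset.
                    "reset_required": sorted({u for _, u, ok in evs if ok}),
                }
                break
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(make_sample_events()))
```

Counting per source IP misses lists that are spread across many addresses, so the same ratio is also worth tracking for the login endpoint as a whole.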
Old Aug 29, 2018, 9:41 am
  #53  
 
Join Date: Aug 2013
Location: YVR - MILLS Waypoint (It's the third house on the left)
Programs: AC*SE100K, wood level status in various other programs
Posts: 6,226
Another reason to ensure that EVERY password is unique. And use a password manager if you need to.

Of course, all of us here do this already, but I also still know lots of 'IT professionals' who rely on the re-use of the same, arguably complex passwords across multiple accounts.
Bohemian1 is online now  
Old Aug 29, 2018, 9:41 am
  #54  
 
Join Date: Mar 2007
Location: Charlottetown, PE YYG
Programs: AC*SE, Bonvoy Lifetime Titanium
Posts: 303
Originally Posted by skybluesea
and why did it take 5 days to advise?

Did AC notice right away and try to keep this quiet, but found scope too big?

Did AC NOT notice and were asleep at the switch?

As my notice says NOT AFFECTED, I do NOT have standing to complain, but for those of you who have received notice that you're affected, may I suggest you make a complaint to the Privacy Commissioner of Canada.

https://www.priv.gc.ca/en/for-individuals/

And let's hang on as just because AC says only 20,000 accounts affected, who knows once this gets more scrutiny.
I got an email saying my account was one of the breached accounts and they have my passport, nexus, personal information excluding credit cards. I will be making a complaint... at the very least Air Canada should offer to pay for credit score/report monitoring.
BarrieTravelGuy is offline  
Old Aug 29, 2018, 9:44 am
  #55  
Suspended
 
Join Date: Sep 2014
Programs: AC SE100K-1MM, NH, DL, AA, BA, Global Entry/Nexus, APEC..
Posts: 18,877
Maybe AC can contact T-Mobile and PC Shoppers Optimum and they can do a group solve. OTOH......
cvkyyz likes this.
24left is offline  
Old Aug 29, 2018, 9:54 am
  #56  
 
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
Originally Posted by BarrieTravelGuy
I got an email saying my account was one of the breached accounts and they have my passport, nexus, personal information excluding credit cards. I will be making a complaint... at the very least Air Canada should offer to pay for credit score/report monitoring.
Here is a link to how to proceed with making a complaint to the office of the Privacy Commissioner - https://www.priv.gc.ca/en/report-a-c...-under-pipeda/

Hope this is helpful information for those who have had their accounts breached - it took me a while to find it so my intent is to save you that hassle
Geoflying is offline  
Old Aug 29, 2018, 9:58 am
  #57  
 
Join Date: Aug 2013
Location: YVR - MILLS Waypoint (It's the third house on the left)
Programs: AC*SE100K, wood level status in various other programs
Posts: 6,226
Originally Posted by BarrieTravelGuy
... at the very least Air Canada should offer to pay for credit score/report monitoring.
They just might do that. But be aware that this is just a bandaid at best.

Brian Krebs has this good piece on why credit monitoring is less than effective. This Q&A was triggered by the Equifax breach, but it's still good info to have.

Sadly credit security freezes are not available in Canada because the banks simply don't want to do it.
BarrieTravelGuy likes this.
Bohemian1 is online now  
Old Aug 29, 2018, 9:58 am
  #58  
 
Join Date: May 2014
Posts: 319
Pitiful...just pitiful!
Genetk44 is offline  
Old Aug 29, 2018, 10:12 am
  #59  
 
Join Date: Mar 2007
Location: Charlottetown, PE YYG
Programs: AC*SE, Bonvoy Lifetime Titanium
Posts: 303
I just called the phone number that was in my email from Air Canada telling me I had one of the breached accounts. The person was very misleading - told me the only thing they had was my name, phone number and email. I said what about passport, nexus, etc? He said "That was all encrypted... nothing they can do with it". When I asked why they said the passport info was low risk - why would it be any risk if they can't get the info?? Then he started to backtrack and said that yes - if your profile had Aeroplan number, Passport number, NEXUS number, Known Traveler Number, gender, birth date, nationality, passport expiration date, passport country of issuance and country of residence - then they did get that info. I was told to change my Aeroplan password immediately as someone may take my points. ... - it didn't say anything about that in the email. Who is running this thing??
BarrieTravelGuy is offline  
Old Aug 29, 2018, 10:13 am
  #60  
 
Join Date: Sep 2009
Location: YYZ
Programs: AC SE MM, Bonvoy Plat, Hilton G,Nexus, Amex MR Plat,IHG Plat
Posts: 4,422
Originally Posted by BarrieTravelGuy
I got an email saying my account was one of the breached accounts and they have my passport, nexus, personal information excluding credit cards. I will be making a complaint... at the very least Air Canada should offer to pay for credit score/report monitoring.
This. Where is the offer for credit report monitoring?
vernonc is offline  

