
Email regarding compromised App data

Old Aug 29, 18, 4:23 am
  #1  
Original Poster
 
Join Date: Jan 2012
Location: YYZ
Posts: 59

Hello all,

A few hours ago I received an email that appears to be legitimate from Air Canada regarding what seems to have been attempts to use the Air Canada app to obtain user data.
The email states that from August 22-24 there were unauthorised attempts to log in to various accounts using the app and some 20,000 customers have been affected, including myself.
It appears that all user information was able to be accessed, including any information you added to the app beyond basic user data (name, email, phone number), which may include Aeroplan number, Passport information, Nexus, Known Traveller info etc.
Credit Card information they advise was not accessible, nor were Aeroplan passwords.

The email states that all Air Canada mobile app accounts have been locked and the password must be reset with new more stringent requirements.

All in it looks very legitimate but phishing emails are getting more and more sophisticated. So before I go doing anything, has anyone else received the same and does anyone have any information whether this is legitimate or not? Don't see any mention of this on the Air Canada website or social media channels so I'm suspicious; however, on the app my account has been locked.
atco is offline  
Old Aug 29, 18, 4:24 am
  #2  
Suspended
 
Join Date: Mar 2017
Programs: AC
Posts: 2,167
I received this as well. I doubt this breach occurs given my super secure password.
longtimeflyin is offline  
Old Aug 29, 18, 4:56 am
  #3  
 
Join Date: Mar 2009
Location: Sudbury-North Shore-Manitoulin
Programs: AP SPG HH
Posts: 625
Same here. I am waiting for an official public statement from Air Canada before I do anything.
Northern Canuck is offline  
Old Aug 29, 18, 5:07 am
  #4  
Suspended
 
Join Date: Oct 2015
Location: Economy, mostly :(
Programs: Skywards Gold
Posts: 7,766
Seems like an easy way to check this would be to try to log in to the app and see if your account is indeed locked. If so then reset it in the app, obviously don't click anything in the e-mail.
skywardhunter is offline  
Old Aug 29, 18, 5:09 am
  #5  
 
Join Date: Oct 2013
Location: YEG
Programs: AC Lifetime SE100K, 3MM, SPG Lifetime Plat, Hertz PC, National Executive Elite
Posts: 2,901
It is legit. My FP app has not worked for days. I used the link in the letter to reset my password.
YEG_SE4Life is offline  
Old Aug 29, 18, 5:26 am
  #6  
 
Join Date: Mar 2009
Location: Sudbury-North Shore-Manitoulin
Programs: AP SPG HH
Posts: 625
AC Facebook chat says it is legitimate.
Northern Canuck is offline  
Old Aug 29, 18, 5:30 am
  #7  
 
Join Date: Dec 2007
Location: Greater Metropolitan Area
Programs: Yes
Posts: 285
I requested a password reset from within the app - but I'm getting "The reset link is invalid. Please try again from the link sent in your Air Canada mobile+ reset email". That's the one I'm trying.

I then tried the earlier link from the "Phishing" email. Same error. So now neither reset link works.

Great job Air Canada - what a great way of improving security, by sending an unsolicited email including a password reset link that then doesn't work after you've tried resetting through the app, which in itself doesn't work...
Quark999 is offline  
Old Aug 29, 18, 5:31 am
  #8  
 
Join Date: Jan 2015
Location: YQB
Programs: AC SE100K-1MM, WS Gold, Bonvoy Gold, HHonors Diamond, VIA Premier, NEXUS/GE
Posts: 766
I received an email as well.
Not very reassuring. I would have hoped for something more informative.
DNAwizard is offline  
Old Aug 29, 18, 5:44 am
  #9  
Original Poster
 
Join Date: Jan 2012
Location: YYZ
Posts: 59
Yes confirmed legitimate with Twitter team, link here to official release
https://www.aircanada.com/ca/en/aco/home/book/travel-news-and-updates/2018/notice-air-canada-mobile-app-users.html

Pretty unhappy that this went on for up to 2 full days. Thankfully I had almost no information stored on the app. Also not very helpful to be told that my account "may" have been accessed. Surely they know if it was or wasn't. Whole different World between one or the other. If someone tried and failed to get in then it's just a minor inconvenience resetting the password, if they did get in and accessed information that's another thing entirely.
Would like to know one way or the other.
atco is offline  
Old Aug 29, 18, 6:10 am
  #10  
 
Join Date: Jan 2015
Location: YQB
Programs: AC SE100K-1MM, WS Gold, Bonvoy Gold, HHonors Diamond, VIA Premier, NEXUS/GE
Posts: 766
Originally Posted by Quark999
I requested a password reset from within the app - but I'm getting "The reset link is invalid. Please try again from the link sent in your Air Canada mobile+ reset email". That's the one I'm trying.

I then tried the earlier link from the "Phishing" email. Same error. So now neither reset link works.

Great job Air Canada - what a great way of improving security, by sending an unsolicited email including a password reset link that then doesn't work after you've tried resetting through the app, which in itself doesn't work...
I used the link in the email as well and the first time I used it, I received an error message. The second time I clicked it, it takes me to the main AC.com webpage.
Not very useful to say the least.
DNAwizard is offline  
Old Aug 29, 18, 6:28 am
  #11  
 
Join Date: Aug 2018
Programs: AMEX Centurion, UA Gold, Stariott Plat., HH Gold, National EE, Hertz PC
Posts: 270
Originally Posted by DNAwizard
I used the link in the email as well and the first time I used it, I received an error message. The second time I clicked it, it takes me to the main AC.com webpage.
Not very useful to say the least.
Same here. Seems like AC forgot to include Mobile+ when they re-hauled their website.
secretalcoholic is offline  
Old Aug 29, 18, 6:31 am
  #12  
 
Join Date: Oct 2013
Location: YEG
Programs: AC Lifetime SE100K, 3MM, SPG Lifetime Plat, Hertz PC, National Executive Elite
Posts: 2,901
Originally Posted by atco
Also not very helpful to be told that my account "may" have been accessed. Surely they know if it was or wasn't. Whole different World between one or the other. If someone tried and failed to get in then it's just a minor inconvenience resetting the password, if they did get in and accessed information that's another thing entirely.
Would like to know one way or the other.
My letter says

"Am I affected?
During our investigation, we determined during the time period from Aug. 22‑24, 2018, approximately one per cent or 20,000 user profiles of our 1.7 million Air Canada mobile App accounts may have been improperly accessed. We have since determined your user profile is among these accounts."

So, it looks like, if they can determine that your account was affected, they tell you. Perhaps, if they haven't detected improper activity in an account, they can't necessarily prove it didn't happen.
YEG_SE4Life is offline  
Old Aug 29, 18, 6:45 am
  #13  
 
Join Date: Nov 2017
Posts: 3,359
Originally Posted by YEG_SE4Life
My letter says

"Am I affected?
During our investigation, we determined during the time period from Aug. 22‑24, 2018, approximately one per cent or 20,000 user profiles of our 1.7 million Air Canada mobile App accounts may have been improperly accessed. We have since determined your user profile is among these accounts."

So, it looks like, if they can determine that your account was affected, they tell you. Perhaps, if they haven't detected improper activity in an account, they can't necessarily prove it didn't happen.
Received similar email claiming to be from AC, forwarded it on to Phishing department since AC is never supposed to send these types of email out in the first place. Couple minutes later received another such email from them, forcing me to do some more digging around. Upon re-checking that initial email I got, it says the following:

"Am I affected?
As a result of our analysis, we are confident your account was not affected by these unauthorized attempts. As an additional security precaution however, we have locked all Air Canada mobile App accounts to further protect customer data.

To reactivate your Air Canada mobile App account, please see the instructions below or follow the prompts the next time you log into your Air Canada mobile App.

Your privacy and the protection of your data are extremely important to Air Canada. Our security is multi‑layered, and we work with leading industry experts to continuously improve our practices as technology and security procedures evolve."

I'll update this later I guess (keeping it locked till I absolutely need to use that login feature).

Safe Travels,

James
FlyerTalker70 is offline  
Old Aug 29, 18, 7:06 am
  #14  
FlyerTalk Evangelist
 
Join Date: Sep 1999
Location: Toronto, Ontario, Canada
Programs: OWEmerald; STARGold; SPGPlat; PCPlat/Amb; HiltonDiamond; CarlsonGold; A|ClubPat; AirMilesGold
Posts: 38,106
Using the reset link in the reply email still just gets me to the regular booking screen with no way to get to a screen letting me reset my password. Major AC screw up!
Shareholder is offline  
Old Aug 29, 18, 7:10 am
  #15  
 
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
So I just tried to access the app and it prompted me to reset my password. However that just led me to the login screen and, of course, my old password did not work. There was no "Reset Password" function.

A short time later I got this email:

Dear Geoflying,

We noticed unusual login behaviour with your Air Canada mobile+ account, or you may have forgotten your password.

To ensure your safety and as a precaution, we've temporarily deactivated your account.

To reactivate your account, please click the link below to reset your password.
<link redacted>

Thank you,

Air Canada mobile+ Team
Clicking on the reset link (which appears to be a legit link on services.aircanada.com) just takes me to the main AC page as reported elsewhere in this thread.

What a gong show
Geoflying is offline  
