
AAdvantage account data / security breaches Dec 2014 (merged)

Old Jan 13, 2015, 9:39 pm
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: JDiver

United Airlines and American Airlines have confirmed that cyber criminals, using stolen usernames and passwords, accessed frequent flyer accounts in December 2014. Once the thieves fraudulently obtained access to these accounts, miles were transferred, used to book trips and even redeemed for upgrades.

According to American spokeswoman Martha Thomas, as reported by AP, nearly 10,000 AAdvantage accounts may have been compromised. Thomas said the airline has frozen some accounts while it works with customers to set up new AAdvantage memberships. Thomas also confirmed that mileage bandits were able to obtain free travel and upgrades without the members’ knowledge or consent in at least two instances.

...

Both airlines insist that their computer networks were not compromised. It appears the thieves obtained username and password information from another company’s site. The thieves were able to use this information to access individual accounts only in cases where the username and password matched the exact login credentials of the hacked site. To prevent this kind of incident from occurring again, United is now requiring MileagePlus members to enter their account number when logging in.

Jeff Edwards, 12 Jan 2015, FlyerTalk. Copyright © 2015 Flyertalk.com.
Link.
Thomas said that American would pay for a credit-watch service for one year for affected customers. (See below e-mail; one year Experian credit monitoring.)

Both were quick to say that nobody hacked their systems — that thieves got usernames and passwords somewhere else and tried to use them to log into American’s AAdvantage and United’s MileagePlus, hoping that the login information would be the same. They said that other information such as entire credit-card numbers was not exposed.

The representatives said they did not know how thieves acquired the usernames and passwords. Thomas said American had referred the matter to the FBI.

In Part, from AP via Dallas Morning News: Link

Originally Posted by fmkgb
Just received the following email. I assume everyone affected will receive it. There are 2 attachments. 1) How to enroll in Experian, 2) generic information about steps to protect yourself against fraud and identity theft.

"Hello____,
We are writing to inform you about an incident involving unauthorized access to your online AAdvantage® account. An unauthorized third party recently used email addresses and passwords obtained from sources other than American Airlines to log into certain accounts, including yours. This could have resulted in access to the information that you see when you log in to your account, such as your name, email address, phone number, postal address, date of birth, the last four digits of your credit or debit card and its expiration date, your AAdvantage number, and information about the miles, mileage activity, the points that you have accrued, and the last four digits of passport numbers. In a small number of cases, known‑traveler IDs and redress numbers, as well as the last four digits of U.S. resident card numbers, also may have been compromised. Based on our review, the unauthorized access occurred on or about December 30, 2014.

Importantly, the affected accounts do not contain Social Security numbers or full credit or debit card numbers. We are in the process of working with U.S. federal law enforcement and are continuing to investigate the incident.

For your security, we have created a new AAdvantage account for you and a new AAdvantage number. We are in the process of transferring all of the miles from your old account to your new account. Once that merge is complete, your new number is emailed to you. You can use that new account number to log in to your account on aa.com. You will need to create a new password at that time, which you can do by clicking the "Forgot your password" link below the field where you would enter a password. You should not use the password you previously used for your AAdvantage account. Also, you should not use a password that you use for other online accounts.

Additionally, we have contracted with Experian to provide you a free one‑year membership in Experian's credit monitoring program. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on identification and resolution of identity theft. You may sign up for this service by following the instructions included in Attachment A. You will be able to access this offer at no cost until April 30, 2015.

Any unauthorized transfers of miles will be credited to your account. Nonetheless, we recommend that you carefully review your statements, account activity, and credit reports to help protect the security of your accounts. Attachment B contains more information about steps you can take to protect yourself against fraud and identity theft.

We apologize for any inconvenience this may have caused you. American Airlines takes information security very seriously and will continue to work to ensure that appropriate measures are taken to protect the personally identifiable information we maintain.

If you have further questions, please contact AAdvantage® Customer Service.
After business hours, please contact aa.com Web Services.

Regards,

Steven D. Leist
Chief Privacy Officer
Vice President – Technology Infrastructure
Note: you are entitled to get a free credit report from each Credit Reporting Agency (Equifax, Experian and TransUnion) every twelve months without cause, and again for cause. You can request your credit reports from this (only) service set up by the CRAs here: https://www.annualcreditreport.com/index.action. This is the only sanctioned site; others will try to sell you products.

Old Jan 19, 2015, 7:33 am
  #181  
FlyerTalk Evangelist
 
Join Date: May 2004
Location: DFW/DAL
Programs: AA Lifetime PLT, AS MVPG, HH Diamond, NCL Platinum Plus, MSC Diamond
Posts: 21,422
Originally Posted by JMN57
Lastpass is the way to go.
How is storing all of your passwords in one place the way to go? This way, if this one account is compromised, all accounts are compromised.
mvoight is offline  
Old Jan 19, 2015, 7:36 am
  #182  
Suspended
 
Join Date: Mar 2001
Location: FIND ME ON TWITTER FOR THE LATEST
Posts: 27,730
Originally Posted by KDB23
Updated existing US reservations last week with new AA number and the US system does not recognize that I am PLT with AA. Therefore lost all benefits of my status including TSA prck when I flew US last week. Spent 4 hours on the phone with customer service (no joke) trying to get AA to work with US to restore my status on US side (apparently no issue with status on American side). Eventually said system glitch would be fixed over the wknd. I just checked it was not. Will be flying again this week with no status on US airways.... Beyond frustrated and angry at this point - loss of upgrade opportunities at T-24, priority boarding, etc etc.
Wow, that stinks.
JonNYC is offline  
Old Jan 19, 2015, 8:04 am
  #183  
FlyerTalk Evangelist
 
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Originally Posted by mvoight
When changes are made to your account or awards are requested, you are sent an email. So, at least most people would know if someone had requested an award from their account
Yes, unless the hacker has changed your email address... As is reported many times here. Sending a message to the previous address is a very good approach to find out if someone is in the account getting ready to do something nasty. Now if they would only lockout any transactions long enough for you to get the message and maybe act upon it.
RogerD408 is offline  
Old Jan 19, 2015, 8:04 am
  #184  
 
Join Date: Dec 2003
Location: PHL
Programs: AA EXP, Marriott Lifetime Plat, SPG Plat, AMEX Plat, Hertz PC, Travels too Much Platinum
Posts: 3,290
Originally Posted by mvoight
How is storing all of your passwords in one place the way to go? This way, if this one account is compromised, all accounts are compromised.
Used correctly, password managers can improve security by making it easier to create and use strong passwords. For example, I don't even know what some of my critical passwords are - they're hugely long, complex monstrosities more than 30 characters long that my password manager can paste into a browser field to log in. They're protected with a very long master password that I only need to enter occasionally. It also alerts me if a site I use has recently been on the receiving end of a breach that's been announced.

But yeah, if you use a poor master password, then the compromise of it can leave you extremely exposed.
phlwookie is offline  
Old Jan 19, 2015, 8:15 am
  #185  
Suspended
 
Join Date: Mar 2001
Location: FIND ME ON TWITTER FOR THE LATEST
Posts: 27,730
Originally Posted by RogerD408
Yes, unless the hacker has changed your email address...
Exactly.
JonNYC is offline  
Old Jan 19, 2015, 4:42 pm
  #186  
 
Join Date: Oct 2010
Programs: SPG Gold, Hyatt GP Platinum
Posts: 468
If miles were used to upgrade and book reservations, then shouldn't they know who stole them? Since booking flight reservations require you to use your real name, you'd think they could easily trace the crime back to the criminals. Am I missing something?
fishy21 is offline  
Old Jan 19, 2015, 5:00 pm
  #187  
FlyerTalk Evangelist
 
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Originally Posted by fishy21
If miles were used to upgrade and book reservations, then shouldn't they know who stole them? Since booking flight reservations require you to use your real name, you'd think they could easily trace the crime back to the criminals. Am I missing something?
My guess is it's CYA mode. They don't want to divulge too much info to keep from being sued if they are wrong. And just because a secondary site, like TripIt might have been the source there is nothing to say they too were hacked by an outsider and this can go several layers deep. The ultimate user of the ticket/gift card may be identifiable, there's nothing to say they weren't victims of a fraudulent transaction such as a CL or EBay ad.

Many sites have implemented something like Captcha to block programmatic access. Since many people will choose simple passwords so they can remember them it won't take long to break in. I've always had issue with sites that use email addresses as usernames, those are so easy to harvest on the net, especially if you can get access to a major email node. I bet sites like Yahoo! pay big bucks to keep hacks quiet. Heaven knows they get a lot of spam from/to Yahoo! accounts.

Until all systems are outfitted with bio scanners and they use something not easily duplicated (not fingerprints) security will be left to user passwords and very vulnerable. Fortunately there are packages to help strengthen passwords, but then if that gets hacked game on again.
RogerD408 is offline  
Old Jan 19, 2015, 5:41 pm
  #188  
 
Join Date: May 2001
Location: Fort Worth, TX US
Programs: AAdvantage
Posts: 179
Follow-up email? Credit monitoring?

It's been ten days now since my wife's AA acct was compromised and she got the initial email, which ended with "We apologize for the inconvenience and will email you again soon with additional information."

No email since then. She had to call AA to get reservations and info moved to the new account. One CSR mentioned free credit monitoring, but we've heard nothing more about that, either.

Has anyone gotten follow-up emails or the promised credit monitoring? Do you think AA will tell us any more about this strange incident?
ziobacio is offline  
Old Jan 19, 2015, 6:30 pm
  #189  
Suspended
 
Join Date: Mar 2001
Location: FIND ME ON TWITTER FOR THE LATEST
Posts: 27,730
Originally Posted by ziobacio
It's been ten days now since my wife's AA acct was compromised and she got the initial email, which ended with "We apologize for the inconvenience and will email you again soon with additional information."

No email since then. She had to call AA to get reservations and info moved to the new account. One CSR mentioned free credit monitoring, but we've heard nothing more about that, either.
Really inexcusable-- so sorry to hear that.
JonNYC is offline  
Old Jan 19, 2015, 7:38 pm
  #190  
 
Join Date: Jan 2015
Location: LHR
Programs: AA
Posts: 773
How many people have gotten the free credit monitoring? I haven't heard anything about it recently.
chrisremo is offline  
Old Jan 19, 2015, 8:45 pm
  #191  
aeo
 
Join Date: Dec 2004
Posts: 258
Originally Posted by KDB23
Updated existing US reservations last week with new AA number and the US system does not recognize that I am PLT with AA. Therefore lost all benefits of my status including TSA prck when I flew US last week. Spent 4 hours on the phone with customer service (no joke) trying to get AA to work with US to restore my status on US side (apparently no issue with status on American side). Eventually said system glitch would be fixed over the wknd. I just checked it was not. Will be flying again this week with no status on US airways.... Beyond frustrated and angry at this point - loss of upgrade opportunities at T-24, priority boarding, etc etc.
This happened to me as well. For an itinerary with flights on US last Tue, and for an itinerary with flights on US and BA just this past weekend, I switched out my new AA account number for my old one. Both the US and BA systems immediately recognized my EXP status, I received all EXP benefits (including upgrades on US) and all miles (so far) have posted to my account accurately. I doubt this fix will be available indefinitely, but it's something to consider as a stop gap until AA can work this out.
aeo is offline  
Old Jan 20, 2015, 8:12 am
  #192  
 
Join Date: Jun 2014
Programs: AA EXP, Marriott Gold, Hyatt Platinum, Hilton Gold, IHG Platinum
Posts: 15
Originally Posted by ziobacio
It's been ten days now since my wife's AA acct was compromised and she got the initial email, which ended with "We apologize for the inconvenience and will email you again soon with additional information."

No email since then. She had to call AA to get reservations and info moved to the new account. One CSR mentioned free credit monitoring, but we've heard nothing more about that, either.

Has anyone gotten follow-up emails or the promised credit monitoring? Do you think AA will tell us any more about this strange incident?
This.
I was in the midst of a complicated itinerary (28 hrs of travel with a paid ticket linking up with an award ticket) when this went down. Had been trying to log into my account all morning and did not see the email until I boarded a 6 hour flight with no internets. Landed and spent the whole 2 hr layover trying to get my 10 ticketed future reservations back into my reservations list only to have only 3 show up. Did not receive the text message notifications with connecting gate or gate change info during this whole itinerary. On the 14th, before I saw the AP news blurb and found this thread, I sent a complaint to customer service asking for more information since I had not been contacted like the email stated and was wondering about cc info maybe being compromised. Not looking forward to calling again to get all of my reservations changed over to the new acct #.

Has anyone had any success with getting their past 6 months of summary data and mileage activity transferred to your new account?
bostonsteamer is offline  
Old Jan 20, 2015, 1:02 pm
  #193  
 
Join Date: Nov 2009
Posts: 204
This is absolutely ridiculous! I have been on the telephone for 45 minutes (still on hold) to add new Advantage number to current reservations. Had to speak to supervisor for them to apply stickers with the date originally applied, and not ONCE has anyone said "Sorry for your inconvenience". Now I am holding because my account says I'm a Citi credit card holder which I am not.

This is the WORST Customer Service I have EVER experienced!
artyam is offline  
Old Jan 20, 2015, 3:01 pm
  #194  
 
Join Date: Sep 2008
Programs: American AAdvantage
Posts: 1,045
Originally Posted by ziobacio
No email since then. She had to call AA to get reservations and info moved to the new account. One CSR mentioned free credit monitoring, but we've heard nothing more about that, either.
These data breaches must be a boon to the credit monitoring companies. Every time one occurs, folks get an offer for free credit monitoring.
Sant is offline  
Old Jan 20, 2015, 3:52 pm
  #195  
 
Join Date: Dec 2009
Location: PHL / NYC / PSA-BLQ
Programs: AA PPRO, Marriott/Hilton Gold, AMX-Plat, Global Entry
Posts: 3,109
Originally Posted by mvoight
How is storing all of your passwords in one place the way to go? This way, if this one account is compromised, all accounts are compromised.
But the one password should only be used on the Lastpass account and they encrypt your password file (256-bit AES). As someone else noted, use it to generate real, long and complex passwords and make sure that they are unique. To whatever extent possible, use unique IDs as well (harder as many sites default to e-mail). Change often (which lastpass can make easier).

Nothing is foolproof but the #1 way accounts are compromised is reuse of ID (e-mail often) and password combinations. Hackers automatically try them at sites to see if they get in. What they are looking for are accounts where payment vehicles are stored. If that is true, they can order up a storm.
JMN57 is offline  

