Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > American Airlines | AAdvantage
Reload this Page >

AAdvantage account data / security breaches Dec 2014 (merged)

AAdvantage account data / security breaches Dec 2014 (merged)

    Hide Wikipost
Old Mar 3, 15, 8:16 am   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: JDiver
Wiki Link
Signed in members with 90 days / 90 posts can edit this Wikipost; wiki contents may be printed by using the (lower right wiki corner)

United Airlines and American Airlines have confirmed that cyber criminals, using stolen usernames and passwords, accessed frequent flyer accounts in December 2014. Once the thieves fraudulently obtained access to these accounts, miles were transferred, used to book trips and even redeemed for upgrades.

According to American spokeswoman Martha Thomas, as reported by AP, nearly 10,000 AAdvantage accounts may have been compromised Thomas said the airline has frozen some accounts while it works with customers to set up new AAdvantage memberships. Thomas also confirmed that mileage bandits were able to obtain free travel and upgrades without the members’ knowledge or consent in at least two instances.

...

Both airlines insist that their computer networks were not compromised. It appears the thieves obtained username and password information from another company’s site. The thieves were able to use this information to access individual accounts only in cases where the username and password matched the exact login credentials of the hacked site. To prevent this kind of incident from occurring again, United is now requiring MileagePlus members to enter their account number when logging in.

Jeff Edwards, 12 Jan 2015, FlyerTalk.. Copyright © 2015 Flyertalk.com.
Link.
Thomas said that American would pay for a credit-watch service for one year for affected customers. (See below e-mail; one year Experian credit monitoring.)

Both were quick to say that nobody hacked their systems — that thieves got usernames and passwords somewhere else and tried to use them to log into American’s AAdvantage and United’s MileagePlus, hoping that the login information would be the same. They said that other information such as entire credit-card numbers was not exposed.

The representatives said they did not know how thieves acquired the usernames and passwords. Thomas said American had referred the matter to the FBI.

In Part, from AP via Dallas Morning News: Link

Originally Posted by fmkgb View Post
Just received the following email. I assume everyone affected will receive it. There are 2 attachments. 1) How to enroll in Experian, 2) generic information about steps to protect yourself against fraud and identity theft.

"Hello____,
We are writing to inform you about an incident involving unauthorized access to your online AAdvantage® account. An unauthorized third party recently used email addresses and passwords obtained from sources other than American Airlines to log into certain accounts, including yours. This could have resulted in access to the information that you see when you log in to your account, such as your name, email address, phone number, postal address, date of birth, the last four digits of your credit or debit card and its expiration date, your AAdvantage number, and information about the miles, mileage activity, the points that you have accrued, and the last four digits of passport numbers. In a small number of cases, known‑traveler IDs and redress numbers, as well as the last four digits of U.S. resident card numbers, also may have been compromised. Based on our review, the unauthorized access occurred on or about December 30, 2014.

Importantly, the affected accounts do not contain Social Security numbers or full credit or debit card numbers. We are in the process of working with U.S. federal law enforcement and are continuing to investigate the incident.

For your security, we have created a new AAdvantage account for you and a new AAdvantage number. We are in the process of transferring all of the miles from your old account to your new account. Once that merge is complete, your new number is emailed to you. You can use that new account number to log in to your account on aa.com. You will need to create a new password at that time, which you can do by clicking the "Forgot your password" link below the field where you would enter a password. You should not use the password you previously used for your AAdvantage account. Also, you should not use a password that you use for other online accounts.

Additionally, we have contracted with Experian to provide you a free one‑year membership in Experian's credit monitoring program. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on identification and resolution of identity theft. You may sign up for this service by following the instructions included in Attachment A. You will be able to access this offer at no cost until April 30, 2015.

Any unauthorized transfers of miles will be credited to your account. Nonetheless, we recommend that you carefully review your statements, account activity, and credit reports to help protect the security of your accounts. Attachment B contains more information about steps you can take to protect yourself against fraud and identity theft.

We apologize for any inconvenience this may have caused you. American Airlines takes information security very seriously and will continue to work to ensure that appropriate measures are taken to protect the personally identifiable information we maintain.

If you have further questions, please contact AAdvantage® Customer Service.
After business hours, please contact aa.com Web Services.

Regards,

Steven D. Leist
Chief Privacy Officer
Vice President – Technology Infrastructure
Note: you are entitled to get a free credit from each Credit Reporting Agency(Equifax, Experian and TransUnion) report every twelve months without cause, and again for cause. You can request your credit reports from this (only) service set up by the CRAs here: https://www.annualcreditreport.com/index.action. This is the only sanctioned site; others will try to sell you products.

Print Wikipost

Old Jan 11, 15, 10:58 am
  #31  
 
Join Date: May 2001
Location: Fort Worth, TX US
Programs: AAdvantage
Posts: 179
Another bit of data: since my wife (who has the new AA#) and I always travel together, the missing reservations and holds are still showing in my account. If I look up those reservations, they are still showing my wife's old AA acct #.

So, it seems like they should be able to transfer over reservations and holds by updating the AA acct #s. I'm puzzled as to why this was not part of the new account creation.
ziobacio is offline  
Old Jan 11, 15, 11:11 am
  #32  
 
Join Date: May 2011
Posts: 7
I did not get any emails but suddenly this morning I was no longer able to log in or reset my password. I called AA and they told me my account number had changed and I should call Aadvantage Customer Service on Monday when they open to clear things up.

The agent told me my new account number and I was able to login with it. The new account has my mileage balance, Exec Plat status, and system wide upgrade balance, but nothing else. No past activity, none of my 4 upcoming itineraries, my 10 500-mile upgrades are missing, all personal info except my name and home address were gone.
poolc is offline  
Old Jan 11, 15, 12:08 pm
  #33  
 
Join Date: Nov 2010
Programs: AA PLT 3MM
Posts: 1,117
Originally Posted by RogerD408 View Post
The AAdvantage number itself is not the issue here. But access of the account, which should include a password, that is of concern. Granted one would think just forcing a change to the password would solve the problem. There may be other reasons for such a drastic approach and we will probably never know since it might expose a serious vulnerability they don't want others to know. Maybe there is a way to pull miles from an account without the password.
I seem to recall someone a while back posting how their ex-wife was able to gain access to their account, and cause havoc, simply by knowing the AAdvantage number and email address and using this to change the password. Therefore, if some security breach had revealed account numbers and email addresses then hackers could presumably do the same.

Of course, an obvious way to get this information would be a breach within the email provider, rather than AA. I wonder if there is any pattern to the email providers used by affected people.
dmsdfw is offline  
Old Jan 11, 15, 12:19 pm
  #34  
FlyerTalk Evangelist
 
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Originally Posted by dmsdfw View Post
I seem to recall someone a while back posting how their ex-wife was able to gain access to their account, and cause havoc, simply by knowing the AAdvantage number and email address and using this to change the password. Therefore, if some security breach had revealed account numbers and email addresses then hackers could presumably do the same.

Of course, an obvious way to get this information would be a breach within the email provider, rather than AA. I wonder if there is any pattern to the email providers used by affected people.
Online security is basically a joke... Even with a long list of profile questions, someone that is in the know (family, close friends, anyone they know, or just about anyone on Facebook) may know Mother's maiden name, first car, etc.. Personally, I choose to give answers that I will remember and don't come close to answering the actual question. Mother's maiden name: Yoda! She was short, Jaba might have been offensive.
RogerD408 is offline  
Old Jan 11, 15, 1:06 pm
  #35  
 
Join Date: Mar 2012
Posts: 10
Missing Account

Happened to me this last night as well. Flew from LAX-JFK-GIG. Arrived this morning, tried to login into my account right now. Unable to authenticate myself. Went to my mail e-mail box and saw the "security" warning and a new AAAdv account number. Tried to get a password for the new account without success.

I don't have any US airways account. When logged to my account some 40 hours ago to select my seats, the web site automatically directed me to an ok button to merge AA/US accounts. Big mess, member since '96, appears to be a very very serious and massive problem. Unable to see the status of my upgrades.
atostes is offline  
Old Jan 11, 15, 1:08 pm
  #36  
 
Join Date: Apr 2010
Posts: 1,050
Originally Posted by rrgg View Post
This is 100% speculation, but is it possible there's not an actual security issue? What I mean is whatever code was added to perform these merges also includes something to detect multiple merges.
Here's my speculation. What if the code added to perform the merges contained a major security vulnerability? For example, something that allowed an attacker to feed in random AAdvantage numbers and get back some information of value about them?
_kurt is offline  
Old Jan 11, 15, 1:13 pm
  #37  
FlyerTalk Evangelist
 
Join Date: Nov 2003
Location: South Florida
Programs: AA LTG (EXP), Hilton Silver (Dia), Marriott LTP (PP), SPG LTG (P) > MPG LTPP
Posts: 11,329
Also just accessed my AA account and there was a popup asking about adding my US account, which I don't have. Maybe if the wrong button is selected your account is flagged? As I remember there were three choices. I chose Do not remind me again. Just thinking out loud here...
RogerD408 is offline  
Old Jan 11, 15, 1:22 pm
  #38  
 
Join Date: Mar 2012
Posts: 10
Do not remind me again

I think (not sure) i choose the same option, "do not remind me again". In trouble now. In IT words, it's a migration process failure, it's probably affecting a huge number of accounts. This is very serious, hope they will fix this, i want my account number back together with my 500 miles upgrades and all related information.
atostes is offline  
Old Jan 11, 15, 2:08 pm
  #39  
 
Join Date: Mar 2012
Location: DFW
Programs: AA EXP, SPG PLT, HH GLD, MR PLT, Hertz 5*
Posts: 71
Originally Posted by dmsdfw View Post
I seem to recall someone a while back posting how their ex-wife was able to gain access to their account, and cause havoc, simply by knowing the AAdvantage number and email address and using this to change the password. Therefore, if some security breach had revealed account numbers and email addresses then hackers could presumably do the same.

Of course, an obvious way to get this information would be a breach within the email provider, rather than AA. I wonder if there is any pattern to the email providers used by affected people.
Seems the ex-wife didnt know the husband well enough other wise she would not have had to reset his password, and could have done havoc for a lot longer.

Even if an email provider was compromised, you would see other activity such as password resets on the email address.

Originally Posted by RogerD408 View Post
Online security is basically a joke... Even with a long list of profile questions, someone that is in the know (family, close friends, anyone they know, or just about anyone on Facebook) may know Mother's maiden name, first car, etc.. Personally, I choose to give answers that I will remember and don't come close to answering the actual question. Mother's maiden name: Yoda! She was short, Jaba might have been offensive.
Agree 100% with this statement, and its not just AA that suffers from this. Think about everywhere you login and how to reset passwords, the same everywhere.

From a security response assigning new AA FF number makes no sense, actually from a technical stand point it doesn't make much sense either but having worked in IT operations when in crisis mode the best decisions are not always made. Additionally they seem to be doing them individually instead of a batch process which seems they are having some sort of technical non-security related issues.

IF it was an actual breach they would probably bring the entire service offline while determining the scope of the breach and how the breach occurred.

Curious if anyone will be able to successful get their old FF number back?
ddistler is offline  
Old Jan 11, 15, 2:28 pm
  #40  
 
Join Date: Jan 2015
Location: SFO
Programs: AA Platinum, SPG Gold
Posts: 769
New AA number assigned due to "unauthorized access"

I just got the following email out of the blue.

Duplicate Accounts Merged

As the result of unauthorized access to your AAdvantage account, we are providing you with a new AAdvantage account number. We will contact you again shortly with additional details, but in the meantime we have taken this action to help protect the security of your account.

Please be sure to use AAdvantage account XXXXXXX for all of your mileage earning and redemption activity. If you earn miles through any of our partners or book your flights through a travel agency or corporate booking tool, we recommend you update your account number with them.
All transactions and balances from the compromised account are included in account XXXXXXX, and there is a balance of XXXXXX miles available for award redemption.

To see additional account information, please login on AA.com with the new AAdvantage account number, and select Forgot/Need Password from the Login screen to create a new password. Do not use the same password that you used previously, and do not use the same password you use on other online sites. While you are logged into your account, we recommend you review your email and notification selections to ensure they are set properly.

If you have any questions about your account, please contact us at your convenience. We apologize for the inconvenience and will email you again soon with additional information.

Regards,
AAdvantage Customer Service
American Airlines
I'm pretty irritated at this. I know it seems like a silly thing to care about, but I've had my AA account number since 1987 when I was a child (my oldest continuing account of anything) and have had it memorized as long as I can remember. I really would prefer to keep my old one if at all possible. I highly doubt there was actually any "unauthorized access"--there haven't been any AA leaks recently as far as I'm aware and I've never seen any activity on my account that would suggest anything illicit.

Has anyone else had something like this happen, either in the past or recently? I'm wondering if it has anything to do with the AA/US account merge process, which I completed a few days ago.

If anyone has gone through this, were you able to restore your original number?
chrisremo is offline  
Old Jan 11, 15, 2:36 pm
  #41  
Suspended
 
Join Date: Mar 2001
Location: FIND ME ON TWITTER FOR THE LATEST
Posts: 27,734
Post

Memo is out:

American Airlines has identified a limited number of AAdvantage accounts that have been accessed by an unauthorized third party. AAdvantage is in the process of locking online AAdvantage accounts that have been compromised, and is notifying affected customers about the incident via e-mail...
EDIT to add: memo is actually from yesterday, 9am CT.

Last edited by JonNYC; Jan 11, 15 at 2:45 pm
JonNYC is offline  
Old Jan 11, 15, 2:37 pm
  #42  
 
Join Date: Jan 2015
Location: SFO
Programs: AA Platinum, SPG Gold
Posts: 769
I stupidly started a new thread about this because I missed this one somehow.

Anyway, I got both of these same emails. New AA number and also TSA Pre-Check interest (even though I already have a KTN).

Pretty irritated. I've had my AA number for almost my entire life and have known it by memory for as long as I can remember.

Edit: My account also lists both my reward miles and million miler total as 0. Great.
chrisremo is offline  
Old Jan 11, 15, 2:55 pm
  #43  
Suspended
 
Join Date: Mar 2001
Location: FIND ME ON TWITTER FOR THE LATEST
Posts: 27,734
The account merges that result from this incident started last night and will continue tonight and tomorrow.
JonNYC is offline  
Old Jan 11, 15, 3:05 pm
  #44  
 
Join Date: Mar 2012
Location: DFW
Programs: AA EXP, SPG PLT, HH GLD, MR PLT, Hertz 5*
Posts: 71
Originally Posted by JonNYC View Post
Memo is out:



EDIT to add: memo is actually from yesterday, 9am CT.
Well guess I was wrong.....it was a security incident.

Did they give an estimate about how many accounts would be impacted?
ddistler is offline  
Old Jan 11, 15, 3:12 pm
  #45  
 
Join Date: Jan 2015
Location: SFO
Programs: AA Platinum, SPG Gold
Posts: 769
Talked to AA Web Services and they said I should call Customer Service during their business hours.

Also when I logged in just now (not the previous time), it said I had to match my US account, which I had already previously done on my original AA number.
chrisremo is offline  

Thread Tools
Search this Thread
Search Engine: