AAdvantage account data / security breaches Dec 2014 (merged) (https://www.flyertalk.com/forum/american-airlines-aadvantage/1644692-aadvantage-account-data-security-breaches-dec-2014-merged.html)

rockjaw Jan 12, 2015 9:40 pm

Conflicting information?

As one would expect in this type of situation, from reading the various posts, it seems like there are conflicting reports as to what happened when and what data was exposed.....?

The AAdvantage "supervisor" that I spoke with stated that on Dec 30th, my file, including name, address, contact email and phone #, and stored credit card info (last four #'s) were accessed in the data breach and that I should consider changing my email account address and email password, as well as my personal mobile #.

I work in tech and focus on data analytics and mobile technologies, so I do have some understanding of potential impacts of such a data breach, but it would certainly position them in a more favorable light if they came out and shared with those impacted as to what they know and how they know it, along with a prudent set of recommendations as to what we should assume has been compromised.....

jeseay Jan 12, 2015 10:13 pm

I had my number for 32 years and it was an all-numeric number. It was replaced with an alphanumeric number and I wonder if the numbers hacked were all numeric ones.

chrisremo Jan 12, 2015 10:40 pm


Originally Posted by jeseay (Post 24155068)
I had my number for 32 years and it was an all-numeric number. It was replaced with an alphanumeric number and I wonder if the numbers hacked were all numeric ones.

They were not. I had my number for 28 years and it was alphanumeric.

Kitty Hawk Jan 13, 2015 8:09 am


Originally Posted by relangford (Post 24153253)
To the topic, if we did not get the e-mail message, do we assume all is OK with our account?


Do not assume that. My account died sometime shortly after you wrote that post, and I certainly have not gotten any information at all from AA.

I am currently on a very long hold trying to get someone somewhere to do something.

For the record, I have never had a DM account, I don't have an AA-linked credit card, I use no third-party mileage tracking sites, have never participated in AA dining, AA shopping, Points.com, or any other mileage-related site. I don't accumulate miles on AA from any non-AA entity.

I discovered I couldn't get into my account during a connection at DFW. I'm sure glad I print out boarding passes instead of relying on the app.

austin_modern Jan 13, 2015 8:25 am


Originally Posted by rockjaw (Post 24154935)
I should consider changing my email account address and email password, as well as my personal mobile #

Good lord... what a C.F.

malexander131 Jan 13, 2015 8:32 am


Originally Posted by rockjaw (Post 24154935)
Conflicting information?
as well as my personal mobile #

.

Personal mobile # seems a little excessive. That's fairly insecure information anyways.

JonNYC Jan 13, 2015 8:36 am


Originally Posted by malexander131 (Post 24157119)
Personal mobile # seems a little excessive. That's fairly insecure information anyways.

That agent who said that was just improvising a bit, obviously.


Originally Posted by relangford (Post 24153253)
To the topic, if we did not get the e-mail message, do we assume all is OK with our account?

More important than being in receipt of the email, at any given point over the last 3 days, is if you can log in. I'm under the impression, though, that if by this a.m. you have no email from AA-- or, again, more indicatively, can log in, you're not in the impacted group of accounts.

ziobacio Jan 13, 2015 9:15 am

Did the intruders know which accts had lots of miles? Did anyone here have their acct compromised even though they don't have many miles? My acct was fine, but I have less than 50K miles; my wife's acct was affected and she has around 200K miles.

I am still wondering about AA's attitude about this -- the lack of reliable, consistent information, and the absence of instructions on how we should proceed (whether other accts should be changed, what other actions we should take, etc). My wife got her email notice on Sat 1/10, which promised that they would email 'soon' with more information, but no word for 3 days. The CSR mentioned free credit monitoring, but no email about that, either. Many more questions, but no answers.

fastflyer Jan 13, 2015 9:43 am


Originally Posted by malexander131 (Post 24154191)
Reading about how this wasn't a "hack" but was the theft of credentials from a third party, any guesses on who that third party may be? My only two guesses would be the AAdvantage shopping mall and/or Points.com, whom you can both allow to access your account.


http://www.nydailynews.com/news/nati...icle-1.2075162

Would some of those here who were hacked indicate which big, third-party websites they use with same username/ pwd combo as their AAdvantage account?

Amazon
Hilton
Marriott
Hertz
LinkedIn

etc.

I'd like to try to pinpoint which website was hacked, since this information has not yet been revealed. (It is shocking that usernames and passwords were inadequately encrypted also). It would be much easier to go to that compromised site and compare/ delete credentials than to try to figure the connection to all of my travel site passwords.

ziobacio Jan 13, 2015 9:49 am


Originally Posted by fastflyer (Post 24157474)
Would some of those here who were hacked indicate which big, third-party websites they use with same username/ pwd combo as their AAdvantage account?

I don't think anyone uses their AA # as a userid anywhere else, only at AA, and AA does not treat it as a private/secure ID, since it's printed out everywhere.

My understanding is that the 3rd party site stored AA #s. The hackers then stole the AA # and the password for that site, then tried that password/AA# combination on aa.com, hoping that the password on aa.com would be the same.
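
The credential-reuse pattern described in the post above shows up in login logs as one source trying many different account numbers in a short time and mostly failing. An added example (not from the thread or from AA; the log fields, thresholds, addresses and account numbers are assumptions constructed for illustration) that flags such a source and lists the accounts it did get into, which are the ones to lock and reset:

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_events():
    """Constructed login events: (time, source IP, account number, success)."""
    base = datetime(2014, 12, 30, 2, 0, 0)
    events = []
    # One source walking a stolen list; a single reused password works.
    stolen = ["A1B2C34", "1234567", "K7X9P22", "9ZZ8Y10",
              "7654321", "Q2W3E44", "M5N6B78", "0011223"]
    for i, acct in enumerate(stolen):
        events.append((base + timedelta(seconds=20 * i), "198.51.100.7",
                       acct, acct == "K7X9P22"))
    # A member mistyping their own password twice, then getting it right.
    for i, ok in enumerate([False, False, True]):
        events.append((base + timedelta(seconds=40 * i), "203.0.113.20",
                       "5550001", ok))
    # Several members logging in normally from one shared office address.
    for i, acct in enumerate(["5550002", "5550003", "5550004"]):
        events.append((base + timedelta(minutes=i), "203.0.113.50", acct, True))
    return events


def find_stuffing(events, window=timedelta(minutes=10),
                  min_accounts=5, max_success_ratio=0.3):
    """Map each suspicious source IP to the accounts it logged in to.

    A source is suspicious when, inside one sliding window, it attempts at
    least `min_accounts` distinct accounts and at most `max_success_ratio`
    of those attempts succeed.
    """
    by_ip = defaultdict(list)
    for ts, ip, acct, ok in sorted(events):
        by_ip[ip].append((ts, acct, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # drop attempts older than the window
            span = rows[start:end + 1]
            accounts = {acct for _, acct, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if (len(accounts) >= min_accounts
                    and successes / len(span) <= max_success_ratio):
                # Every account this source ever got into needs a reset.
                flagged[ip] = sorted({a for _, a, ok in rows if ok})
                break
    return flagged
```

Counting distinct accounts per source, rather than failures per account, is what separates this from an ordinary lockout counter: each targeted account sees only one attempt.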

chrisremo Jan 13, 2015 9:49 am

I wasn't even aware you could log into AA with a username that isn't your AA number. I've never done it. The only accounts I log into with the same credentials as AA (by which I mean, my AA number and that password) are AA-related.

dll Jan 13, 2015 9:57 am


Originally Posted by ziobacio (Post 24157514)
I don't think anyone uses their AA # as a userid anywhere else, only at AA, and AA does not treat it as a private/secure ID, since it's printed out everywhere.

My understanding is that the 3rd party site stored AA #s. The hackers then stole the AA # and the password for that site, then tried that password/AA# combination on aa.com, hoping that the password on aa.com would be the same.

That is my read of the tea leaves as well.

Of course, this is all cloaked in mystery for some reason and I've had no official communication from AA beyond the duplicate account e-mail on Saturday. Only what I've read in the media and a brief conversation with a helpful AAdvantage rep yesterday.

I have to imagine they are still wrapping their heads around this and trying to figure out exactly what/when/where things went wrong. At some point they'll need to notify us (at least in California) if data loss has occurred. Law requires it.

Happy Jan 13, 2015 9:58 am

Following this saga, I first logged in to our accounts on Sunday night and they were fine. After the info dribbled out that they closed accounts in a hierarchy from EXP/PLT and those with high account balances, I started to worry, as our accounts have high balances but are inactive. One poster said he has no status and has a balance of hundreds of thousands of miles, and his account was hacked. We are lowly gold but we too have a high number of hundreds of thousands.
As of now, no emails and we can log in. I guess we can breathe a sigh of relief. I am always wary of giving out access to various services because you never know which link would break and the outcome is always ugly.

Still, it would be most helpful if AA could reveal more information as to where the attack came from, and how much was stolen.

fastflyer Jan 13, 2015 10:02 am

Maybe it's a rental car or hotel chain. I know that Hilton and Hertz both allow you to store your AA number for credit, even if you are not actively taking AA miles as the primary credit choice.

Time to go delete airline ff numbers from these tertiary websites.

How on earth did a major travel site get passwords hacked in plaintext (meaning not encrypted, and apparently linked to account information as disparate as an airline frequent flyer number -- on a single server rather than a separate, authentication-only server)?

fmkgb Jan 13, 2015 10:15 am


Originally Posted by Happy (Post 24157573)
After the info dribbled out that they closed accounts in a hierarchy from EXP/PLT and those with high account balances, I started to worry, as our accounts have high balances but are inactive.

I don't think this hierarchy is true. My mother (AA GOLD) was emailed Saturday Jan 10 around 2:30PM. She has around 300,000 miles in her account and has activity several times a month from either AA flights and/or Rewards Network postings. I (AA PLAT) was emailed January 12 around 2:40PM. I have approx 700,000 miles and have activity almost every month from AA flights.


All times are GMT -6.