Conflicting information?
As one would expect in this type of situation, from reading the various posts, it seems like there are conflicting reports as to what happened when and what data was exposed...? The AAdvantage "supervisor" that I spoke with stated that on Dec 30th, my file, including name, address, contact email and phone #, and stored credit card info (last four #'s) were accessed in the data breach and that I should consider changing my email account address and email password, as well as my personal mobile #. I work in tech and focus on data analytics and mobile technologies, so I do have some understanding of potential impacts of such a data breach, but it would certainly position them in a more favorable light if they came out and shared with those impacted as to what they know and how they know it, along with a prudent set of recommendations as to what we should assume has been compromised... |
I had my number for 32 years and it was an all numeric number. It was replaced with an alphanumeric number and I wonder if the numbers hacked were all numeric ones.
|
Originally Posted by jeseay
(Post 24155068)
I had my number for 32 years and it was an all numeric number. It was replaced with an alphanumeric number and I wonder if the numbers hacked were all numeric ones.
|
Originally Posted by relangford
(Post 24153253)
To the topic, if we did not get the e-mail message, do we assume all is OK with our account?
Do not assume that. My account died sometime shortly after you wrote that post, and I certainly have not gotten any information at all from AA. I am currently on a very long hold trying to get someone somewhere to do something. For the record, I have never had a DM account, I don't have an AA-linked credit card, I use no third-party mileage tracking sites, have never participated in AA dining, AA shopping, Points.com, or any other mileage-related site. I don't accumulate miles on AA from any non-AA entity. I discovered I couldn't get into my account during a connection at DFW. I'm sure glad I print out boarding passes instead of relying on the app. |
Originally Posted by rockjaw
(Post 24154935)
I should consider changing my email account address and email password, as well as my personal mobile #
|
Originally Posted by rockjaw
(Post 24154935)
Conflicting information?
as well as my personal mobile # . |
Originally Posted by malexander131
(Post 24157119)
Personal mobile # seems a little excessive. That's fairly insecure information anyways.
Originally Posted by relangford
(Post 24153253)
To the topic, if we did not get the e-mail message, do we assume all is OK with our account?
|
Did the intruders know which accts had lots of miles? Did anyone here have their acct compromised even though they don't have many miles? My acct was fine, but I have less than 50K miles; my wife's acct was affected and she has around 200K miles.
I am still wondering about AA's attitude about this -- the lack of reliable, consistent information, and the absence of instructions on how we should proceed (whether other accts should be changed, what other actions we should take, etc). My wife got her email notice on Sat 1/10, which promised that they would email 'soon' with more information, but no word for 3 days. The CSR mentioned free credit monitoring, but no email about that, either. Many more questions, but no answers. |
Originally Posted by malexander131
(Post 24154191)
Reading about how this wasn't a "hack" but was the theft of credentials from a third party, any guesses on who that third party may be? My only two guesses would be the AAdvantage shopping mall and/or Points.com, whom you can both allow to access your account.
http://www.nydailynews.com/news/nati...icle-1.2075162 Amazon Hilton Marriott Hertz etc. I'd like to try to pinpoint which website was hacked, since this information has not yet been revealed. (It is shocking that usernames and passwords were inadequately encrypted also). It would be much easier to go to that compromised site and compare/delete credentials than to try to figure the connection to all of my travel site passwords. |
Originally Posted by fastflyer
(Post 24157474)
Would some of those here who were hacked indicate which big, third-party websites they use with same username/ pwd combo as their AAdvantage account?
My understanding is that the 3rd party site stored AA #s. The hackers then stole the AA # and the password for that site, then tried that password/AA# combination on aa.com, hoping that the password on aa.com would be the same. |
I wasn't even aware you could log into AA with a username that isn't your AA number. I've never done it. The only accounts I log into with the same credentials as AA (by which I mean, my AA number and that password) are AA-related.
|
Originally Posted by ziobacio
(Post 24157514)
I don't think anyone uses their AA # as a userid anywhere else, only at AA, and AA does not treat it as a private/secure ID, since it's printed out everywhere.
My understanding is that the 3rd party site stored AA #s. The hackers then stole the AA # and the password for that site, then tried that password/AA# combination on aa.com, hoping that the password on aa.com would be the same. Of course, this is all cloaked in mystery for some reason and I've had no official communication from AA beyond the duplicate account e-mail on Saturday. Only what I've read in the media and a brief conversation with a helpful AAdvantage rep yesterday. I have to imagine they are still wrapping their heads around this and trying to figure out exactly what/when/where things went wrong. At some point they'll need to notify us (at least in California) if data loss has occurred. Law requires it. |
Following this saga I first logged in to our accounts on Sunday night and they were fine. After the info dribbled out that they closed accounts in a hierarchy from EXP/PLT and those with high account balances, I started to worry, as our accounts have high balances but are inactive. One poster said he has no status and has a balance of hundreds of thousands of miles and his account was hacked. We are lowly gold but we too have a high number of hundreds of thousands.
As of now, no emails and we can log in. I guess we can breathe a sigh of relief. I am always wary of giving out access to various services because you never know which link would break and the outcome is always ugly. Still, it would be most helpful if AA could reveal more information as to where the attack came from, and how much was stolen. |
Maybe it's a rental car or hotel chain. I know that Hilton and Hertz both allow you to store your AA number for credit, even if you are not actively taking AA miles as the primary credit choice.
Time to go delete airline ff numbers from these tertiary websites. How on earth did a major travel site get passwords hacked in plaintext (meaning not encrypted, and apparently linked to account information as disparate as an airline frequent flyer number -- on a single server rather than a separate, authentication-only server)? |
Originally Posted by Happy
(Post 24157573)
After the info dribbled out that they closed accounts in a hierarchy from EXP/PLT and those with high account balances, I started to worry, as our accounts have high balances but are inactive.
|