Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > American Airlines | AAdvantage
Reload this Page >

AAdvantage account data / security breaches Dec 2014 (merged)

Old Jan 13, 15, 9:39 pm
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: JDiver
Signed in members with 90 days / 90 posts can edit this Wikipost; wiki contents may be printed by using the (lower right wiki corner)

United Airlines and American Airlines have confirmed that cyber criminals, using stolen usernames and passwords, accessed frequent flyer accounts in December 2014. Once the thieves fraudulently obtained access to these accounts, miles were transferred, used to book trips and even redeemed for upgrades.

According to American spokeswoman Martha Thomas, as reported by AP, nearly 10,000 AAdvantage accounts may have been compromised Thomas said the airline has frozen some accounts while it works with customers to set up new AAdvantage memberships. Thomas also confirmed that mileage bandits were able to obtain free travel and upgrades without the members’ knowledge or consent in at least two instances.


Both airlines insist that their computer networks were not compromised. It appears the thieves obtained username and password information from another company’s site. The thieves were able to use this information to access individual accounts only in cases where the username and password matched the exact login credentials of the hacked site. To prevent this kind of incident from occurring again, United is now requiring MileagePlus members to enter their account number when logging in.

Jeff Edwards, 12 Jan 2015, FlyerTalk.. Copyright © 2015 Flyertalk.com.
Thomas said that American would pay for a credit-watch service for one year for affected customers. (See below e-mail; one year Experian credit monitoring.)

Both were quick to say that nobody hacked their systems — that thieves got usernames and passwords somewhere else and tried to use them to log into American’s AAdvantage and United’s MileagePlus, hoping that the login information would be the same. They said that other information such as entire credit-card numbers was not exposed.

The representatives said they did not know how thieves acquired the usernames and passwords. Thomas said American had referred the matter to the FBI.

In Part, from AP via Dallas Morning News: Link

Originally Posted by fmkgb View Post
Just received the following email. I assume everyone affected will receive it. There are 2 attachments. 1) How to enroll in Experian, 2) generic information about steps to protect yourself against fraud and identity theft.

We are writing to inform you about an incident involving unauthorized access to your online AAdvantage® account. An unauthorized third party recently used email addresses and passwords obtained from sources other than American Airlines to log into certain accounts, including yours. This could have resulted in access to the information that you see when you log in to your account, such as your name, email address, phone number, postal address, date of birth, the last four digits of your credit or debit card and its expiration date, your AAdvantage number, and information about the miles, mileage activity, the points that you have accrued, and the last four digits of passport numbers. In a small number of cases, known‑traveler IDs and redress numbers, as well as the last four digits of U.S. resident card numbers, also may have been compromised. Based on our review, the unauthorized access occurred on or about December 30, 2014.

Importantly, the affected accounts do not contain Social Security numbers or full credit or debit card numbers. We are in the process of working with U.S. federal law enforcement and are continuing to investigate the incident.

For your security, we have created a new AAdvantage account for you and a new AAdvantage number. We are in the process of transferring all of the miles from your old account to your new account. Once that merge is complete, your new number is emailed to you. You can use that new account number to log in to your account on aa.com. You will need to create a new password at that time, which you can do by clicking the "Forgot your password" link below the field where you would enter a password. You should not use the password you previously used for your AAdvantage account. Also, you should not use a password that you use for other online accounts.

Additionally, we have contracted with Experian to provide you a free one‑year membership in Experian's credit monitoring program. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on identification and resolution of identity theft. You may sign up for this service by following the instructions included in Attachment A. You will be able to access this offer at no cost until April 30, 2015.

Any unauthorized transfers of miles will be credited to your account. Nonetheless, we recommend that you carefully review your statements, account activity, and credit reports to help protect the security of your accounts. Attachment B contains more information about steps you can take to protect yourself against fraud and identity theft.

We apologize for any inconvenience this may have caused you. American Airlines takes information security very seriously and will continue to work to ensure that appropriate measures are taken to protect the personally identifiable information we maintain.

If you have further questions, please contact AAdvantage® Customer Service.
After business hours, please contact aa.com Web Services.


Steven D. Leist
Chief Privacy Officer
Vice President – Technology Infrastructure
Note: you are entitled to get a free credit from each Credit Reporting Agency(Equifax, Experian and TransUnion) report every twelve months without cause, and again for cause. You can request your credit reports from this (only) service set up by the CRAs here: https://www.annualcreditreport.com/index.action. This is the only sanctioned site; others will try to sell you products.

Print Wikipost

AAdvantage account data / security breaches Dec 2014 (merged)

Old Jan 10, 15, 11:21 am
Original Poster
Join Date: Jun 2001
Location: LAX
Programs: AA EX PLT; Hilton Diamond; UA Plat
Posts: 2,316
Odd account security issue [AAdvantage account data breaches]

I was presented today with a very odd account security issue that I'm not sure I understand.

I yesterday successfully linked by US and AA accounts (confirmed on both sites). I had no issues with the link process and it immediately confirmed my accounts on both sides.

Today I received an e-mail from AAdvantage that states:

Subject: Duplicate Accounts Merged

"Dear DLL,

As the result of unauthorized access to your AAdvantage account, we are providing you with a new AAdvantage account number. We will contact you again shortly with additional details, but in the meantime we have taken this action to help protect the security of your account.

Please be sure to use AAdvantage account XYZABC for all of your mileage earning and redemption activity. If you earn miles through any of our partners or book your flights through a travel agency or corporate booking tool, we recommend you update your account number with them.

All transactions and balances from the compromised account are included in account XYZ1ABC, and there is a balance of XXX,XXX miles available for award redemption.

To see additional account information, please login on AA.com with the new AAdvantage account number, and select Forgot/Need Password from the Login screen to create a new password. Do not use the same password that you used previously, and do not use the same password you use on other online sites. While you are logged into your account, we recommend you review your email and notification selections to ensure they are set properly.

If you have any questions about your account, please contact us at your convenience. We apologize for the inconvenience and will email you again soon with additional information.


AAdvantage Customer Service

American Airlines"
I then confirmed on AA.com that my old account was disabled and I had to reestablish password credentials for my new account. It lost all of my upgrades (26 of them!), which I will have to e-mail them about. I also noted that my US account is still linked to the now expired account which I cannot update (so not sure it will merge successfully), and my upcoming reservations are linked to my now disabled account and I cannot update them online. My Business Extra account was also disabled in the process, and all of my stored companions and credit cards were deleted. All in all, a bit of a total mess.

I have no idea what the unauthorized access might be - has anyone else had this issue? Wondering if the AA/US account link process caused some issue that generated a new account. Also not sure if I need to call Citi and have them relink my AAdvantage credit cards to the new account number. Sort of a pain, all around, as I have to memorize a new account number and go through hoops to get outstanding things resolved.

Last edited by JDiver; Jan 21, 15 at 12:10 pm Reason: Preserve original post title
dll is offline  
Old Jan 10, 15, 11:33 am
Original Poster
Join Date: Jun 2001
Location: LAX
Programs: AA EX PLT; Hilton Diamond; UA Plat
Posts: 2,316
Originally Posted by JonNYC View Post
Very odd indeed! I'll see if anyone knows what this was and/or if other members will get the same (as in if it -was- a result of merge the other night.)

I agree-- I'd hate to lose my AAdv #. And then all that other stuff you'll have to rebuild-- that really is a pain!

BTW, you should delete your AAdv # that's in your post-- even if it's old!
Thank you! Caught the others but missed that one, and now fixed.
dll is offline  
Old Jan 10, 15, 12:01 pm
Original Poster
Join Date: Jun 2001
Location: LAX
Programs: AA EX PLT; Hilton Diamond; UA Plat
Posts: 2,316
Originally Posted by JonNYC View Post
Great, glad you edited it.

My first-glance, shoot-from-the-hip thought is that this was -not- related to the linking. Although the timing is awfully coincidental, obviously.

Here's the thing, historically, I've never heard of AA just changing AAdv #'s on a member-- even when the account has been compromised. Yes, many members might -opt- at that time for a new AAdv number, but that's not the historic standard protocol.
That's why it is catching me off guard. I've had no odd account activity or made or attempted to make any redemptions. Of course they likely know something I don't know. Still frustrating to have to rebuild and retrace everywhere that touches/references my AAdvantage number.
dll is offline  
Old Jan 10, 15, 12:34 pm
Join Date: Jan 2015
Posts: 2
I got exactly the same email today, and I also linked my US account # to AA two days ago.
pkj1205 is offline  
Old Jan 10, 15, 1:02 pm
Join Date: May 2001
Location: Fort Worth, TX US
Programs: AAdvantage
Posts: 179
My wife just got this same email and is on the phone with them now. She's had the same AAdv# since '91. She hasn't linked any other accounts to this one.

Somewhat disconcerting, as she had just put two trips on hold, and those and two paid reservations are now missing from the new account, as well as her upgrades.

UPDATE: Wife was told she'll have to contact AAdvantage on Monday for more info. Now she cannot log in under either her old or her new AA#.

Last edited by ziobacio; Jan 10, 15 at 1:18 pm
ziobacio is offline  
Old Jan 10, 15, 1:12 pm
Join Date: Jul 2010
Location: SFO
Programs: AA EXP
Posts: 5,271
Sounds like this could be the result of some recent, specific data breach -- e.g. somebody got hold of a known set of AAdvantage numbers from some source (but perhaps hasn't done anything with them yet), and AA is changing them out of an abundance of caution.
rjw242 is offline  
Old Jan 10, 15, 1:17 pm
Original Poster
Join Date: Jun 2001
Location: LAX
Programs: AA EX PLT; Hilton Diamond; UA Plat
Posts: 2,316
Originally Posted by ziobacio View Post
My wife just got this same email and is on the phone with them now. She's had the same AAdv# since '91. She hasn't linked any other accounts to this one.

Somewhat disconcerting, as she had just put two trips on hold, and those and two paid reservations are now missing from the new account, as well as her upgrades.
Oddly, I've had mine since '91 as well.

All of my data except credit card, companion info and 500-mile upgrades was ported over (including MM status and current mileage). But everything else that touches my account is broken and will have to be rebuilt/refreshed.
dll is offline  
Old Jan 10, 15, 1:27 pm
FlyerTalk Evangelist
Join Date: Jan 2001
Location: NYC
Programs: AA EXP / LT PLT / 3MM, Marriott LT Gold
Posts: 34,087
My business partner and I both linked a few days ago. Went smoothly in both cases and we are able to log into our accounts normally today.
vasantn is offline  
Old Jan 10, 15, 2:28 pm
Join Date: May 2001
Location: Fort Worth, TX US
Programs: AAdvantage
Posts: 179
Originally Posted by JonNYC View Post
To be clear, since it will help very much in eliminating possible source(s) of this; you wife did -not- do the link to US FF acct # thing that went up the other night?
Correct. Neither my wife nor I have a US Airways acct and did not do any linking to our AA acct. We've only flown US Airways once, about a year ago.

We're hoping that the rest of her info gets carried over, perhaps in overnight processing? Otherwise we were told to wait until Monday when AAdvantage offices are open. She can at least log into the new acct now -- her miles are there, although the reservation/hold info, upgrade balance, cc, companion info, are all missing.
ziobacio is offline  
Old Jan 10, 15, 2:39 pm
Join Date: May 2001
Location: Fort Worth, TX US
Programs: AAdvantage
Posts: 179
Another oddity to this security issue: the title of the email is "Duplicate Accounts Merged" yet the email itself says that there has been "unauthorized access" to the AA account, resulting in the issuance of a new acct number.
ziobacio is offline  
Old Jan 10, 15, 3:28 pm
Join Date: May 2000
Location: Houston, TX, USA
Programs: UA 1K, AA Lifetime Platinum, DL Platinum, Honors Diamond, Bonvoy Titanium, Hertz Platinum
Posts: 7,761
Originally Posted by JonNYC View Post
I agree-- that email subject title strikes me as a very odd choice under these circumstances.
I suspect the "duplicate accounts merged" refers to the two AAdvantage accounts (the old one and the new one created with the new number), and not the AAdvantage account and USAir account.

I further suspect that when they changed to the new AAdvantage account number, what they really did was create a new account with the same member details (name, address, phone, DOB, email, etc) then used the standard "merge duplicate accounts" feature to migrate the miles, lifetime miles, and other details from the old account into the new account and close the old account. This perhaps generates an automated message to the passenger, using standardized "Duplicate accounts merged" verbiage since that's what the function was originally designed for, customized with verbiage regarding the security issue.
Steve M is offline  
Old Jan 10, 15, 4:45 pm
Join Date: Jan 2010
Location: Stockholm, Sweden + Austin, Tx
Programs: "But, I'm a GLOBALIST guest...."
Posts: 2,840
Holy <poo poo>... this happened to me today as well... an hour or two ago.

Edit: won't let me link my US airway account cause its already been linked... none of my trips are showing up now... what a f'in mess.

Edit2: what a pain. had to call on the phone to have all my flights switched over as none of them showed up on my account. Apparently they were warned this morning that "some" accounts had been compromised.

Edit3: All my 500 mile upgrade stickers are gone.

Last edited by Microwave; Jan 12, 15 at 7:07 am Reason: Circumventing the naughty word detector is not permitted
austin_modern is offline  
Old Jan 10, 15, 5:56 pm
Join Date: Oct 2009
Location: Chicago
Programs: AAExP(3MM), HHDiamond, Priority Club Plat, Hyatt Plat, United Mileage Plus
Posts: 117
Just got the same email a few hours ago!

I got the same email a few hours ago as well! I did not do anything involving USAirways or anything at all for that matter. I also wonder if it is a security breach that they haven't announced. I have no idea if this is related, but earlier today when I logged in it said January 2015 would show my YTD 2014 activity - but it was all zeroed out. Thought that was strange.

I have not called anyone at AA yet, but I was getting ready to book a couple of trips so probably should. If I hear any additional info that has not been posted by then, I will share.

Was also wondering if it was a legit email or a bogus one. However it stated my mileage balance in the email and that was accurate, for what it is worth.
chicago_guy is offline  
Old Jan 10, 15, 7:15 pm
Join Date: Nov 2009
Posts: 204
UGH! Did absolutely nothing as far as merged accounts. All stickers and future travel is gone. What a pain...
artyam is offline  
Old Jan 10, 15, 7:17 pm
Join Date: Mar 2011
Location: San Antonio, Texas
Programs: AA P-Pro, Chase SP, SPG Gold
Posts: 556
Originally Posted by JonNYC View Post
I'd suggest that at this point, that's pretty much a given
This really sucks for those affected.

I just went and made screenshots of my account details just in case...mileage and record locators pages.
onesocalkid is offline  

Thread Tools
Search this Thread