
Account fraud / breach: my account compromised, awards taken, etc.

Old Aug 22, 2015, 2:16 pm
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: Prospero
This thread is dedicated to issues around American Airlines AAdvantage accounts being invaded, taken over or compromised resulting in theft of awards, miles, upgrades and other instruments - and related issues.

For issues about account freezes or closures, airline accusations of fraud against the AAdvantage program and the like please see: Account audit / fraud: award / miles / SWU / VIP sale, barter, etc (consolidated).

If you find your account has been breached or have unexplained activity such as awards you did not arrange, contact AA immediately to protect and gain control over your account and to be made whole.

To help protect your account, be sure to:
  • have a strong, protected and secure password
  • check your account periodically
  • be aware and keep track of your transactions
  • control or destroy documents such as boarding passes
  • use antivirus software - if your personal computer is hacked they can gain control of your AA account
  • be very wary of logging into your account on public computers, like at internet cafés or the hotel business center, where keystroke loggers could be installed

If your email information is correct in aa.com, changes to your account should be sent to you as follows (even if someone changes your email address, though it's of no help if someone pirates your email account):

Dear JDiver,

Thanks for visiting AA.com. This email confirms that your account has been updated as follows.

Your contact information has been updated, but is not included in this e-mail for the security of your account.

If you did not change your contact information or if you have any concerns about your account, please contact aa.com Web Services.

If you have unsubscribed to one of our email products, we will remove your address from our mailing list as soon as possible. Please be aware that you may continue to receive emails for up to 10 business days.

If you have subscribed to AA email products and are not receiving them, your Internet Service Provider (ISP) may use filters to prevent unwanted emails from reaching your inbox. Sometimes, these filters also block messages you want to receive. In most cases, adding us to your list of trusted senders will solve this issue. In AOL, select "Add Address"; in Yahoo! Mail, Outlook or Outlook Express select "Add To Address Book"; or Hotmail or MSN, select "Save Address(es)". If you need further assistance, contact your ISP's technical support department and ask how to "whitelist" emails from AA.

AA.com
American Airlines
Old May 31, 2023, 4:04 pm
  #586  
 
Join Date: May 2006
Location: SAN
Programs: Lots of faux metal
Posts: 6,425
Originally Posted by Bonehead
Got instructions on the steps I need to take to get the miles back. Already filed the required police report. AA calculated that the stolen miles were worth almost $11k.

Quite an interesting list of folks in whose names the miles were redeemed. Googling them turns up real people...I'm sure the hacker put out ads selling cheap AA tickets and these folks responded.
$11k?!? 3 cents per mile seems a little...inflated.
skunker is offline  
Old May 31, 2023, 4:29 pm
  #587  
 
Join Date: Mar 2017
Location: British Columbia
Programs: AS MVPG100K, Marriott Marriott Titanium Elite, Hilton Gold
Posts: 7,263
Originally Posted by skunker
$11k?!? 3 cents per mile seems a little...inflated.
The unbonused cost to purchase AA miles is 3.5 cents per mile, plus taxes.

360,000 × .035 = $12,600 + taxes = $12,600 + $945 = $13,545

James
Majuki, Antarius and robertablake like this.
Flying for Fun is online now  
Old Jul 13, 2023, 9:02 pm
  #588  
 
Join Date: Oct 2004
Location: DFW
Posts: 8,036
Account locked - password compromised, new number?

The other day I received an email that the email address associated with my AAdvantage account was changed (to something very close to my email). I didn’t make that change. Immediately logged in and changed my email back, new password and security questions. Called in and the agent could see that there was a change and asked if I wanted a new AAdvantage number, I said no. Everything fine the last few days, was even able to make some award bookings.

Just tried to log in and my account is locked - they said the password was compromised. Waiting for a call back tomorrow. Rep on the EP line who I just spoke to said they’ll probably have to create a new account and “transfer everything over.”

I have 0 trust for AA’s IT systems and am flying international Saturday and then forward on a OW flight Tuesday. Has anyone been through this before? Wondering what to look out for or press AA on to make sure nothing royally screws up.
thelark is offline  
Old Jul 14, 2023, 3:57 am
  #589  
 
Join Date: Nov 2002
Location: Boston, MA
Programs: AA EXP, B6 Mosaic, UA Plat, Bonvoy Plat, Hyatt Globalist
Posts: 1,777
Yes, this happened to me a few months ago, and to the rest of my family. One day I couldn't log in to any of the accounts, getting a message to call customer service. They said there had been a breach, and their response to this is to create a new account, move all your miles to it along with your history, and have you start using this new account. There is one "gotcha" though; if you are enrolled in the "Instant Status Pass" promotion, this doesn't work so you need to keep 2 parallel accounts until you're done with it. Your miles accrue in your original account, but it is locked for redemption, and you can redeem from the new account. This means calling to get miles transferred over for redemption until the Instant Status Pass period is over (for me November 30) and the accounts can be fully merged. Other than that we've had no issues; miles and status both transferred to the new account for my wife, who is Gold.
thelark and Antarius like this.
MikeBOS is offline  
Old Jul 16, 2023, 1:04 am
  #590  
 
Join Date: Mar 2013
Posts: 18
Tried to log in via the AA app (was automatically logged out) and the AA website today and see a login error telling me to call customer service. AAdvantage Customer Service isn't open until Monday morning, and any AA number I call (Platinum Pro line, General reservations) automatically redirects me to the Customer Service line; I'm guessing it's because they have my phone number on file, and there's some sort of flag on my number now? I was hoping someone on the phone could confirm if my account was locked/hacked at the very least...
  1. I assume I shouldn't really try to book any new flights or use AA shopping until I get this resolved, since I'll likely be issued a new number?
  2. Also anyone with experience know how long it'll take once I have a new account to have my miles and status transferred over? I don't have any current flights booked but ideally need to be booking flights this week for upcoming travel for the beginning of next month, and some of these bookings may be award flights, use of a flight credit, and possible use of a SWU.
  3. I didn't receive any emails about my email being changed, spam emails in general, or any miles being used, but I assume there was a breach because I do have a bad compromised password that I had been meaning to change...AA's website had warned me before, and yes I know I'm dumb for not heeding it immediately. Is this login error the standard for a breach, or should I be worried that I somehow broke something in their T&C and my account has been locked due to that? This is me probably being paranoid, but the lack of any indication that I was hacked has me worried? I don't think there's anything that I've done that would warrant corp sec looking at my account (don't churn ccs, not using miles for others, not skiplagging, etc), unless standing by/SDC for later flights or cancelling flights for flight credit to rebook is somehow not above board.
greenmustard is offline  
Old Jul 16, 2023, 1:11 am
  #591  
FlyerTalk Evangelist
 
Join Date: Nov 2009
Location: Northeast Kansas | Colorado Native
Programs: Amex Gold/Plat, UA *G, Hyatt Globalist, Marriott LT Gold, NEXUS, TSA Disparager Unobtanium
Posts: 21,606
Just posting my experience. In late June, I woke up to two emails from AAdv. thanking me for two redemptions. I hadn't redeemed any AA miles in quite a while, so I immediately got on the phone with AA who said two pax were booked LGA-RDU-BNA the same day. I'd never heard of either party, so the flights were, obviously, fraudulently booked. I later learned the folks were pulled off at RDU by the Airport PD and AA Managers and made to buy their own tickets onward to BNA. They also claimed to have paid somebody $400~ via Apple Pay for the tickets.

AA required a police report which I turned in about a week ago. When I checked this evening, I found my miles returned to my account. I don't keep nearly as many as I used to when I was EXP, but it wasn't too bad of a process. I did end up updating passwords for all of my loyalty accounts with stronger, randomly generated passwords to hopefully prevent this from happening again. In terms of my AA #, I've had it since 1994, so I obviously was upset when they told me the number would have to change. I was able to get AA to keep my number the same in exchange for them saying they wouldn't be responsible for refunding miles if this happened again and I didn't catch it. Since I don't fly AA much, I felt this to be an acceptable trade off to me. If I still had a huge number of miles/AA was my primary carrier, then I would've gone ahead with the change.
ExpatExp likes this.
FriendlySkies is offline  
Old Jul 16, 2023, 10:57 am
  #592  
 
Join Date: Jan 2011
Location: Washington, D.C.
Programs: AA, but I play the field
Posts: 1,440
Originally Posted by FriendlySkies
Just posting my experience. In late June, I woke up to two emails from AAdv. thanking me for two redemptions. I hadn't redeemed any AA miles in quite a while, so I immediately got on the phone with AA who said two pax were booked LGA-RDU-BNA the same day. I'd never heard of either party, so the flights were, obviously, fraudulently booked. I later learned the folks were pulled off at RDU by the Airport PD and AA Managers and made to buy their own tickets onward to BNA. They also claimed to have paid somebody $400~ via Apple Pay for the tickets.
Very sorry to hear this, but glad it was resolved in an acceptable manner. Thanks for reminding us that the award account thieves remain active . . .
robertablake likes this.
ZenFlyer is offline  
Old Jul 19, 2023, 4:55 am
  #593  
 
Join Date: Nov 2002
Location: Boston, MA
Programs: AA EXP, B6 Mosaic, UA Plat, Bonvoy Plat, Hyatt Globalist
Posts: 1,777
Originally Posted by greenmustard
  1. I assume I shouldn't really try to book any new flights or use AA shopping until I get this resolved, since I'll likely be issued a new number?
  2. Also anyone with experience know how long it'll take once I have a new account to have my miles and status transferred over? I don't have any current flights booked but ideally need to be booking flights this week for upcoming travel for the beginning of next month, and some of these bookings may be award flights, use of a flight credit, and possible use of a SWU.
I think you'd be OK booking flights now but easy enough to get it resolved first so that's probably what you should do. When this happened to me they created the new account and transferred everything over while I was on the phone, so it was very fast. I did have to wait about 20 mins to get connected to the security people who handled it.
MikeBOS is offline  
Old Jul 19, 2023, 5:30 am
  #594  
 
Join Date: Aug 2004
Programs: AA (EP), Hilton (Diamond), Marriott Bonvoy (Titanium)
Posts: 8,937
Originally Posted by greenmustard
Tried to log in via the AA app (was automatically logged out) and the AA website today and see a login error telling me to call customer service. AAdvantage Customer Service isn't open until Monday morning, and any AA number I call (Platinum Pro line, General reservations) automatically redirects me to the Customer Service line; I'm guessing it's because they have my phone number on file, and there's some sort of flag on my number now? I was hoping someone on the phone could confirm if my account was locked/hacked at the very least...
  1. I assume I shouldn't really try to book any new flights or use AA shopping until I get this resolved, since I'll likely be issued a new number?
  2. Also anyone with experience know how long it'll take once I have a new account to have my miles and status transferred over? I don't have any current flights booked but ideally need to be booking flights this week for upcoming travel for the beginning of next month, and some of these bookings may be award flights, use of a flight credit, and possible use of a SWU.
  3. I didn't receive any emails about my email being changed, spam emails in general, or any miles being used, but I assume there was a breach because I do have a bad compromised password that I had been meaning to change...AA's website had warned me before, and yes I know I'm dumb for not heeding it immediately. Is this login error the standard for a breach, or should I be worried that I somehow broke something in their T&C and my account has been locked due to that? This is me probably being paranoid, but the lack of any indication that I was hacked has me worried? I don't think there's anything that I've done that would warrant corp sec looking at my account (don't churn ccs, not using miles for others, not skiplagging, etc), unless standing by/SDC for later flights or cancelling flights for flight credit to rebook is somehow not above board.
  1. You can earn miles in your old account, they will be transferred to the new account once that's set up.
  2. The new account should be set up the same day you call. I don't know if AA security is able to transfer your SWUs to it, or if they need to get AAdvantage Customer Service to do it, but either way it should be quick.
  3. You should have received email when the miles were redeemed or if your email was changed. If those emails weren't sent, that points to a problem in AA's systems. As for your concerns about AA's security group targeting you, I think in cases like this they do want to try and determine that you were hacked as opposed to you selling your miles and then claiming to be hacked. Usually a police report is all they need.
anabolism is offline  
Old Jul 19, 2023, 5:33 am
  #595  
 
Join Date: Aug 2004
Programs: AA (EP), Hilton (Diamond), Marriott Bonvoy (Titanium)
Posts: 8,937
Originally Posted by FriendlySkies
Just posting my experience. In late June, I woke up to two emails from AAdv. thanking me for two redemptions. I hadn't redeemed any AA miles in quite a while, so I immediately got on the phone with AA who said two pax were booked LGA-RDU-BNA the same day. I'd never heard of either party, so the flights were, obviously, fraudulently booked. I later learned the folks were pulled off at RDU by the Airport PD and AA Managers and made to buy their own tickets onward to BNA. They also claimed to have paid somebody $400~ via Apple Pay for the tickets.

AA required a police report which I turned in about a week ago. When I checked this evening, I found my miles returned to my account. I don't keep nearly as many as I used to when I was EXP, but it wasn't too bad of a process. I did end up updating passwords for all of my loyalty accounts with stronger, randomly generated passwords to hopefully prevent this from happening again. In terms of my AA #, I've had it since 1994, so I obviously was upset when they told me the number would have to change. I was able to get AA to keep my number the same in exchange for them saying they wouldn't be responsible for refunding miles if this happened again and I didn't catch it. Since I don't fly AA much, I felt this to be an acceptable trade off to me. If I still had a huge number of miles/AA was my primary carrier, then I would've gone ahead with the change.
Glad you got to keep your long-term account number! I'm not sure why they are so insistent on changing account numbers. They should have an option of requiring logging in with a user ID rather than an email address (you can set a user ID and use it to log in, but it still allows logging in with the email address).
anabolism is offline  
Old Jul 19, 2023, 1:23 pm
  #596  
FlyerTalk Evangelist
 
Join Date: Nov 2009
Location: Northeast Kansas | Colorado Native
Programs: Amex Gold/Plat, UA *G, Hyatt Globalist, Marriott LT Gold, NEXUS, TSA Disparager Unobtanium
Posts: 21,606
Originally Posted by anabolism
Glad you got to keep your long-term account number! I'm not sure why they are so insistent on changing account numbers. They should have an option of requiring logging in with a user ID rather than an email address (you can set a user ID and use it to log in, but it still allows logging in with the email address).
Agreed. I would certainly like to see 2FA as an option for more companies these days and getting rid of some of the ridiculously easy ways to reset a password if you "forget" it.
Global321 and GNRMatt like this.
FriendlySkies is offline  
Old Sep 9, 2023, 2:58 am
  #597  
 
Join Date: Dec 2015
Programs: UA Mileage Plus
Posts: 300
Miles stolen

Just found out that I had about 20k miles stolen for fraudulent award bookings made a few days ago, and called customer service today.

They said they locked my account and that I should expect AA security to call me on Monday. Fortunately the password used was something I only used on AA.

Anything I should do over the weekend?
How soon can I expect to get the miles back?
azfanboy is offline  
Old Nov 22, 2023, 12:24 pm
  #598  
 
Join Date: Apr 2020
Posts: 256
Am on a cruise with poor Wi-Fi but started getting absolutely spammed with newsletter subscriptions so I said out loud “they’re hacking either my AA or Ticketmaster account”.

They do the mass subscribing to hide the emails, but I caught the AA password change one, changed it back, called AA and the executive platinum desk answered on one ring and connected me to security in 3 minutes.

15 minutes later had a new AAdvantage account number.

Flying out Sunday and hoping I’ll have my EP status for that flight.
ZenFlyer likes this.
AB Dada is offline  
Old Jan 12, 2024, 1:15 pm
  #599  
 
Join Date: Oct 2022
Location: GSP
Programs: AA EXP
Posts: 221
AAdvantage miles stolen/fraud - info that may be helpful and my story

For anyone who has had their AAdvantage miles fraudulently stolen or used, the direct number to the AAdvantage account security department is 1-866-415-5363. They were extremely helpful. Hopefully this story will help you to understand how the fraud resolution process works. I will update this post as things move further along.

I woke this morning and was getting ready to head out to work. I checked my personal e-mail account and I had about 150 e-mails sent to me between about 4:45 and 5:15 AM local time. These were all online shops and vendors and I had been put on their promotional e-mail lists. They were from all over the world (Israel, New Zealand, Australia, Spain, USA, you name it). Some were addressed to a random name (Amber, Phil, Julia, Ron, etc.). They were all legitimate, with unsubscribe links. I at first figured that my Barclays card had been used by Mrs. Rossodio somewhere online that dumped the associated e-mail address onto a bunch of e-mail list services. However, buried in the middle of the e-mails were the following:
1) An e-mail from the car rental vendor that AAdvantage car rentals uses confirming a rental under someone's name who I do not know for a 3 month rental for a Jeep Grand Cherokee with an associated 330,000 AAdvantage mile cost to my account at Salt Lake City airport to be picked up at 7AM local time/9AM EST. I have never been to Salt Lake City and know no one anywhere near there.
2) A second e-mail from AA confirming the redemption with similar information - the person's name on the rental, a confirmation code, etc.
3) A third e-mail that was a verification code to unlock my AA account.

None of the e-mails had been opened yet and there were no login attempts to my e-mail account overnight. This was apparently a straight up attempt to burn my miles to get a car for 3 months. After speaking with the fraud department at AAdvantage it seems that they occasionally see fraudsters use techniques like this - blasting e-mail lists at people to have the AA e-mails get buried so they don't notice them.

I first immediately changed my AAdvantage account password. I then checked all of my bank/credit card/Venmo/etc. accounts to make sure no suspicious activity; thankfully none. I next called the number in the car rental e-mail to try to head off the rental. Unable to cancel on the website since the rental was less than 24 hours away but I did also send a message through the website marked urgent in order to keep the rental from happening. I also called Payless - the rental car company as opposed to the AAdvantage car rentals vendor - to do the same and they contacted the manager and security at the Salt Lake City location which no one else seemed to be able to do. I am still not sure if the rental was prevented, as it was scheduled for 7AM mountain time which is exactly when the AA fraud department opens and when the rental folks got called.

After doing the above I then contacted AAdvantage customer service who transferred me to the fraud department. I got the direct number noted above. The fraud department said that they should be able to get my miles back and went through a process of securing my account. Here is what happens if you have to go through the process:
1) They freeze your AAdvantage account.
2) They make a new account and AAdvantage number for you and transfer all of the remaining miles from your old account into the new one. There are additional requirements for the new account - the account name for example cannot contain any part of your name or other personal information. It also must be registered to a different e-mail address than your prior account. Most of your information transfers to the new account such as known traveler number, but some you have to add yourself including the security questions and your passport number. Loyalty points and status do not transfer immediately but "should within 24 hours" on which I am still waiting. Flight credits do not transfer but can still be used. Companion certificates I am not sure about and plan to ask in the coming days.
3) They state that the miles that were stolen would be reinstated at some point in the next 30 days. Still waiting on this. Thankfully no plans to redeem miles within that window.

I did ask questions regarding whether my new AAdvantage number would transfer over to various accounts automatically. The Barclays Aviator card will have the number changed automatically. AAdvantage eShopping you have to re-register with your new account (unclear if they can pull information from the old account including old activity and the 20% bonus as a loyalty point award but I am working to find that out). AAdvantage dining you have to call customer service. I have a VIP account with them and hopefully can get this transferred over - also still pending but will update here once I find out for sure. Avis President's Club benefit as a loyalty point award I am not sure about but will be contacting Avis to get that sorted and will update here once I know.

One other thing I thought of was that I had booked a miles redemption for a flight in March with my family; I did notify the fraud department that that booking was legitimate. She made it sound as if I had not told her, it may have been marked as fraudulent - I wonder if it would have been canceled and need to be rebooked, if even still available, and possibly at a higher cost. I am very interested to see if my status benefits transfer over to that booking since my FF number will be changing on it.

Again I will update once I see more things come through in terms of reinstatement of miles and the questions I had above.



Update: I received this e-mail from the security department to my new e-mail associated with the second AAdvantage account:
American Airlines AAdvantage Account Security - Police Report Request (XXXX12345XXXX)

Hello xxxx,

****** Please reply to this message, follow directions and do not change
the subject line so we receive your information within the allotted time
frame******


Thank you for contacting AAdvantage® Customer Service regarding the
unauthorized access to your AAdvantage® account. American Airlines®
takes claims of identity theft very seriously, and we investigate each
matter thoroughly to ensure no AAdvantage® policies were violated.

Award disputes reported within 3 months of redemption will be submitted
for investigation, and must include a completed identity theft police
report that you have filed with your local police department. The police
report must include the following:

Date of transaction: 1/xx/2024
Name(s) of suspect(s)/passenger(s): xxxx xxxx
Amount of miles disputed: 330,200
Total value of the miles disputed: $9,741

We must have the completed report. Report numbers will not be accepted,
and American Airlines® cannot request reports on your behalf. We will
need all documents to be submitted to our offices within 30 days from
today. Please reply to this email with your completed police report. The
attachment should not be a web link but rather a PDF file or a
screenshot.

We appreciate your efforts to safeguard the integrity of the AAdvantage®
Program. We look forward to hearing from you.

Thank you for being one of our AAdvantage Executive Platinum® members.

Have a great day!

Regards,

xxxx xxxx
AAdvantage® Customer Service
American Airlines®

[email protected] <[email protected]> Fri, Jan 12, 2024 at 2:38 PM
Reply-To: [email protected]
To: [email protected]
vasantn, JJeffrey, EricH and 10 others like this.

Last edited by Rossodio; Jan 12, 2024 at 7:03 pm
Rossodio is offline  
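
Added example, not part of the thread or any poster's code: posts #598 and #599 describe account-change and redemption e-mails being buried under a flood of newsletter sign-ups, and the Python sketch below finds such a flood in a mailbox listing and surfaces the account-security messages that arrived inside it. The sender addresses, subject patterns, thresholds and sample mailbox are all constructed assumptions to be tuned to your own providers.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple

class Msg(NamedTuple):
    received: datetime
    sender: str
    subject: str

# Assumed subject patterns for account-security mail (not taken from any provider).
ALERT_RE = re.compile(
    r"password|verification code|contact information|redemption|"
    r"reservation|account (has been )?updated", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def find_bursts(msgs, window=timedelta(minutes=30), min_msgs=20, min_domains=15):
    """Return merged (start, end) spans in which at least `min_msgs` messages
    from at least `min_domains` distinct sender domains arrived within `window`."""
    msgs = sorted(msgs)
    spans, lo = [], 0
    for hi, m in enumerate(msgs):
        # Slide the left edge so msgs[lo..hi] fits inside one window.
        while m.received - msgs[lo].received > window:
            lo += 1
        chunk = msgs[lo:hi + 1]
        if len(chunk) >= min_msgs and len({domain(c.sender) for c in chunk}) >= min_domains:
            start, end = chunk[0].received, m.received
            if spans and start <= spans[-1][1]:
                spans[-1] = (spans[-1][0], end)   # extend the current burst
            else:
                spans.append((start, end))
    return spans

def buried_alerts(msgs, **thresholds):
    """Account-security messages whose arrival time falls inside a burst span."""
    spans = find_bursts(msgs, **thresholds)
    return [m for m in sorted(msgs)
            if ALERT_RE.search(m.subject)
            and any(s <= m.received <= e for s, e in spans)]

def sample_mailbox():
    """Constructed mailbox: 40 sign-up mails in 30 minutes with 3 alerts inside."""
    t0 = datetime(2024, 1, 12, 4, 45)
    box = [Msg(t0 + timedelta(seconds=45 * i), f"news@shop{i}.example",
               f"Welcome to our newsletter #{i}") for i in range(40)]
    box += [
        Msg(t0 + timedelta(minutes=11), "noreply@rental-vendor.example",
            "Your car reservation is confirmed"),
        Msg(t0 + timedelta(minutes=12), "noreply@airline.example",
            "Your miles redemption confirmation"),
        Msg(t0 + timedelta(minutes=13), "noreply@airline.example",
            "Your verification code"),
        # An ordinary alert hours later is outside the burst and is not reported.
        Msg(t0 + timedelta(hours=9), "noreply@airline.example",
            "Your password was changed"),
    ]
    return box

if __name__ == "__main__":
    for m in buried_alerts(sample_mailbox()):
        print(m.received.isoformat(), m.sender, m.subject)
```
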
Old Jan 12, 2024, 1:21 pm
  #600  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,857
Any thoughts on how they got access to your account in the first place? Did you use a guessable password, or one used for another account?
notquiteaff is online now  

