Last edit by: Prospero
This thread is dedicated to issues around American Airlines AAdvantage accounts being invaded, taken over or compromised resulting in theft of awards, miles, upgrades and other instruments - and related issues.
For issues about account freezes or closures, airline accusations of fraud against the AAdvantage program and the like please see: Account audit / fraud: award / miles / SWU / VIP sale, barter, etc (consolidated).
If you find your account has been breached or have unexplained activity such as awards you did not arrange, contact AA immediately to protect and gain control over your account and to be made whole.
To help protect your account, be sure
- Have a strong, protected and secure password
- Check your account periodically
- Be aware and keep track of your transactions
- Control or destroy documents such as boarding passes
- Use antivirus software - if your personal computer is hacked they can gain control of your AA account
- Be very wary of logging into your account on public computers, like at internet cafés or the hotel business center, where keystroke loggers could be installed
If your email information is correct in aa.com, changes to your account should be sent to you as follows (even if someone changes your email address, though it's of no help if someone pirates your email account):
Dear JDiver,
Thanks for visiting AA.com. This email confirms that your account has been updated as follows.
Your contact information has been updated, but is not included in this e-mail for the security of your account.
If you did not change your contact information or if you have any concerns about your account, please contact aa.com Web Services.
If you have unsubscribed to one of our email products, we will remove your address from our mailing list as soon as possible. Please be aware that you may continue to receive emails for up to 10 business days.
If you have subscribed to AA email products and are not receiving them, your Internet Service Provider (ISP) may use filters to prevent unwanted emails from reaching your inbox. Sometimes, these filters also block messages you want to receive. In most cases, adding us to your list of trusted senders will solve this issue. In AOL, select "Add Address"; in Yahoo! Mail, Outlook or Outlook Express select "Add To Address Book"; or Hotmail or MSN, select "Save Address(es)". If you need further assistance, contact your ISP's technical support department and ask how to "whitelist" emails from AA.
AA.com
American Airlines
Account fraud / breach: my account compromised, awards taken, etc.
#646
Join Date: Dec 2009
Location: Los Angeles & Telluride
Programs: UA 1K, 1MM, AA Exec. Platinum, Global Entry, Nexus
Posts: 731
I wish I knew. I don't have easy passwords, but I also don't have 32 character passwords. I use 1Password. And generally it does the job. Waiting for Passkeys to take over. That will be a game changer.
#647
Join Date: Jun 2002
Location: SFO/JFK/MGA
Programs: UA 1P MM, AA-PP, AS, DL, HH G, SPG Gold, TA nada
Posts: 2,043
Same question for both of you: do you know or think you know how the bad guys got access to the accounts? Did you follow standard best practice and have a long, randomly generated/complex password that is not used for any other login/account anywhere else?
I am not asking to shift blame - it would be valuable for the community to understand what ways the bad guys use to breach accounts, and perhaps useful to you to understand how to prevent this from happening again or elsewhere.
#648
Join Date: Aug 2004
Programs: AA (EP), Hilton (Diamond), Marriott Bonvoy (Titanium)
Posts: 8,937
My understanding is that it's pretty rare these days for commercial attackers to brute-force a password or even hack accounts one by one. Too much work, only done for especially high-value targets. Of course use a strong, random password, just because someone (an ex, a pissed-off colleague, a rando from an online forum) might try to hack your account for personal reasons. It's especially important to use a password manager such as 1Password so that you never reuse a password. Speaking generally (not AA-specific), most account takeovers stem from credential breaches where vast numbers of email address and password combinations are obtained. (There's a thriving and diverse capitalistic economy for such thefts, where some people specialize in malware that penetrates systems, others rent these tools to create botnets, others rent the botnets to penetrate sites and extract data, others buy the data to take over accounts, others buy taken over accounts to extract miles, points, etc., others sell those miles/points through supposed discount air, hotel, car sites, etc.)
Standard two-factor authentication via SMS or email is pretty weak. Both can be intercepted by attackers. It's also very annoying, as people may not have immediate access to either, for various reasons. Time-based one-time passwords (TOTP) is a better approach, as it's widely supported by apps on mobile devices and applications on laptops and desktops (e.g., 1Password supports it).
At a minimum, AA should disallow logging in with one's AAdvantage number after creating a login ID. The whole point of a login ID is that it's a secret, unlike AAdvantage numbers. AA allows creating login IDs, but stupidly continues allowing logging in with the AAdvantage number even after creating a login ID.
Making login IDs required for logging in once created, and using TOTP would significantly reduce account takeovers.
Last edited by anabolism; Mar 26, 2024 at 4:53 pm Reason: fix typo ("its" instead of "it's")
#649
Join Date: Aug 2004
Programs: AA (EP), Hilton (Diamond), Marriott Bonvoy (Titanium)
Posts: 8,937
Interesting that they insisted on that, because even with a login ID, anyone can still log in to your account with your AAdvantage number. That's such a stupid move on AA's part.
#650
Join Date: Nov 2007
Location: Los Angeles
Programs: AA LT Gold
Posts: 3,646
This thread reminded me of checking my miles and changing my password.
And then I remembered I only have 5000+ miles. So I didn't bother. Lol.
The best standard practice to me is NOT to sit on half a million miles waiting for the fabled F award on Qatar.
So my best standard practice is to not accumulate miles and use them ASAP. Even if at a crappy redemption value.
#651
Join Date: Aug 2004
Programs: AA (EP), Hilton (Diamond), Marriott Bonvoy (Titanium)
Posts: 8,937
Because of the email flood technique, I created a rule (filter) for my email that checks for email to my AA email address where the subject contains "password" or "email" or "changed" and pops up alerts with sound. That way, any such email will be automatically detected despite a flood of irrelevant emails.
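One way to implement the kind of filter described in that post, as an added example that is not from the original poster: it parses a constructed sample inbox with Python's standard library and flags only messages addressed to the protected mailbox whose subject contains one of the poster's keywords, so a flood of unrelated mail does not bury them. The protected address and the sample messages are assumptions made for the example.

```python
import email
from email import policy
from email.utils import getaddresses

# Address used only for the loyalty account (assumed; the poster's "AA email address").
PROTECTED_ADDRESS = "me+aa@example.com"
# Subject keywords from the poster's rule, matched case-insensitively.
ALERT_KEYWORDS = ("password", "email", "changed")

# Constructed sample inbox: junk and unrelated alerts around the notices that matter.
SAMPLE_INBOX = [
    "From: news@shop.example\nTo: me+aa@example.com\nSubject: Weekend deals!\n\n...",
    "From: noreply@airline.example\nTo: me+aa@example.com\n"
    "Subject: Your account has been updated\n\n...",
    "From: noreply@airline.example\nTo: me+aa@example.com\n"
    "Subject: Your email address was changed\n\n...",
    "From: alerts@bank.example\nTo: other@example.com\nSubject: Password reset request\n\n...",
    "From: helpdesk@shop.example\nTo: Me <me+aa@example.com>, cc@example.com\n"
    "Subject: Re: PASSWORD reset\n\n...",
]


def is_account_alert(raw_message, protected=PROTECTED_ADDRESS, keywords=ALERT_KEYWORDS):
    """True if the message is addressed to the protected mailbox and its
    subject contains one of the alert keywords (case-insensitive)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Unfold To/Cc headers into bare addresses; flood mail sent to some
    # other alias on the same account is ignored.
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(fields)}
    if protected.lower() not in recipients:
        return False
    subject = str(msg["Subject"] or "").lower()
    return any(keyword in subject for keyword in keywords)


def find_account_alerts(raw_messages):
    """Return the subjects of the messages that should raise an alert, in inbox order."""
    return [str(email.message_from_string(m, policy=policy.default)["Subject"])
            for m in raw_messages if is_account_alert(m)]


if __name__ == "__main__":
    for subject in find_account_alerts(SAMPLE_INBOX):
        print("ALERT:", subject)
```

Note that the airline confirmation quoted at the top of the thread says the account "has been updated", which this keyword list does not match; extend ALERT_KEYWORDS with the wording of the notices you actually receive.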
#652
Join Date: Aug 2004
Programs: AA (EP), Hilton (Diamond), Marriott Bonvoy (Titanium)
Posts: 8,937
That really sucks.
This is causing you immediate harm, so I'd suggest trying to fix this. Perhaps call the AA security department at (866) 415-5363. You could also try sending a Twitter Direct Message (not a public tweet) to AA (@AmericanAir), listing both your old and new account numbers, and asking if they can expedite the transfer of status from your old to your new.
Ask the Twitter DM team to help with this as well. They should be able to retrieve it.
As others have suggested, you may be able to file the report online, and get a copy of it shortly afterward. Others have posted that you can also file an online Internet Crime Complaint Center report at https://www.ic3.gov/
#653
Join Date: Mar 2008
Posts: 1,536
My understanding is that it's pretty rare these days for commercial attackers to brute-force a password or even hack accounts one by one. Too much work, only done for especially high-value targets. Of course use a strong, random password, just because someone (an ex, a pissed-off colleague, a rando from an online forum) might try to hack your account for personal reasons. It's especially important to use a password manager such as 1Password so that you never reuse a password. Speaking generally (not AA-specific), most account takeovers stem from credential breaches where vast numbers of email address and password combinations are obtained. (There's a thriving and diverse capitalistic economy for such thefts, where some people specialize in malware that penetrates systems, others rent these tools to create botnets, others rent the botnets to penetrate sites and extract data, others buy the data to take over accounts, others buy taken over accounts to extract miles, points, etc., others sell those miles/points through supposed discount air, hotel, car sites, etc.)
Standard two-factor authentication via SMS or email is pretty weak. Both can be intercepted by attackers. It's also very annoying, as people may not have immediate access to either, for various reasons. Time-based one-time passwords (TOTP) is a better approach, as it's widely supported by apps on mobile devices and applications on laptops and desktops (e.g., 1Password supports it).
At a minimum, AA should disallow logging in with one's AAdvantage number after creating a login ID. The whole point of a login ID is that it's a secret, unlike AAdvantage numbers. AA allows creating login IDs, but stupidly continues allowing logging in with the AAdvantage number even after creating a login ID.
Making login IDs required for logging in once created, and using TOTP would significantly reduce account takeovers.