
27 Mar: Large numbers of BAEC accounts being Locked/Zeroed Out/in Audit ('Ex-gratia')

Old Mar 27, 2015, 9:09 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: corporate-wage-slave
If you are new to this thread, please read this wiki before posting a question.
It's here to summarise what we know so far. It will save you the trouble of skim-reading the whole thread and should only take a minute to read. Thanks!

The very short version is:
If all your BA Avios have vanished, don't panic. They have probably been temporarily frozen by BA, not stolen by hackers.


British Airways have issued an FAQ on the issue:
http://www.britishairways.com/travel...s?p_faqid=5249

Starting on 27 March 2015, a very large number of people have found that their Avios balance has been reset to zero. Their list of transactions shows an "Ex-Gratia" deduction of their entire previous balance. Other people are also reporting they are unable to access their accounts at all, with their BAEC number not being recognised.

As of 17 hrs BST 30 March 2015, some members of FT have seen their Avios returned, as an equal Ex-Gratia credit to their account.

BAEC call centre staff do not seem to have received a thorough briefing and are giving at times contradictory information. However, an email has gone out to some, not all, BAEC members affected by this issue, with the subject "Executive Club Password Change", details here in post 181. At present there is no definitive information about the exact cause, but it's clear that BA believes there has been a serious security breach (or that there was a serious risk of such a breach).

Can I fix it myself?
Not at this stage. Early posts described a two-part process, but that no longer works, perhaps because there were too many cases. It will be necessary to reset your password if you are affected. After that you can log in to your account, but at the moment those affected will still see zero Avios. Tier Points are unaffected by this incident.

Do I need to reset my password?
If you can't get into BA.com then yes. There seem to be two ways to do this:
1) If you received the email in post 181 above, follow the link to generate a new password. Note that you should double-check that it is exactly the same email as the one shown in that post. The email has a facility, top right, to view it in a browser; that version is hosted by ed4.net.
2) On the front page of BA.com -- when not logged in -- there is a "Forgotten PIN/Password" option. This should send an email to your registered account and from there you can reset your password.
There are, however, many reports of option 2 not working, although it is working for some BAEC members on some occasions. As always, check your spam box. If you can't get it to work, you can telephone the call centre (service centre) and after asking additional questions to verify identity, they can generate the email too.

I haven't received the email but I have been locked out / zero'd, what should I do?
Try to reset your password as above, and you could ring BA to find out if you need to take additional action. However the chances are that at the moment you will need to wait at least a few days until the situation becomes clearer.

I haven't been blocked, do I need to do anything?
No. But if you are worried you can reset your password inside BAEC: go to My Executive Club / Manage My Account / Update My Personal Information / Login Details. However, with so many BAEC members inhibited in making bookings at the moment, now may be a good time to take advantage of unclaimed availability.

Have other Avios partners been hit by this?
Yes, Iberia have been, Avios.com apparently not.

How do I look for or book redemptions?
If you have been zero'd then the Book with Avios or Money tab on the left side of My Executive Club may be blocked. However, you can at least check availability via Executive Club / Reward Flights / Book a Reward Flight. BAEC call centre staff are able to book redemptions for you. Remember to check that any booking fee is waived (hopefully they will do this without prompting). In other cases call centre staff have offered to put a redemption booking on "hold" pending the resolution of this issue. Alternatively, if you have an Avios.com account with Avios already available there, then this may be another way of handling this matter.

Statement of March 28 by AwardWallet.com: https://awardwallet.com/forum/viewtopic.php?f=16&t=6616&sid=28d901e85aafebb62044609dc1a1ae7b

Old Mar 27, 2015, 11:47 am
  #181  
 
Join Date: Jan 2009
Location: Near Edinburgh
Programs: BA Silver
Posts: 9,034
Email has just come through:



The insinuation that I've been lax with my BAEC credentials really annoys me (more than it should), but is typical of the disingenuous nature of BA's communications.
Paralytic is offline  
Old Mar 27, 2015, 11:51 am
  #182  
 
Join Date: Dec 2009
Location: Bedfordshire, UK
Programs: BA Gold, Geek platinum
Posts: 2,004
Hmmm anyone else use tripit? That's the only service I can think of that has my BAEC account but my password to that is different
Joely is offline  
Old Mar 27, 2015, 11:53 am
  #183  
 
Join Date: Jan 2009
Location: Near Edinburgh
Programs: BA Silver
Posts: 9,034
Originally Posted by Joely
Hmmm anyone else use tripit? That's the only service I can think of that has my BAEC account but my password to that is different
I really do think the extent of the lockdown indicates that what has happened here is not due to a leak from another tool, but rather due to a brute force attack directly on BA.

I'm sure we've had some people who say they've used no other system who have had their accounts locked.
Paralytic is offline  
Old Mar 27, 2015, 11:54 am
  #184  
 
Join Date: Nov 2009
Location: London, England
Posts: 366
From talking to BA, seems like 'ex gratia' is a temporary measure to suspend the use of Avios.

For me it could only be:
TripIt
BMI credit card

I suspect that '3rd party' actually means one of their 3rd party partners has been compromised... so whilst it's not technically BA's fault, it's not ours either.

Time will tell.
Bloomsbury is offline  
Old Mar 27, 2015, 11:55 am
  #185  
 
Join Date: Apr 2008
Programs: BA Silver
Posts: 151
So no access allowed
Requested reset
Received email link
So updated password (same as before just to see if it would allow this)
Account zeroed
Then received email as above.

All in 5 mins

Hope I can reserve my seats for DUB-JFK on 4/4 tomorrow (temporary bronze)
melanddave is offline  
Old Mar 27, 2015, 11:55 am
  #186  
 
Join Date: Sep 2004
Location: London
Programs: BA IHG
Posts: 1,370
Originally Posted by Paralytic
Email has just come through:

The insinuation that I've been lax with my BAEC credentials really annoys me (more than it should), but is typical of the disingenuous nature of BA's communications.
Just got that email too. So BA seem to be saying the access is via a different online service which you may have used.

It's probably not even a hack at all. Someone has just suddenly noticed lots of logins from the awardwallet server and made a knee jerk reaction that they had been hacked.
cmcbugg is offline  
Old Mar 27, 2015, 11:56 am
  #187  
 
Join Date: Oct 2014
Location: London, UK
Programs: BA Exec Club Gold
Posts: 335
Another data point - strange perhaps

Reset my password earlier & have spoken to gold line - logged back in to see if I'd been restored to find my Country/Language had changed to Spain/English. Not sure if it was like that earlier & I just didn't spot it...
FastTrak2Elite is offline  
Old Mar 27, 2015, 11:56 am
  #188  
 
Join Date: Sep 2010
Location: Dunoon, Hong Kong & Milton Keynes
Programs: BA Gold
Posts: 87

As a SysAdmin for corporate IT Systems, the password complexity on BA's website is shockingly lax, should really be set to min 8 Chars, Capital Letters, Lower Case, Numbers and Special Characters, and no straight dictionary words (that's asking for issues)

So don't blame BA IT for this.. PS I don't work for BA's IT Team..
Not disagreeing about the lax level of password required for BA's website, but there is nothing wrong with straight dictionary words if used correctly, i.e. multiple words. Personally hate special characters. Interesting analysis of common 'strong' passwords:
https://xkcd.com/936/
HKGorBust is offline  
Old Mar 27, 2015, 12:00 pm
  #189  
Original Member
 
Join Date: May 1998
Location: Northern England
Posts: 1,531
Just received the email. Terrible form of BA to send emails with a link and say "click here to unlock your account and change password". Have they not heard of phishing?
Tim_T is offline  
Old Mar 27, 2015, 12:01 pm
  #190  
 
Join Date: Aug 2010
Location: Sheffield, UK
Programs: BA - Silver,Hilton-Diamond, IHG - PlatAmb, GHA - Plat
Posts: 766
Originally Posted by HKGorBust
Not disagreeing about the lax level of password required for BA's website, but there is nothing wrong with straight dictionary words if used correctly, i.e. multiple words. Personally hate special characters. Interesting analysis of common 'strong' passwords:
https://xkcd.com/936/
I love XKCD. :-)

I agree if used correctly dictionary words are fine, but most people don't unfortunately, and it would be interesting to know how many use password or P4ssw0rd etc.
atmorris is offline  
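
Added example, not part of any poster's message and not BA's code: the password-policy disagreement in posts #188 and #190, checked in Python. The deny list, the sample passwords and the 12-character minimum are constructed assumptions; the 2048-word list size is the figure used in the linked xkcd comic.

```python
import math
import re

# Constructed sample deny list; a real one would be a breached-password corpus.
COMMON = {"password", "letmein", "qwerty", "welcome"}
# Undo the usual character swaps (4->a, 0->o, ...) before the deny-list lookup.
LEET = str.maketrans("4@3105$7", "aaeiosst")
# Constructed sample passwords.
SAMPLES = ["password", "P4ssw0rd!", "P4ssw0rd!2015", "velvet tractor lantern orbit"]


def meets_composition_rule(pw: str) -> bool:
    """Rule suggested in the thread: 8+ chars with upper, lower, digit, special."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def is_disguised_common(pw: str) -> bool:
    """True if pw is a deny-listed word behind leet swaps and a digit/symbol tail."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())  # drop a trailing "!", "2015", ...
    return core.translate(LEET) in COMMON


def meets_length_denylist(pw: str, min_len: int = 12) -> bool:
    """Alternative policy (assumed here): long enough and not a disguised common word."""
    return len(pw) >= min_len and not is_disguised_common(pw)


def random_passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy in bits, valid only if each word is picked uniformly at random."""
    return words * math.log2(wordlist_size)


def compare(samples):
    """Map each password to (passes composition rule, passes length + deny list)."""
    return {pw: (meets_composition_rule(pw), meets_length_denylist(pw))
            for pw in samples}


if __name__ == "__main__":
    for pw, (composition, length_deny) in compare(SAMPLES).items():
        print(f"{pw!r:32} composition={composition!s:5} length+denylist={length_deny}")
    print("4 random words from a 2048-word list:",
          random_passphrase_bits(4, 2048), "bits")
```

The composition rule accepts "P4ssw0rd!" and rejects the four-word passphrase, while the length-plus-deny-list check does the opposite.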
Old Mar 27, 2015, 12:01 pm
  #191  
 
Join Date: Mar 2007
Location: EWR-SEA-IAD
Programs: UA 1P MM, AS MVP G*, SPG Gold, Hyatt Plat, IHG Plat, Hilton Diamond, Marriott Gold
Posts: 977
20 min on a rez line (and counting)... Ugh...
HGHUA is offline  
Old Mar 27, 2015, 12:02 pm
  #192  
 
Join Date: Mar 2015
Posts: 1
Originally Posted by Wozza2404
Just to put this to bed:

Has anyone who does not use Awardwallet (and never has done), had their account locked?
I've never used (or heard of) Awardwallet and I received the email from BA to change my password and my Avios are currently showing as 0 - there is a transaction labelled "Ex-Gratia" which I hope is just BA protecting my points...
brookheather is offline  
Old Mar 27, 2015, 12:03 pm
  #193  
FlyerTalk Evangelist
 
Join Date: Mar 2010
Location: JER
Programs: BA Gold/OWE, several MUCCI, and assorted Pensions!
Posts: 32,140
Hmmm ... HHons has my BAEC details through their 'double dip' arrangement.
T8191 is offline  
Old Mar 27, 2015, 12:04 pm
  #194  
 
Join Date: Oct 2008
Location: Isle of Skye, Scotland
Programs: BA gold
Posts: 3,902
Originally Posted by Tim_T
Just received the email. Terrible form of BA to send emails with a link and say "click here to unlock your account and change password". Have they not heard of phishing?
It really does read like a phishing email and if there was a compromised access, for a layman, who's to say it isn't a phishing email?
Stez is offline  
Old Mar 27, 2015, 12:05 pm
  #195  
 
Join Date: Feb 2015
Location: NYC/London
Programs: BAEC: Gold
Posts: 20
So er... I got this too.

I don't use any Apps other than the mobile app (and occasionally) the mobile website, and the ba.com website.

I don't share passwords with other services either.


The email from BA reads like a phishing email too.


I seem to remember that BA's mobile site used to be a horrible thing powered by usablenet.com
In fact their old mobile site is still up on https://mobile.usablenet.com/mt/www...._gb?eId=106011

I suspect that may be the thing which has been compromised?
itwasntandy is offline  

