FlyerTalk Forums


CarefreeBA Jun 22, 2017 1:06 pm

Executive Club [Account] Hacked... what's next?
 
I've done the obvious (i.e. call BA, account blocked).

Has anyone else had this happen to them? If so - is this process quite straightforward and pain free?

lorcancoyle Jun 22, 2017 1:09 pm


Originally Posted by james_yuen (Post 28475088)
I've done the obvious (i.e. call BA, account blocked).

Has anyone else had this happen to them? If so - is this process quite straightforward and pain free?

Sorry to hear. Believe your account may get put into audit and won't be able to make redemptions until resolved. Out of interest was there a redemption made? Seem to recall a Russian angle to many previous reports.

CarefreeBA Jun 22, 2017 1:16 pm


Originally Posted by lorcancoyle (Post 28475107)
Sorry to hear. Believe your account may get put into audit and won't be able to make redemptions until resolved. Out of interest was there a redemption made? Seem to recall a Russian angle to many previous reports.

Yes, a redemption was made (I won't disclose any details for now). I'm not in a rush to make any redemptions so that's fine.

DYKWIA Jun 22, 2017 1:25 pm

Just be prepared to be patient. This has been reported here a few times. It may take a few weeks, but it will get sorted eventually.

ObscuredByClouds Jun 22, 2017 1:37 pm

I'd recommend changing your passwords, especially any that may have been the same or similar to your BAEC account. Always a good idea to change your email password as well, just in case. Hope this is resolved quickly for you.

paul78 Jun 22, 2017 1:41 pm

My account was hacked a couple of years ago with a few Russian redemptions made. I had to make a few calls to BA before someone actually took ownership and did something about it. One of the booked flights was less than T-24...

It took about 6 weeks 33 days for the audit to take place. BA did say I could still make redemptions during that time but they had to be made by phone. (I don't know how true or easy that would have been as I didn't need to make any.) You can still earn avios during the audit...they are just debited out a day or so after they arrive. And all returned once the audit is complete.

LeeT Jun 22, 2017 1:55 pm

Got done in February for over 700k Avios on a hotel booking in Budapest with some very dodgy Russian names on the reservation. Took 2 months to sort out; got the Avios back, but strangely the hotel booking didn't get cancelled! Seems to happen a lot, and the password was very complicated so hard to think it was compromised...

MSPeconomist Jun 22, 2017 1:58 pm


Originally Posted by ObscuredByClouds (Post 28475211)
I'd recommend changing your passwords, especially any that may have been the same or similar to your BAEC account. Always a good idea to change your email password as well, just in case. Hope this is resolved quickly for you.

Definitely change the email password and also any accounts that might be discoverable from your email account. You'll need to watch everything carefully for a while.

Did you ever get an email notification that the password on your account was changed or were the scammers happy to use the passwords you selected?

bestuseofpoints Jun 22, 2017 2:31 pm


Originally Posted by MSPeconomist (Post 28475303)
Definitely change the email password and also any accounts that might be discoverable from your email account. You'll need to watch everything carefully for a while.

Did you ever get an email notification that the password on your account was changed or were the scammers happy to use the passwords you selected?


+1 would be curious to know as well...and good luck on this rather annoying journey

CarefreeBA Jun 22, 2017 3:34 pm


Originally Posted by bestuseofpoints (Post 28475430)
+1 would be curious to know as well...and good luck on this rather annoying journey

No. (Luckily?) My passwords for my email, Facebook etc are two-factor authentication (@BA: Maybe you could introduce this?) and they haven't touched anything else yet.

To everyone else: thanks for sharing your experiences. At least I have a time scale of how things would progress. When I called them up, they said 48 hours which I thought was too good to be true....

Skatering Jun 23, 2017 7:02 am

It happened to me. Hacker changed the account email address so I couldn't see anything. Called immediately.

Took a lifetime to get resolved, and when it was unlocked, I had to call again because the hacker changed the country to Norway and I couldn't change it back online.

Very friendly call centre agent remarked 'it's amazing what hackers can do nowadays'. I mentioned how it's not particularly difficult when something so valuable doesn't have two-factor authorisation.

I'm sure two-factor will come at some point around 2030. We'll get TSA-Precheck around that time, too.

MPH1980 Jun 23, 2017 7:30 am

While I'd appreciate two factor - I'd really want it either a) with a good remember me function as per Google's Gmail or b) only at the point of purchase.

I log in too often to be confronted by 'enter this value from sms/authenticator' every single time.

However, due to PCI compliance - I'm pretty sure a) couldn't be done without also doing b) anyway.

agehall Jun 23, 2017 8:25 am


Originally Posted by MPH1980 (Post 28477743)
While I'd appreciate two factor - I'd really want it either a) with a good remember me function as per Google's Gmail or b) only at the point of purchase.

I log in too often to be confronted by 'enter this value from sms/authenticator' every single time.

However, due to PCI compliance - I'm pretty sure a) couldn't be done without also doing b) anyway.

Not sure why PCI compliance would come into play when one increases security. Doesn't that mostly have to do with how you manage credit card information?

Anyhow, there are some 2FA solutions that are better than others. World of Warcraft has one of the best ones around if you ask me - it remembers you most of the time but when you do need to log in, you just have to click a button in the app on your phone to confirm your identity - no need to type any codes. Not sure why no one else has done that, but that is how you want it to work and I really wish BA would give us the option to use 2FA.

corporate-wage-slave Jun 23, 2017 8:42 am


Originally Posted by james_yuen (Post 28475669)
No. (Luckily?) My passwords for my email, Facebook etc are two-factor authentication (@BA: Maybe you could introduce this?) and they haven't touched anything else yet.

Do you have a theory as to how the hackers got in to your account? For example is the password for BAEC used elsewhere? I agree that two factor is a better way to go.

radders Jun 23, 2017 9:58 am

Happened about 2 months ago - email change, which I was alerted to by email, but wanted to view the email in Outlook, rather than via a mobile device to check that the links in it were valid...
Hack looks like they combined Avios, and made hotel redemption to empty the account out.
Took just under 2 weeks to fully resolve and get accounts back under control.

If it's an email change be really clear with them that it is an unauthorised change, and that you aren't in control of the email account it's been changed to (and that therefore the change email form route is not appropriate).
Only then did it get escalated the following day when I could see that it had been emptied, and the account locked... And between the email reset being requested, the hotel redemption had been made too!

All points refunded, but only after going through "audit" process, and being crystal clear that family account members had not made the bookings.
The interesting question is what checks are made against the data/information supplied during the "change email address" form. Do they just need account number/email address to effect the change?


All times are GMT -6.