Exec Club account hacked - Avios gone
#31
Join Date: Dec 2001
Posts: 1,034
I’m with you on that. It’s a great product. I also maintain my own personal domain and can use any email address in front of the domain and everything comes into my inbox so I can choose different email addresses for any site if I want to. This also makes it really easy to mark stuff as junk based on the incoming email address.
#32
Join Date: Dec 2013
Location: Near the Beach.
Posts: 202
Whatever your own opinion may be, the standard professional advice for a very long time has been not to use the same password on different sites, yet that is what the OP did. Ignore that advice at your peril, it's there for a reason.
No, it certainly wasn't the OP's fault that the password he used on a particular site was compromised but it absolutely was down to him that he used the same password across multiple sites. That's what ultimately allowed someone to access his BAEC account and use his Avios. If you are certain that's not his responsibility, please say whose it is. I'll give you a hint; it's not BA's.
Do you also, by any chance, use the same password across multiple sites and expect someone else to pick up the pieces when your password gets compromised? Inquiring minds want to know.
Here's a clue for you. No matter what all corporations put in their terms of use, those are their policies and not the law. Policies can be challenged and corporations made to eat them. Like BA was made to roll back the policy about discriminatory seating policies (links to which are available on the board). So quoting BA policies like it's written in stone demonstrates naivete. OP didn't give out his password. It was breached from other websites. It's not his fault.
He was here for some help and/or reassurance. Not to be told it's his fault.
Last edited by LifeontheBeach; Jul 6, 2020 at 10:09 am
#33
Join Date: Sep 2010
Location: Las Vegas
Programs: BA Gold; Hilton Honors Diamond
Posts: 3,226
I have to agree with SarahWest on this. It is basic network security 101 that you should use complex, random, unique passwords and, where possible, leverage MFA. Using separate e-mail addresses for each site is an added layer of security but not everyone has their own domain nor, perhaps, the time or inclination to set up a separate e-mail address for every online vendor. By using a unique password you avoid the situation where a username / password combination harvested from a breach at one site (or guessed - people still continue to use simple, easy to guess passwords) can be used across multiple sites. If I use the same username / password combination across multiple sites then I have only myself to blame for the consequential loss. The hacking of the first site may be outside of my control but the use of the same username / password subsequent to that is, in my view at least, all down to me.
The other concern here isn't simply about usernames and passwords but it's also about all the other personally identifiable information that can be harvested and changed, or used for further - large scale - identity theft and fraud. In the case posted by the OP it was theft of Avios which were then used to buy wine. However, the criminal could easily have acquired other personal data such as home addresses, e-mail addresses, date of birth etc. That can then be used for social engineering elsewhere.
#34
Join Date: Dec 2013
Location: Near the Beach.
Posts: 202
I have to agree with SarahWest on this. It is basic network security 101 that you should use complex, random, unique passwords and, where possible, leverage MFA. Using separate e-mail addresses for each site is an added layer of security but not everyone has their own domain nor, perhaps, the time or inclination to set up a separate e-mail address for every online vendor. By using a unique password you avoid the situation where a username / password combination harvested from a breach at one site (or guessed - people still continue to use simple, easy to guess passwords) can be used across multiple sites. If I use the same username / password combination across multiple sites then I have only myself to blame for the consequential loss. The hacking of the first site may be outside of my control but the use of the same username / password subsequent to that is, in my view at least, all down to me.
My point was that we can't expect ALL people to be so technologically aware. There will be some who are not able to do so for various reasons e.g. time constraints, medical conditions, maturity etc. That should not result in their getting blamed for a breach they didn't initiate.
Last edited by LifeontheBeach; Jul 6, 2020 at 12:11 pm
#35
Join Date: Jan 2012
Location: OC, CA
Programs: AA EXP, 2MM, HH Diamond
Posts: 831
I agree 100% that these precautions need to be taken. Apart from strong passwords and separate emails for different sites, specific devices are to be used exclusively for banking and financial activities and not for browsing online so that those are recognized by the security architecture. I don't trust the password manager sites as those could be breached too and will then give up *every one* of the site/password combinations stored in them.
My point was that we can't expect ALL people to be so technologically aware. There will be some who are not able to do so for various reasons e.g. time constraints, medical conditions, maturity etc. That should not result in their getting blamed for a breach they didn't initiate.
#36
Join Date: Jan 2008
Posts: 3,835
This thread has taken a frankly ridiculous direction. Yes, people shouldn’t re-use passwords but expecting people to use site-specific email addresses is utterly unrealistic.
We’re talking about the company that had one of the biggest data breaches in UK history, received the biggest fine ever and made £3.3bn in profit and still couldn’t be bothered to implement 2FA.
The customer is not the problem here.
#37
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,600
Even if somebody hacked a password manager site, the passwords are all encrypted, so it wouldn't be any use unless they had the master password. The master password is not stored server-side.