SITA [airline IT provider] data breach, some BAEC data compromised
#61
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,084
A code sent to your registered phone or email address (you can select which) which you will be asked to enter.
My process was use "forgot password" link, enter a new one and use that to log in and told I need to verify.
Get sent verification code, enter that along with second new password (using just created first new password as current, having also guessed which characters they don't like in a password).
Seamless it was not....
Last edited by BertieBadger; Mar 5, 2021 at 12:59 pm
#62
Join Date: Nov 2018
Location: BER
Programs: BA GGL, Hilton Diamond
Posts: 1,842
login fails because "Die von Ihnen angegebene Mitgliedsnummer ist bei uns nicht registriert. Bitte korrigieren Sie Ihre Angaben entsprechend." - something like "the exec number you have entered is not registered. Please correct your entry."
edit: its
- We are not able to recognise the membership number that you have supplied. Please check and re-enter.
Last edited by Nephoi; Mar 5, 2021 at 1:01 pm
#63
Join Date: Jun 2012
Programs: IHG Spire Ambassador, Club Carlson Gold, HHonors Gold, Best Western Diamond Select, BA Blue
Posts: 1,335
A code sent to your registered phone or email address (you can select which) which you will be asked to enter.
My process was use "forgot password" link, enter a new one and use that to log in and told I need to verify.
Get sent verification code, enter that along with second new password (using just created first new password as current, having also guessed which characters they don't like in a password).
Seamless it was not....
#64
Community Director
Join Date: Jan 2009
Location: Norwich, UK
Programs: A3*G, BA Gold, BD Gold (in memoriam), IHG Diamond Ambassador
Posts: 8,448
Noting the possible compromise of seating preferences, is it too much to hope that the hackers might make a better job of it than BA’s IT usually manages with mine?
(No e-mail for me yet, which suggests they’re batching and that the password/access problem might persist for a while as each tranche of notifications gets released.)
#65
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,084
It appears to be something of a mess at the moment tbh, it was only after I logged in with my new password that I was able to select how to receive the verification code which you have to explicitly action (i.e. press 'Send'), if you aren't reaching that step not sure what to suggest.
I logged in with email address rather than membership number, that seems to be more likely to succeed based on comments.
#68
Join Date: May 2008
Location: Berkshire
Programs: BA Lifetime Gold, GGL/CCR, Hilton Diamond, Accor Plat, Pucci Fan Club
Posts: 1,778
Check your spam folder if you haven't had the email. Mine was in there.
Changed password. Still wouldn't log me in. Won't accept my BAEC number.
Used my email address and new password. That then took me to the verification stage. Verification PIN number received immediately by email.
Then prompted to change password again. So used new password and then changed back to old password (very complicated PW only used on BA). That worked surprisingly (will probably change it again to be safe).
Still can't log on using my BAEC number ... they (BA) seem to have stopped this option I think as it just says the BAEC number isn't recognised. Assume BA are worried about the membership numbers being compromised.
Anyway logged in now using email address and new (old) password. What a monumental mess.
#69
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,084
As I understand it, they've got hold of the email addresses used by people's BA accounts.
Now, many people practice poor password hygiene, that is they will register with every site as e.g.
[email protected] / Password123
or whatever. Now there is no leak of the BA password here, but if miscreants can match up that email address that they do have to a password from *another* leak (e.g. from a site that may not even know it has been compromised) then together they have access to the BA account.
Yes, it's a pain for people who do manage passwords correctly, but they seem to have opted to inconvenience them to avoid problems with people who follow the poorer practices above.
#70
Join Date: May 2014
Posts: 7,168
SITA provides the backbone to a lot of airline systems. Most of baggage messaging, for instance, uses SITA infrastructure; a lot of the CUTE sets in airports worldwide, where airlines share hardware, run on SITA. And there's more stuff. They even have a large part to play in biometric passport scanners. If BA and other airlines were rail franchises, SITA would be a bit like Network Rail; it's better to be safe and suggest a password reset than being sorry.
#71
Join Date: Sep 2012
Location: NW London and NW Sydney
Programs: BA Diamond, Hilton Bronze, A3 Diamond, IHG *G
Posts: 6,321
Right, I changed my password 3 times unsuccessfully, then thought of coming here. Using email address worked but can only log in with email address.
I manage all 7 accounts in my household. With the second account I went to "forgotten password" and entered the email as the Login ID, and after changing the password once I was immediately logged in, no double verification.
Now to do the next 5 accounts...
#72
Join Date: Aug 2009
Posts: 645
Managed to log in using email address rather than membership number after changing password twice. Presented with the two factor authorisation page, chose the email option as there wasn't a phone option offered and got an error saying the system was down and couldn't generate a code. Great work BA.
#73
Join Date: Mar 2020
Programs: British Airways GGL/CCR, Hilton Diamond & Marriott Gold
Posts: 2,606
This is simple risk mitigation. If you force everyone to reset your password, then in theory this eliminates any risk for BA. The SITA hack may evolve over time as they know more. By forcing a new password, they are forcing the protection that this brings upon you. They can then point to this as a measure if anything were to happen.
#74
Join Date: Aug 2006
Location: Switzerland
Posts: 1,568
The data theft is a list of valid membership numbers and associated full name. Although I use a userid/password to log in, it appears many use their membership number. So, the hackers could use your name to go through various hacker databases and see if they have your password anywhere for any other website that might have been hacked over the years. Then, they will use that password and your membership ID to try to access your BA account.
Due to this, BA have asked you to change your password. In my opinion, I'd only bother doing this if you have used your current BA password anywhere else. As my BA password is unique, I've simply deleted the email and plan to do nothing. This has the added advantage in that it's easy
It also seems that BA have locked accounts that use a membership number to log in, so you'll need to use your user-id. I don't know what happens if you have never created a user-id, maybe it's your email address?
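Added example (not part of any post in this thread, and not BA's or SITA's code): posts #69 and #74 describe the risk as a known login ID combined with a password reused from another leak, so this sketch shows a site forcing a reset only for passwords that appear in a breach corpus, using the SHA-1 prefix range-query pattern so the full hash never leaves the site. The corpus, the `RangeService` class and the `login_policy` function are assumptions made for illustration.

```python
import hashlib

# Constructed sample: passwords assumed to be present in earlier, unrelated leaks.
CONSTRUCTED_LEAKED = ["Password123", "qwerty2020", "letmein!"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Group leaked-password hashes by their first five hex characters."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

class RangeService:
    """Hypothetical stand-in for a remote breach-corpus lookup service."""
    def __init__(self, index):
        self.index = index
        self.seen_queries = []  # everything the service learns from callers

    def lookup(self, prefix):
        self.seen_queries.append(prefix)
        return self.index.get(prefix, set())

def is_known_leaked(password, service):
    """Send only a 5-character hash prefix; compare the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in service.lookup(digest[:5])

def login_policy(password, service):
    """Decide, after a successful login, whether this account must reset."""
    return "force_reset" if is_known_leaked(password, service) else "allow"

if __name__ == "__main__":
    svc = RangeService(build_range_index(CONSTRUCTED_LEAKED))
    for pw in ("Password123", "x7#Lq-only-used-on-BA-92"):
        print(pw, "->", login_policy(pw, svc))
    print("service saw:", svc.seen_queries)
```

The check runs at login or password-change time, the only moments the site sees the plaintext, and a password unique to the site passes without a forced reset.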
#75
Join Date: Sep 2010
Location: Las Vegas
Programs: BA Gold; Hilton Honors Diamond
Posts: 3,216
I know others are moaning about having to change their passwords but I know that I haven't changed my BAEC password in a very long time. From a security best practice point of view it's probably time I did, and if it encourages / compels others to do the same then it's not a bad thing.