SITA [airline IT provider] data breach, some BAEC data compromised


Old Mar 5, 2021, 2:47 pm
  #76  
 
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,091
Originally Posted by adrianlondon
... So, the hackers could use your name to go through various hacker databases and see if they have your password anywhere for any other website that might have been hacked over the years. Then, they will use that password and your membership ID to try to access your BA account.
That's the nub of it. On their own the details lost wouldn't allow access, but if they can be matched up to other stolen details (and remember, you might not even know they've been stolen) that do include passwords then anyone who used the same password is compromised.

That's why it's important to use unique passwords (as I'm sure you appreciate but others may not), and why the BA email asks people to use a password they've never used elsewhere.
adrianlondon likes this.
BertieBadger is online now  
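The chain the two posts above describe (a dump with no passwords in it, joined against an older breach that does contain them, then replayed against the loyalty site) as an added, runnable illustration. This is not code from the thread, not anything BA or SITA runs, and every record in it is constructed; the loyalty site is a stand-in that stores salted PBKDF2 hashes.

```python
"""Credential stuffing from a breach that leaked no passwords at all.

Added example, not from the forum thread. All records are constructed.
Shows how names + membership numbers (no passwords) become usable once
joined with an unrelated breach that did include passwords, and why a
password that is unique to the loyalty site breaks the chain.
"""
import hashlib
import os
from collections import defaultdict

# What the frequent-flyer breach exposed: name, membership number, status.
LEAKED_FF_RECORDS = [
    {"name": "Alice Example", "member_id": "10000001", "tier": "Gold"},
    {"name": "Bob Example",   "member_id": "10000002", "tier": "Silver"},
    {"name": "Carol Example", "member_id": "10000003", "tier": "Gold"},
]

# An unrelated, older breach of some other site, which did include passwords.
OTHER_SITE_BREACH = [
    {"name": "alice example", "password": "Password123"},
    {"name": "bob example",   "password": "bob-hiking-2019"},
    {"name": "ALICE EXAMPLE", "password": "winter!2020"},   # a second account
]


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(member_id, password):
    """Stand-in loyalty site: stores only a salted PBKDF2 hash."""
    salt = os.urandom(16)
    return {"member_id": member_id, "salt": salt, "hash": _hash_pw(password, salt)}


# Alice reused Password123 on the loyalty site; Bob and Carol used unique ones.
TARGET_ACCOUNTS = {
    "10000001": make_account("10000001", "Password123"),
    "10000002": make_account("10000002", "correct horse battery staple"),
    "10000003": make_account("10000003", "xkcd-but-longer-and-random-9f3a"),
}


def normalise(name):
    return " ".join(name.split()).casefold()


def build_candidates(ff_records, breach_corpus):
    """Join the two dumps on normalised name: member_id -> candidate passwords."""
    by_name = defaultdict(set)
    for row in breach_corpus:
        by_name[normalise(row["name"])].add(row["password"])
    return {r["member_id"]: sorted(by_name.get(normalise(r["name"]), ()))
            for r in ff_records}


def verify_login(accounts, member_id, password):
    acct = accounts.get(member_id)
    return acct is not None and acct["hash"] == _hash_pw(password, acct["salt"])


def credential_stuff(candidates, accounts):
    """Try each candidate password per member_id.
    Returns ({member_id: password that worked}, number of login attempts)."""
    hits, attempts = {}, 0
    for member_id, passwords in candidates.items():
        for pw in passwords:
            attempts += 1
            if verify_login(accounts, member_id, pw):
                hits[member_id] = pw
                break
    return hits, attempts


if __name__ == "__main__":
    cands = build_candidates(LEAKED_FF_RECORDS, OTHER_SITE_BREACH)
    hits, attempts = credential_stuff(cands, TARGET_ACCOUNTS)
    print(f"{attempts} login attempts, {len(hits)} account(s) taken over: {hits}")
```

Only the reused password falls; the two accounts whose passwords appear in no other dump cost the attacker one or zero attempts and yield nothing, which is exactly the property the "never used elsewhere" advice is buying.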
Old Mar 5, 2021, 2:52 pm
  #77  
 
Join Date: Jun 2012
Programs: IHG Spire Ambassador, Club Carlson Gold, HHonors Gold, Best Western Diamond Select, BA Blue
Posts: 1,335
Originally Posted by adrianlondon
It also seems that BA have locked accounts that use a membership number to log in, so you'll need to use your user-id. I don't know what happens if you have never created a user-id, maybe it's your email address?
I have tried my membership number (which is what I normally use) and my email address. I don't know about having a user ID. My membership number was recognised, and I managed to change my password. It directed me to go to the login page, but I was unable to log in. I did not receive any verification code.

When I tried to use my email address to change my password, it did not recognise my email address.
rumbataz is offline  
Old Mar 5, 2021, 3:04 pm
  #78  
 
Join Date: Jun 2015
Location: LHR, LGW
Programs: BAEC
Posts: 3,436
Originally Posted by BertieBadger
Because of fear over poor password practices.

Password123
Excuse me! How did you know my password?

To be fair they can have my account, we can’t fly anywhere. I doubt the hackers will want to pay £1700 and spend 2 weeks at the Heathrow Best Western either!
SxMan, BertieBadger and Nephoi like this.
rockflyertalk is offline  
Old Mar 5, 2021, 3:07 pm
  #79  
 
Join Date: Nov 2004
Location: ORD, LHR, FCO
Programs: BA Gold, etc. etc.
Posts: 1,402
London Dude is offline  
Old Mar 5, 2021, 3:09 pm
  #80  
 
Join Date: Nov 2004
Location: ORD, LHR, FCO
Programs: BA Gold, etc. etc.
Posts: 1,402
BREAKING: At least 30,000 U.S. organizations have been newly hacked through an exploit in Microsoft Exchange server, Krebs reports. (via @EamonJavers)

London Dude is offline  
Old Mar 5, 2021, 3:10 pm
  #81  
 
Join Date: Feb 2015
Programs: BA Gold, Avis President
Posts: 438
Originally Posted by rumbataz
I have tried my membership number (which is what I normally use) and my email address. I don't know about having a user ID. My membership number was recognised, and I managed to change my password. It directed me to go to the login page, but I was unable to log in. I did not receive any verification code.

When I tried to use my email address to change my password, it did not recognise my email address.
Same here...Chris
Chris_G is offline  
Old Mar 5, 2021, 3:13 pm
  #82  
 
Join Date: Nov 2017
Programs: BA
Posts: 105
Originally Posted by rumbataz
I have tried my membership number (which is what I normally use) and my email address. I don't know about having a user ID. My membership number was recognised, and I managed to change my password. It directed me to go to the login page, but I was unable to log in. I did not receive any verification code.

When I tried to use my email address to change my password, it did not recognise my email address.
I have had the same issue after it told me my password was changed.
This is an improvement on the response from the last hack where I heard from my credit card company that BA had been hacked, but it is not good that I can't access my account.
I actually want to make a booking but can't see when my other bookings are to avoid a conflict.
tedmak is offline  
Old Mar 5, 2021, 3:16 pm
  #83  
 
Join Date: Feb 2015
Programs: BA Gold, Avis President
Posts: 438
Originally Posted by Chris_G
Same here...Chris
Use your email, not your BA account number...then it works
SxMan likes this.
Chris_G is offline  
Old Mar 5, 2021, 3:18 pm
  #84  
 
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,091
Originally Posted by rockflyertalk
Excuse me! How did you know my password?

To be fair they can have my account, we can’t fly anywhere. I doubt the hackers will want to pay £1700 and spend 2 weeks at the Heathrow Best Western either!
Stick a 4 on the end, no one will guess that.

I'd guess most account fraud takes the form of 'selling' avios from hacked accounts to third parties.
rockflyertalk and SxMan like this.
BertieBadger is online now  
Old Mar 5, 2021, 3:51 pm
  #85  
 
Join Date: Aug 2011
Location: Berlin
Programs: Meow Mix
Posts: 1,434
I am surprised no one has posted how much avios as compo they got for this.
angeloedades is offline  
Old Mar 5, 2021, 3:59 pm
  #86  
 
Join Date: Jul 2012
Posts: 2,235
Login with

membership number: Nope
e-mail: No chance
username: Welcome back

I have not used my "username" for at least a decade, and currently it provides the only accepted entry.
FlyingScientist is offline  
Old Mar 5, 2021, 4:01 pm
  #87  
Original Poster
 
Join Date: Nov 2009
Location: AMS/LON
Programs: BAEC Silver, TK Gold, Eurostar CB, FB Explorer
Posts: 242
Originally Posted by angeloedades
I am surprised no one has posted how much avios as compo they got for this.

I'm the OP, I just wanted to be a helpful FT-er and thought the mail was interesting enough to share.
I have more avios than I can spend at the moment (who doesn't?) and assumed no fault on BA's side, but the system changes their mail requested/demanded, and how their systems then dealt with those changes, are... not great.
happyintheair is offline  
Old Mar 5, 2021, 4:10 pm
  #88  
 
Join Date: Oct 2014
Location: UK
Programs: BAEC
Posts: 41
Am I the only one that wants to wring the neck of the idiot(s) who set this debacle of a password reset up for BA.

...or is that a queue....
Stoat is offline  
Old Mar 5, 2021, 5:13 pm
  #89  
 
Join Date: Nov 2017
Posts: 1,197
Ugh... muppets. My password was perfectly secure, thanks.

Feel free to let me set up 2FA any time soon though.
RG1X is offline  
Old Mar 5, 2021, 5:52 pm
  #90  
 
Join Date: Jun 2008
Location: BER
Programs: BAEC GGL/GfL, Lufthansa SEN, Hilton Diamond, misc other stuff
Posts: 1,374
For those that are wondering why only a specific subset of data appears to be affected, but why airlines want you to change your password anyway here's my theory using random airlines.

Imagine you are at BKK airport checking in for a Thai (TG) flight. You have luggage and a Swiss (LX) Miles&More card with Gold status. You want to use the Gold benefit.
How can TG check whether your LX status is current and they should grant you Star Gold benefits like free luggage?
There has to be an API and there has to be a provider for that. This COULD be SITA.
TG swipes the LX card and uses the name + airline frequent flyer number (e.g. El_Duderito, LX 2220 1234 5678 123) to dip into the SITA system to get an answer along the lines of 'does not exist', 'has Star Silver' or 'has Star Gold'. SITA has to store that information somewhere (e.g. get it pushed by all participating airlines or query through to the actual airline).
More importantly TG will most likely cache the data somewhere since they can expect to use it again while the pax is passing through the airport: during the check-in process to print status on the boarding pass, for fast track checks, for lounge access, .. lots of cases.

If this is the use case, I believe the airline emails claiming that only this data was leaked. LH has absolutely no interest in providing fine-grained information beyond the absolute minimum. Why should they tell their competition that a customer is a LX HON, where he lives or what his CIV equivalent is?

The problem is that armed with a list of current names and frequent flyer numbers you can cause quite some damage. Brute force attacks on other systems and APIs are much more effective if you don't have to search the whole number range for the frequent flyer numbers but only focus on those that a) are known to be valid and b) have Gold status.

As an attacker what would I do? Try to find an API that provides you with all PNRs attached to a specific frequent flyer number/name combination.
Don't believe that they exist? They unfortunately do. I personally found, reported and had a major issue fixed last year. The bug fix included software updates/config changes on multiple websites and could not just be pushed by the software provider.
Don't believe these issues exist today? I won't name the airline, but even today you can look up reservations and check in using a name + frequent flyer combination.
If you cannot find one that looks up all reservations try to check in using a frequent flyer number on a website.

In a non-public document I've shown the full escalation from a random frequent flyer number all the way to getting personal information including known traveler numbers, visa information, addresses and all those lovely ticket remarks.
I can understand that airlines are nervous.
Btw: why does BA include information like status, tier points and Avios in your account in the notification email? Try resetting your password and check the header of that mail. Why does it tell you your status, tier points and Avios in the account?
BertieBadger and 13901 like this.
El_Duderito is offline  
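The post above argues that a list of valid name + frequent-flyer-number pairs makes attacks on any lookup that accepts that pair far cheaper than searching the number range blind. The following is an added illustration of that cost difference and of one detection rule for the blind version; it is not code from the thread and not any airline's or SITA's API. The lookup endpoint, the member records, the surname guess list and the source addresses are all constructed.

```python
"""Why a list of valid name + frequent-flyer-number pairs matters.

Added example, not from the forum thread. The endpoint and all records
are constructed stand-ins, not any airline's real system.
Compares the request cost of finding Gold members through a
name + FF-number lookup with and without the leaked list, then runs a
simple enumeration detector over the request log the endpoint kept.
"""
from collections import defaultdict

NUMBER_DIGITS = 8
NUMBER_SPACE = 10 ** NUMBER_DIGITS

# Constructed member database: (surname, ff_number) -> tier. Low numbers are
# used only so the blind scan below finishes in a known number of requests;
# a real range is NUMBER_SPACE wide.
MEMBERS = {
    ("example", "00000042"): "Gold",
    ("sample",  "00000100"): "Silver",
    ("test",    "00000350"): "Gold",
    ("example", "00001000"): "Blue",
}
# What the breach handed the attacker: the same (name, number, status) triples.
LEAKED = [(s, ff, t) for (s, ff), t in MEMBERS.items()]
# Surnames a blind attacker would guess for each number (constructed).
COMMON_SURNAMES = ["example", "sample", "test"]


class LookupAPI:
    """Mock 'find my reservations' endpoint keyed on surname + FF number.
    Keeps a request log so a detector can run over it afterwards."""
    def __init__(self, members):
        self.members = members
        self.log = []    # (source_ip, surname, ff_number, found)

    def lookup(self, source_ip, surname, ff_number):
        tier = self.members.get((surname.casefold(), ff_number))
        self.log.append((source_ip, surname, ff_number, tier is not None))
        return tier


def blind_scan(api, ip, wanted):
    """No leaked list: walk the number range, trying common surnames for each
    number, until `wanted` Gold accounts are found. Once any surname hits for
    a number, the remaining surnames for it are skipped."""
    golds, requests = [], 0
    for n in range(NUMBER_SPACE):
        ff = f"{n:0{NUMBER_DIGITS}d}"
        for s in COMMON_SURNAMES:
            requests += 1
            tier = api.lookup(ip, s, ff)
            if tier is not None:
                if tier == "Gold":
                    golds.append((s, ff))
                break
        if len(golds) == wanted:
            break
    return golds, requests


def targeted_scan(api, ip, leaked):
    """With the leaked list: query only the pairs already known to be Gold."""
    golds, requests = [], 0
    for surname, ff, tier in leaked:
        if tier != "Gold":
            continue
        requests += 1
        if api.lookup(ip, surname, ff) == "Gold":
            golds.append((surname, ff))
    return golds, requests


def flag_enumeration(log, max_distinct_numbers=20, min_failure_rate=0.9):
    """Detection rule: a source that queries many distinct FF numbers and
    almost always misses is enumerating. Returns the flagged source IPs."""
    numbers, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, _surname, ff, found in log:
        numbers[ip].add(ff)
        total[ip] += 1
        fails[ip] += 0 if found else 1
    return sorted(ip for ip in total
                  if len(numbers[ip]) > max_distinct_numbers
                  and fails[ip] / total[ip] >= min_failure_rate)


if __name__ == "__main__":
    api = LookupAPI(MEMBERS)
    print("blind:   ", blind_scan(api, "203.0.113.5", wanted=2))
    print("targeted:", targeted_scan(api, "198.51.100.7", LEAKED))
    print("flagged: ", flag_enumeration(api.log))
```

The targeted attacker never trips the detector: two requests, two hits, nothing that looks like a scan. That is the practical consequence of the leak the post describes, and it is why per-source rate limits and failure-ratio rules on such endpoints are necessary but not sufficient once valid pairs are circulating; requiring a second, non-leaked secret (a booking reference or an authenticated session) is what actually closes the lookup.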

