Skymiles account hacked, points drained
#16
Join Date: Apr 2002
Location: Atlanta Metro
Programs: DL, AC, BA, Hhonors Diamond, IH Platinum, Bonvoy Gold, Hyatt Discoverist
Posts: 2,350
You do understand the same IT folks who protect DL SkyMiles are the folks who run the SkyMiles booking page? I am not shocked at all. #LowestCostSubContractors
Gotta get that uncalled-for snark out of your system, I guess.
#17
Join Date: Apr 2012
Location: California
Programs: DeltaSilver/MM, Marriott Platinum
Posts: 494
I always wonder when people have to sign into websites, especially less reputable ones, if the passwords are ever sold or used elsewhere as MANY people use the same email/password combo for everything from ESPN.com, Facebook, Twitter, Online Banking, Delta.com, Flyertalk, etc.
#18
FlyerTalk Evangelist
Join Date: Jul 2003
Posts: 23,021
You are right about that. However, Delta should not be storing passwords! They should be storing hashes (at least MD5, but preferably SHA-512) of the passwords. That way, once the password is entered, it is hashed and compared with the stored hash. Of course, MD5 can be cracked in hours using a powerful enough cluster.
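The hash-and-compare flow described in the post above, as an added example (not code from this thread, and not anything known about how Delta stores credentials). It contrasts the unsalted fast hash the poster mentions (MD5) with the salted, deliberately slow password-hashing scheme a site should use: here PBKDF2-HMAC-SHA256 from the standard library, with a per-user random salt and a constant-time comparison. The iteration count and record format are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the example; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 600_000


def unsalted_md5(password: str) -> str:
    """The weak scheme the post warns about: no salt, one fast hash.

    Two users with the same password get the same digest, and a digest leaked
    from one site matches the same password everywhere it was reused.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$hash.

    A fresh 16-byte salt is drawn per call, so identical passwords yield
    different records and cannot be matched against each other or a
    precomputed table.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    pw = "correct horse battery staple"
    print("MD5 linkable:", unsalted_md5(pw) == unsalted_md5(pw))            # True
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("PBKDF2 records differ:", rec_a != rec_b)                          # True
    print("both verify:", verify_password(pw, rec_a) and verify_password(pw, rec_b))  # True
    print("wrong password rejected:", not verify_password("wrong", rec_a))   # True
```

The record carries its own algorithm and iteration count, so the work factor can be raised later and old records re-hashed at the user's next successful login without a flag day.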
#19
Join Date: Apr 2011
Posts: 3,394
You are right about that. However, Delta should not be storing passwords! They should be storing hashes (at least MD5, but preferably SHA-512) of the passwords. That way, once the password is entered, it is hashed and compared with the stored hash. Of course, MD5 can be cracked in hours using a powerful enough cluster.
Who said anything about DL not storing passwords in a hashed form? The point was that by sharing passwords across multiple accounts, it only takes one website to store passwords in the clear or with a weak hash to potentially have your password compromised which then allows the attacker to gain access to any site where you use that password (no matter how securely it is stored on that site).
#20
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,363
Who said anything about DL not storing passwords in a hashed form? The point was that by sharing passwords across multiple accounts, it only takes one website to store passwords in the clear or with a weak hash to potentially have your password compromised which then allows the attacker to gain access to any site where you use that password (no matter how securely it is stored on that site).
How many glance at the URL bar of their browser before entering an important password to ensure they are on the correct site with a secure connection? My guess is very few.
I have to admit I treat dl.com as a mid-level security issue. Not the same as a bank/broker account. But I don't have as many miles as some of you lucky guys :-)
#21
Join Date: Jan 2008
Location: Plum Nelly
Programs: Marriott Bonvoy, Delta Sky Miles, and S&H Green Stamps
Posts: 636
#22
Original Poster
Join Date: Jul 2008
Location: Exactly where I want to be
Programs: IHG Gold, SPG Gold, HH Gold, Marriott Gold, Hyatt Discoverist, Delta Kettle, AMEX Plat, DL AMEX Plat
Posts: 1,434
Happy that you got your miles back quickly. When I saw your post, I went to log in to see if mine was back. Well, my account is now "suspended due to a security risk." Sigh. I'm on the phone, waiting my turn in line to see what the Hell is going on.
#23
Original Poster
Join Date: Jul 2008
Location: Exactly where I want to be
Programs: IHG Gold, SPG Gold, HH Gold, Marriott Gold, Hyatt Discoverist, Delta Kettle, AMEX Plat, DL AMEX Plat
Posts: 1,434
QUICK UPDATE: I called the number referenced to talk about my lockout. I was told that they must investigate, and WHEN CONVINCED IT WAS FRAUD, they would contact me about restoring the account. Then, they said it could take up to 3-4 weeks!!!! Why am I taking that long when others were done overnight??? Now, I am getting pissed off...
Last edited by slidergirl; Oct 12, 2018 at 11:27 am
#24
FlyerTalk Evangelist
Join Date: Jul 2003
Posts: 23,021
For the previous poster, it appears the activity was automatically detected (rather than any action by poster) and reversed. More than likely, no actual goods or services were provided. I imagine it gets trickier if it wasn't auto-detected and actual goods/services were provided in exchange for the miles.
#25
FlyerTalk Evangelist
Join Date: Oct 2011
Location: ATL
Programs: DL Scattered Smothered Covered Medallion, Some hotel & car stuff, Kroger Plus Card
Posts: 10,745
LBJ clarified my point. And I think I saw somewhere that the most common passwords are literally 12345, and password. We live in a world where everyone SHOULD be hyper aware of their online info but only a very small percentage actually are. And it only takes one leak from a site, and so many things can be compromised.
#26
Join Date: Sep 2016
Location: HSV
Programs: Bellevue Lifetime Premiere Mega Elite Supreme
Posts: 1,509
#27
Join Date: Jul 2015
Location: SEA
Programs: Hilton/Marriott Gold, Accor Silver
Posts: 2,036
Somebody has to be a complete idiot or super naive to use the same credentials they use on facebook, twitter, flyertalk etc as they do for online banking. And if one has any decent amount of miles, same with dl.com.
Get yourself a throwaway username/password for all the sites you think do not need an actual signon. And for me that includes this site.
#28
FlyerTalk Evangelist
Join Date: Jun 2015
Location: Back in Reds Country (DAY/CVG). Previously: SEA & SAT.
Programs: DL PM 1MM, AA PLAT, UA Silver, Marriott Bonvoy Titanium
Posts: 10,334
#29
Join Date: Sep 2016
Programs: DL PM, Marriott, IHG
Posts: 193
I treat Delta.com as a high-level security issue. Not only do they have payment information, I also rely on Delta for business travel. A compromise of my login credential has the potential to severely disrupt my life. I haven't checked recently, but it would be outstanding if Delta used time-based second factor authentication codes without SMS codes (which is horribly insecure).
#30
Suspended
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
Yes, it would be really nice if DL implemented U2F or some other time-based OTP schemes, but I don't think we'll see it anytime soon.
I don't really know how much of a disruption a compromise would be. If my individual login is hacked, I don't think the attacker would be able to recover the details of my stored payment methods. I'd probably order new cards but I can have those in 24 hours and I never register all of my cards at any one site. Worst case is they drain my skymiles and maybe buy some tickets, both of which should be extremely easy to reverse.