Mandatory password reset

Old Oct 25, 19, 6:57 pm
  #1  
Original Poster
 
Join Date: Jan 2008
Programs: WN A-List, Hertz 5*, Bonvoy Gold
Posts: 3,600

My RR password, as well as that of an associate, did not work this afternoon, though passwords of several other RR accounts worked, without any issues. A couple of hours later, this email message was received:

Important information about your Rapid Rewards® online account

Dear Xxxxx,

The security of your account information is a top priority for Southwest Airlines®. It appears that your account may have been accessed without your consent. As a result, we have deactivated your current password to protect your account, and you will need to reset your password.

Calling WN, the agent did not know about any issues; then, she checked her personal account, only to have the same problem and email message. Her Help Desk knew nothing, but was passing the inquiry on to Corporate. In the meantime, I was directed to change passwords. At this point, they don't know if it's an IT glitch, or if there is actually a legitimate reason for a security concern.
mke9499 is offline  
Old Oct 25, 19, 7:07 pm
  #2  
 
Join Date: Aug 2003
Location: Henderson, NV, USA
Programs: Hilton Diamond; Hertz PC; Marriott Lifetime Gold
Posts: 79
Happened to me and several colleagues - sounds like something went haywire with their system.
GVR Bill is offline  
Old Oct 25, 19, 7:08 pm
  #3  
 
Join Date: Jan 2010
Posts: 1,128
I can still sign in with current password
dmbolp is offline  
Old Oct 25, 19, 7:10 pm
  #4  
 
Join Date: Feb 2004
Location: USA
Programs: Frontier 100K, AC SE100K, BA Gold, WN A-/CP, Hyatt Globalist
Posts: 3,754
Same thing here on two accounts, and I could not cancel flights as it needed a RR login. I was in the air with no voice dialing capacity.

One account allowed a PW change yesterday, the other did not.
expert7700 is online now  
Old Oct 26, 19, 2:02 pm
  #5  
 
Join Date: Mar 2011
Posts: 5,572
My password was rejected on desktop and mobile website beginning Thursday night, despite being correct. Eventually I was locked out. I could still access my account via the app, which uses fingerprint for login. I didn't see any unauthorized access, so I reached out via Twitter to see if login could be reset without changing my password and was told that it would do so automatically after 24 hours from the initial lockout. It didn't. (The copy/paste reply also suggested that I had forgotten my password, which was annoying.) Then I received the email referenced above, so I reset my password. Still no unauthorized access, but it does appear that this was either a breach or some kind of larger glitch. In further texts with the Twitter rep I suggested Southwest consider two-factor authentication, and was told that, no promises but they're looking into it -- for what that's worth.
ursine1 is offline  
Old Oct 26, 19, 5:11 pm
  #6  
 
Join Date: Jun 2019
Programs: Marriott Titanium; WN A-list; UA Silver
Posts: 230
Same here.
nmpls is offline  
Old Oct 26, 19, 5:19 pm
  #7  
 
Join Date: Jan 2010
Posts: 1,128
Able to log into all 4 of the accounts I manage: Mine, Wife, Daughter, Daughter's Boyfriend
dmbolp is offline  
Old Oct 27, 19, 7:20 pm
  #8  
FlyerTalk Evangelist
 
Join Date: Jun 2015
Location: SFO/SJC, BWI
Programs: :rolleyes:, DL DM, Mlife Plat, TR 7*, Marriott Tit, UA Gold
Posts: 11,271
Originally Posted by ursine1
Still no unauthorized access, but it does appear that this was either a breach or some kind of larger glitch.

It's also possible they periodically look for passwords known to have been part of other breaches and compare those to passwords being used by their own users (this can be done without knowing your password; they can just hash the known compromised password with whatever hash they use on regular user pws) and if yours pops up on the list they force a reset.

https://krebsonsecurity.com/2019/08/...r-assumptions/
synergistic and ursine1 like this.
Zorak is online now  
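
The check described in post #8, sketched as an added example that is not part of the thread and not anything Southwest is known to run: known-breached passwords are run through the site's own password hash and compared with the stored hashes, and matching accounts are flagged for a forced reset. The storage scheme (PBKDF2-HMAC-SHA256 with a per-user salt), the function names and the sample accounts are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

# Assumed storage scheme: PBKDF2-HMAC-SHA256 with a random per-user salt.
# The iteration count is kept low so the demo runs quickly (assumption only).
ITERATIONS = 10_000

# Constructed stand-in for a list of passwords seen in other sites' breaches.
BREACHED = ["123456", "password", "Summer2019!"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a password the same way the (assumed) login system stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Build a stored credential record; the plaintext is not retained."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "force_reset": False}


def flag_breached_accounts(users: dict, breached_passwords: list) -> list:
    """Flag accounts whose stored hash matches a known-breached password."""
    flagged = []
    for name, rec in users.items():
        for candidate in breached_passwords:
            # Re-hash the breached candidate with this user's salt and compare
            # in constant time; the user's own plaintext is never needed.
            if hmac.compare_digest(hash_password(candidate, rec["salt"]), rec["hash"]):
                rec["force_reset"] = True
                flagged.append(name)
                break
    return flagged


def build_demo_users() -> dict:
    """Constructed sample accounts: two use breached passwords, one does not."""
    return {
        "alice": make_record("Summer2019!"),
        "bob": make_record("k3#Vq9-unlikely-to-be-listed"),
        "carol": make_record("123456"),
    }


if __name__ == "__main__":
    print(flag_breached_accounts(build_demo_users(), BREACHED))
```

With per-user salts every candidate has to be re-hashed for every account, so the cost of a sweep like this grows as accounts × candidates × hash cost.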
Old Oct 27, 19, 10:21 pm
  #9  
 
Join Date: Mar 2011
Posts: 5,572
Originally Posted by Zorak
It's also possible they periodically look for passwords known to have been part of other breaches and compare those to passwords being used by their own users (this can be done without knowing your password; they can just hash the known compromised password with whatever hash they use on regular user pws) and if yours pops up on the list they force a reset.

https://krebsonsecurity.com/2019/08/...r-assumptions/

We're talking about Southwest here.

Zorak and steved5480 like this.
ursine1 is offline  
