Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > United Airlines | MileagePlus
Reload this Page >

UA Account Hacked / Reports of Fraudulent Award Travel Redemption

UA Account Hacked / Reports of Fraudulent Award Travel Redemption

    Hide Wikipost
Old Sep 8, 18, 6:59 am   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: WineCountryUA
Wiki Link
This thread to follow reports of MP accounts that actually have been hacked / improperly accessed. If you have missing miles and beleive you have been hacked, contact [email protected]

In Suspended MP Accounts / Third Party Vendor "Security Breach?" - Dec 2014 there is discussion of a security breach of a 3rd party that UA seems to believe may lead to inappropriate access to UA accounts via the username method of logging into united.com. Let's follow the breach and log-in changes in the above thread.

A separate(?) "access denied" issue is covered in Consolidated " Is united.com or parts of it Down?" thread
Print Wikipost

Reply

Old Aug 12, 14, 11:12 pm
  #196  
 
Join Date: Jul 2010
Location: BOS, LAX
Programs: AA EXP MM, UA Plat, SPG Plat
Posts: 3,873
UA needs to implement a system (like many other companies!) which emails the old email if the address is changed.
That would catch a lot of these from happening.
DWFI is offline  
Reply With Quote
Old Aug 13, 14, 1:57 pm
  #197  
 
Join Date: Sep 2007
Location: Colorado
Programs: UA Gold 1MM, Marriott Gold
Posts: 1,158
Originally Posted by mrswirl View Post
My MP account was hacked last night and somebody redeemed 3 one-way business class Star Awards on TK from IST-GYD (Azerbaijan) for a total of 135K miles.

Tickets were booked late last night for flights today so by the time I noticed this afternoon, the plane had already landed.

Whoever it was is pretty smart as they changed the email address in my profile so I never received any notifications and they added a new (probably stolen) credit card number to my stored payments area to pay for the booking fees.

I called MP Customer Service and they sent it up to Corporate Security for investigation. I have no doubt that I'll get my miles back but it burns me up that the crooks got away with it.

I check my MP account just about daily and have never had any problems until now. Everyone, check your accounts and change your PINs!
Quick update:

Corporate Security restored the miles to my account within 24 hours and called me back to let me know. No other action was required on my part.

The agent informed me that they often look for these types of events originating out of eastern Europe and called it a "grab and go" situation - hack in and redeem for flights leaving right away. Sounds like it is happening with increased frequency.

He also mentioned that they will be implementing new security features in the next couple of months for better protection. Here's hoping.

Good job UA
mrswirl is offline  
Reply With Quote
Old Aug 13, 14, 2:16 pm
  #198  
FlyerTalk Evangelist
 
Join Date: Jun 2003
Location: DEN
Programs: UA MM 1K; AA MM Gold; HHonors Diamond
Posts: 15,332
Originally Posted by mrswirl View Post
...they changed the email address in my profile so I never received any notifications and they added a new (probably stolen) credit card number to my stored payments area...!
  • The lack of an email to the old email address upon this type of change is crazy
  • Quick...use that credit card to book tickets to Vegas
Bonehead is offline  
Reply With Quote
Old Aug 13, 14, 6:13 pm
  #199  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Posts: 10,576
I tried to look through the thread but did not see it. I see something very disturbing in UA's website. I use a password manager, now when I log into UA's website, the password manager tells me the site is not a secure login though it was when I saved the password into the password manager. I tried all the portals I could think of to log into UA's website and not one of them is the secure https:// type page. When did UA get rid of secure login pages? So, no secure login page, only a 4 number pin. No wonder peoples accounts are being hacked so easily.
Baze is offline  
Reply With Quote
Old Aug 14, 14, 12:03 pm
  #200  
grt
 
Join Date: Mar 2012
Posts: 79
The 4-digit pin is another "Change that you will like" from our CO accounts, and they have not been able to fix this security hole in 2+ years.

Way to go, United.
grt is offline  
Reply With Quote
Old Dec 5, 14, 1:53 pm
  #201  
 
Join Date: Sep 2013
Posts: 7
By chance I happened to log into my United account today and I discovered that someone changed my email address on my account and on Thanksgiving day that person placed 5 separate gift card orders totaling 82,500 miles.

I called and got no where with United or mileage plus customer service. I was eventually told to email [email protected], which I did.

I subsequently changes my email address back and changed my password and changed my pin.

I searched for gift cards in this thread and did not find out whether or not anyone else that had this happen to them ultimately received a refund. I'm afraid that I have lost these miles. It stinks that no one at United will even talk to you about it. It would be nice if someone could try to cancel the gift cards. Hackers and thieves suck.
jonesle7 is offline  
Reply With Quote
Old Dec 5, 14, 6:44 pm
  #202  
 
Join Date: Apr 2011
Location: New York, NY
Posts: 272
Originally Posted by jonesle7 View Post
By chance I happened to log into my United account today and I discovered that someone changed my email address on my account and on Thanksgiving day that person placed 5 separate gift card orders totaling 82,500 miles.

I called and got no where with United or mileage plus customer service. I was eventually told to email [email protected], which I did.

I subsequently changes my email address back and changed my password and changed my pin.

I searched for gift cards in this thread and did not find out whether or not anyone else that had this happen to them ultimately received a refund. I'm afraid that I have lost these miles. It stinks that no one at United will even talk to you about it. It would be nice if someone could try to cancel the gift cards. Hackers and thieves suck.

I still have the name and phone number for the person in corporate security that I dealt with. I'll direct message you, or you can email me directly at [email protected]. I so hope I can help you.
katstarr is offline  
Reply With Quote
Old Dec 5, 14, 7:33 pm
  #203  
 
Join Date: Sep 2013
Posts: 7
Thank you katstarr. I'll keep my fingers crossed that the person in corporate security can help resolve my issue.
jonesle7 is offline  
Reply With Quote
Old Dec 26, 14, 10:02 am
  #204  
 
Join Date: Feb 2008
Location: CAN, LAX, TPE
Programs: AA, AS, CI, DL, UA
Posts: 2,580
Today I received a promo e-mail from United Mileage Plus partner and saw my miles stated on the e-mail to be short of ~50k miles. Went to check online and there was a hotel redemption for 51,400 miles on Dec. 8 that I do not know of. I checked my e-mail account and had never received an e-mail notice in regards to this redemption.

I called the call center and was directed to e-mail [email protected]. Now I received an e-mail from securitytips that they will contact me in 7-10 days.

Prior to the e-mail, I checked my account and everything was normal except that I am signed up to receive e-mails in Spanish. I changed that back to English and edited my password.

Now to cross my fingers that I will get my miles back...
coolfish1103 is offline  
Reply With Quote
Old Dec 26, 14, 10:07 am
  #205  
 
Join Date: Mar 2011
Location: Colorado
Programs: UA GS 3.2 MM, Hilton Diamond, Marriott Lifetime Platinum Premier
Posts: 1,258
Originally Posted by grt View Post
The 4-digit pin is another "Change that you will like" from our CO accounts, and they have not been able to fix this security hole in 2+ years.

Way to go, United.
I'm amazed there haven't been major hacks to United yet. Their security is 1990s.

Last edited by WineCountryUA; Dec 26, 14 at 10:13 am Reason: unneeded trolling comment deleted
bldr1k is offline  
Reply With Quote
Old Dec 26, 14, 7:58 pm
  #206  
 
Join Date: Feb 2008
Location: CAN, LAX, TPE
Programs: AA, AS, CI, DL, UA
Posts: 2,580
Originally Posted by coolfish1103 View Post
Today I received a promo e-mail from United Mileage Plus partner and saw my miles stated on the e-mail to be short of ~50k miles. Went to check online and there was a hotel redemption for 51,400 miles on Dec. 8 that I do not know of. I checked my e-mail account and had never received an e-mail notice in regards to this redemption.

I called the call center and was directed to e-mail [email protected]. Now I received an e-mail from securitytips that they will contact me in 7-10 days.

Prior to the e-mail, I checked my account and everything was normal except that I am signed up to receive e-mails in Spanish. I changed that back to English and edited my password.

Now to cross my fingers that I will get my miles back...
Update on the situation.

Someone responded to my request within 2 hours and my miles was refunded (very fast consider it's holiday season). I was required to change PIN (basically had to set up one) and update security question after verifying my account profile.
coolfish1103 is offline  
Reply With Quote
Old Dec 28, 14, 11:46 pm
  #207  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Gold 1.85MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Gold
Posts: 46,831
Moderator Note

In http://www.flyertalk.com/forum/unite...ec-2014-a.html there is discussion of a security breach of a 3rd party that UA seems to believe may lead to inappropriate access to UA accounts via the username method of logging into united.com. Let's follow the breach and log-in changes in the above thread. {Posts on the username log-in change have been moved from here to there.}
A separate(?) "access denied" issue is covered in http://www.flyertalk.com/forum/unite...wn-thread.html

Let's use this thread to follow reports of accounts that actually are hacked / improperly accessed.

WineCountryUA
UA coModerator

Last edited by WineCountryUA; Dec 29, 14 at 10:42 am
WineCountryUA is offline  
Reply With Quote
Old Jan 13, 15, 8:16 pm
  #208  
 
Join Date: Jan 2004
Location: New York NY
Programs: UA Gold, CO Plat, CO Million Miler
Posts: 2,499
Interesting call from Fraud Protection today

This afternoon I received a call from a very nice gentleman at UA Fraud protection. He asked if I had recently used miles for a hotel in a European city. I asked him where....her told me.....he asked me to check my account to see if there were any unauthorized mileage withdrawals, and yes 34,000 miles had been withdrawn today. He then led me through the steps of changing my user name, password, etc., and immediately credited back the miles. I was extremely impressed that they caught something like this, how quickly they caught it, and how efficiently and quickly they corrected my account.
hughw is offline  
Reply With Quote
Old Jan 13, 15, 8:50 pm
  #209  
 
Join Date: Jun 2011
Location: Colorado
Programs: United Gold (formerly 1K), SPG Lifetime Gold (fomerly Plat)
Posts: 549
They need to disable the darn PIN access feature. How tough is it to guess MP numbers and 4 digit pins.
FlyingNut724 is offline  
Reply With Quote
Old Jan 13, 15, 8:55 pm
  #210  
FlyerTalk Evangelist
 
Join Date: Jun 2003
Location: DEN
Programs: UA MM 1K; AA MM Gold; HHonors Diamond
Posts: 15,332
Originally Posted by FlyingNut724 View Post
They need to disable the darn PIN access feature. How tough is it to guess MP numbers and 4 digit pins.
<sigh>

You get locked out after 3 or 4 unsuccessful login attempts.
Bonehead is offline  
Reply With Quote

Thread Tools
Search this Thread