Wow, sorry to hear that. And I had no idea they didn't care to that degree. That is very sad.

I have a personal shredder at home and nothing goes in the garbage with identifying info, even if just my address, unless it has been shredded. Decent ones only cost $79 at lots of stores. Can get cheaper ones but they aren't very good.

Edit to add: And make sure your shredder is a crosscut one that basically turns papers into mincemeat. DON"T get one that just cuts paper into strips.

Moderator caution
 

Let's stay on the topic of hacking or protecting UA M+ accounts. Unduly personalized arguments between members have been deleted. Thanks, Ocn Vw 1K, Moderator.

Posting this pic of the new partially obstructed MP number design again, without the personalization:

http://gallery.flyertalk.com/gallery...mage.sized.jpg

(I will not post a pic of the entire BP. If folks don't believe me, so be it.)

I don't think this is true. I am pmUA and at the merger continued to use my former password with my new MP #. No problems with that, it seems. The same goes for Mrs 1P.

Neither of us has ever had a PIN. The website asks me from time to time to set up a PIN, and I have always ignored it, so as far as I am concerned (and I think UA too) I just don't have a PIN at all. If I do unknowingly have one, I have no idea what it is. Same thing when I access Mrs 1P's account: it asks me to set up a PIN and I just ignore it.

If your account came from the pmUA side and you never setup a PIN, you don't have one. I don't know what consequences it will cause but I seem to remember hearing you will be asked for it under some calls for award flights. I am trying to remember but was quite a while ago so the cobwebs may be making my memory fuzzy on it so hopefully someone can confirm or correct. But for basic online stuff you don't need a PIN.

I've been asked for my 4-digit PIN over the phone when applying RPUs, GPUs, and Star Alliance upgrades.

I wonder if that might actually be worse -- if there's no PIN set up, when you (or a crook) calls in the agent may just use other (less secure) ways to try to identify you (e.g. "What's your mother's maiden name" isn't as useful for my kids, as my wife kept her name and many people know it).

As far as I can tell, you can log in today with any combination of:

Username OR email OR new MP ID OR pmUA MP #
AND
Password OR PIN

That's a lot of information that may me easier or harder to find, depending. It would be more secure to allow people to restrict those to the one they actually use.

Add me to the list. Found this thread and created an account to add to it because my account was hacked too.

I don't fly much anymore, so I'm not checking my account on a regular basis. In 3 transaction from early November to mid December, someone cleared my account of over 350,000 miles. Just discovered it today. 3 separate transactions for "Mileageplus Merchandise Redemption". I don't have any idea what merchandise they got as the links are clickable.

Called United (got through to a live person quickly, surprisingly) and she wasn't able to really do much for me, but told me to send an email with the details to [email protected] and they'd get back to me in 7-10 days. I'll update with any updates.

If anyone has any other suggestions on what type of follow up I should be doing, let me know. I haven't gotten any response (not even a "hey, we got your email") yet.

I have changed my password & pin, for whatever good that does. Also changed passwords on a lot of other accounts that I have just to be safe.

I was just looking at my BPs for the last month and found several printed at the following stations (looking at the top right hand corner):

BWI
ORD
LGA
EWR

http://www.flyertalk.com/forum/membe...0-img-0860.jpg

I really appreciate you taking the time to post these. [Moderator edit per Post 62, above.]

So, an update to this:

• $6000 has been refunded for the 3x revenue tickets purchased on my CC.
• The taxes/fees for the award tickets totaling $230 have not been refunded yet.
• The miles for the hotel redemption have not yet been refunded.
• My GPUs/RPUs have not been refunded (I thought they can re-deposit these immediately?)

Will call up Manila on Friday and see what's going on. I'd really hate to have to cancel my company CC in the middle of a trip and charge all my expenses to my personal CSP :D

Glad to hear progress. Personally, I would cancel the credit card anyway (or at the very least, check it like a hawk for any other charges aside from UA related). I'm curious- was the credit card reimbursement a credit card fraud contest, or UA refunding the money? If credit card, I would contest the charges on the award ticket taxes as well (if you haven't already).

Not surprising that it's the UA part which is taking the most time. Credit card companies are used to fraud and know they need to refund legally and contractually. Any refund on UA tends to take time (and aggressive follow up sometimes).

GPUs CAN be refunded literally immediately (often while still on the phone) under normal circumstances such as not clearing, though in my experience, the clock only starts when calling them. Were the GPU's already used or still pending? If already used, I could see a delay while they look into the details, but otherwise I would keep calling until they are back (I only hope the fraud department has some clue as to how to redeposit them).

As others have noted, this is incredibly ballsy. Were the flights originating in the US? Did they have a name etc... associated with them? I would think the FBI would be interested in this, as it is likely interstate (if not international) fraud at a bare minimum.

Every M+ account still has a pin. So a thief can use your pin, whatever it is, even if you unaware of it, to log in. And the pin is needed when using the phone agents.

I stopped using my password in March 2012 when it was apparent that booking online using a password meant that bookings would never ticket.

The only recourse is to log in several times a day to united.com until one has burned all their miles.

That's one I've never heard before.

The problem was I noticed this on the 30th of December, and I was leaving on the 2nd for a trip (currently in FLL). I wouldn't get a replacement card in time and I wouldn't have my corporate card to use for this trip. I didn't want to go through the whole rigmarole of using my personal card for my expenses (as much as I'd love to get the points), and didn't want to have to get reemed from my job for not using the corporate card.

Either way, I called the CC agents up and they put a note on my account just in case. I can call up and list the charges as fraud, but then they'd have to close the account and whatnot. I don't see it being a real fraud issue with the card as .bomb only stores the last 4 digits of the card anyway and it is now deleted from my stored cards.

I will have to call up on Friday to follow up with the open items and GPUs/RPUs. They used the for domestic flights as well as for international flights (to/from HKG). The fraud agent was a Manila call center rep who had done reservations and whatnot before, so she was familiar with shares.

Not sure if UA will follow up regarding this, but I honestly couldn't really be bothered as long as I get all my $$ and miles back.