
Thousands of loyalty accounts belonging to frequent American Airlines and United Airlines travelers have been compromised, with the attackers going as far as booking themselves free trips and upgrades.

On Monday, American Airlines spokeswoman Martha Thomas told The Associated Press that the airline had notified nearly 10,000 affected customers of the incident, which occurred in late December. As a result, certain accounts have been frozen while new accounts are set up.

Additionally, United Airlines spokesman Luke Punzenberger stated that cybercriminals made mileage transactions or booked trips on up to three dozen loyalty program accounts. Punzenberger added that United Airlines plans to restore all stolen miles to the impacted customers.

Thomas and Punzenberger both confirmed that the airlines’ own systems were not breached; instead, the attackers reused login credentials stolen elsewhere to try to take over the accounts of American’s AAdvantage and United’s MileagePlus members. Other information, such as full credit-card numbers, was not exposed.
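The attack Thomas and Punzenberger describe is credential stuffing: username and password pairs leaked from other sites are replayed against the loyalty login, and the accounts whose owners reused a password are the ones that open. As an added example that is not from the article or from either airline, the Python below scans a constructed sample of login events and flags source addresses that cycle through many distinct accounts with mostly failed attempts, then lists the accounts those addresses got into. The log format, the IP addresses and the thresholds (ten distinct accounts within five minutes, at most 25% success) are assumptions chosen for illustration.

```python
"""Credential-stuffing detector run over a constructed sample of login events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real airline data. Each line is
# "timestamp ip username outcome". 198.51.100.9 is one traveler who mistypes a
# password twice; 203.0.113.7 walks a leaked credential list through 25 different
# accounts in under a minute and gets into two of them.
SAMPLE_LOG = "\n".join(
    [
        "2014-12-28T03:00:00Z 198.51.100.9 dana FAIL",
        "2014-12-28T03:00:20Z 198.51.100.9 dana FAIL",
        "2014-12-28T03:00:45Z 198.51.100.9 dana OK",
    ]
    + [
        f"2014-12-28T03:01:{i:02d}Z 203.0.113.7 user{i:02d} {'OK' if i in (4, 17) else 'FAIL'}"
        for i in range(25)
    ]
)


def parse_events(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=10, max_success_rate=0.25):
    """Flag source IPs that try many distinct accounts in a short window with mostly failures.

    Returns {ip: {"accounts": n, "attempts": n, "compromised": set_of_usernames}}.
    A single user retrying their own password never reaches min_accounts, so the
    legitimate failures in the sample are not flagged.
    """
    recent = defaultdict(deque)  # ip -> events still inside the sliding window
    flagged = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if len(users) >= min_accounts and successes / len(q) <= max_success_rate:
            entry = flagged.setdefault(ip, {"accounts": 0, "attempts": 0, "compromised": set()})
            entry["accounts"] = max(entry["accounts"], len(users))
            entry["attempts"] = max(entry["attempts"], len(q))
            # Any success from a flagged source inside the window is a likely takeover.
            entry["compromised"].update(u for _, u, s in q if s)
    return flagged


def accounts_to_freeze(flagged):
    """Sorted list of accounts that a flagged source successfully logged into."""
    return sorted(set().union(*(v["compromised"] for v in flagged.values())) if flagged else [])


if __name__ == "__main__":
    found = detect_stuffing(parse_events(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info['accounts']} accounts, {info['attempts']} attempts, "
              f"compromised={sorted(info['compromised'])}")
    print("freeze:", accounts_to_freeze(found))
```

The per-IP view is deliberately the cheap signal: it needs nothing but the authentication log and catches the single-source pattern in the sample. Stuffing tools spread attempts across proxy pools precisely to stay under such thresholds, so a production detector would also track per-account signals such as a success from a country the member has never logged in from, and would still be no substitute for the second factor that Westin notes these sites lack.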

The incident has since been referred to the FBI, said Thomas.

“Air miles and loyalty programs are low-hanging fruit for hackers,” commented Tripwire security analyst Ken Westin.

“Although air miles and points can be used as a form of currency to purchase trips, hotel stays and other goods and services, they generally lack the security controls you would usually see with traditional forms of currency, such as with credit card transactions.”

Westin adds that most of the websites for accessing these accounts have had woefully inadequate security, with improper password policies and no two-factor authentication option.

“The fact that these miles and points can be traded in underground markets in exchange for bitcoin or other forms of cryptocurrency – paired with the lax security to gain access to the accounts – creates a perfect opportunity for the enterprising hacker to generate income from their exploits,” said Westin.

Last year, a similar breach impacted millions of Hilton HHonors customers after their rewards points were stolen and sold online by scammers for gift cards and other goods.

  • Annoyed

    I don't know what's more annoying, the fact that the accounts have been compromised, or the fact that neither American Airlines nor US Airways have a contingency plan for their loyal customers. My travels, plans and accounts are all screwed up and all I get from customer service is, "Sorry there's nothing we can do about this right now. You will just have to wait (indefinitely). Don't know how long."

    Worst airlines in terms of customer service! Worst. Period.

  • Michael Scheidell, CCISO

    They should have done something in June:
    United Airways® Insecure Transmission of User Credentials

    Severity: Critical
    Category: Information Disclosure
    Author: Michael Scheidell, CCISO – Managing Director, Security Privateers
    Original Public Release Date: June 30th, 2014.
    Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF)
    Notifications: April 31, 2014 (Miami ECTF Forwarded to USSS, DHS and Chicago ECTF)
    Notifications: May 5th, 2014. Update sent to MECTF and
    Revision Date: July 11, 2014
    Reason for Revision: Added information on date vulnerable from