Skip to content
American airlines plane. Image courtesy of anderm/Shutterstock.
Naked Security Naked Security

Thieves hijack miles from American and United Airlines accounts

Usernames and passwords stolen from a third party were used to book free trips or upgrades on American and United Airlines: yet another sad tale of password reuse!

American airlines plane. Image courtesy of anderm/Shutterstock.Crooks with stolen usernames and passwords have broken into customer accounts at United and American Airlines and gotten away with booking free trips or upgrades.

United Airlines says that “unknown and unauthorized parties” tried to get at its customers MileagePlus accounts by reusing logins they got from third parties that are valid for sites that are unrelated to the airline.

The thieves were able to make mileage transactions on what United believes were fewer than 3 dozen accounts, out of a total of 95 million accounts, spokesman Luke Punzenberger said on Thursday.

United notified customers about the fraud in late December. Punzenberger said the airline is restoring miles to all drained accounts.

The Associated Press reported on Monday that 10,000 customer accounts at American Airlines were similarly compromised.

An American Airlines spokeswoman, Martha Thomas, told the AP that the airline has frozen some accounts while it works with customers to set up new ones, starting with customers who have at least 100,000 miles.

So far, American has discovered two cases in which somebody booked a free trip or upgrade without the account holder’s knowledge.

American plans to pay for a year’s worth of credit-watch service from Experian for affected customers.

Both airlines stressed that their own systems hadn’t been breached. Rather, the usernames and passwords came from some other, undetermined source, and the perpetrators used the logins to see if they’d work with American’s AAdvantage and United’s MileagePlus accounts.

Unfortunately, because of password reuse, they were successful in getting into, and siphoning miles out of, some of those accounts.

No other information, such as credit card or tax ID numbers, was exposed.

Punzenberger said that United has begun requiring all customers to also enter their MileagePlus number when logging in.

That’s a smart move. Monitoring loyalty programs and requiring additional information to prove that users are legitimate account holders can make it tougher for criminals to plug in credentials they’ve ripped off from other sites.

Of course, we can help companies like these to lock down our accounts by always, always using a unique set of credentials for every site.

As it is, pilfered logins are scattered all over the internet’s darker corners, publicly posted onto “paste” sites.

In October, for example, it emerged that thousands of Dropbox logins had been stolen from a third-party service.

Crooks will often try to increase their bounty by testing out the credentials they’ve captured on other websites.

If users have reused their passwords on sites like Twitter and Facebook, the crooks can access those accounts, too, and either exploit or sell them.

Or, of course, try them out to see if they can book a free trip using somebody else’s miles!

Facebook, for one, is actually keeping an eye out for this kind of reuse, scouring the web for reused password/username combinations that match those of its users (no worries: it’s not peering at our plain text passwords; rather, it’s comparing the salted hashes that result after it runs the credentials through its algorithm).

That’s a good, proactive step, but it doesn’t mean we can relax and reuse passwords.

Facebook’s protecting its users’ accounts from being hijacked, but that’s certainly not going to stop a crook from reusing stolen credentials on whatever other sites they’re being used on: a Gmail account? A bank account? Twitter? American Airlines? United Airlines? All of the above?

With password reuse, a thief who gets hold of one set of credentials has gotten hold of all the accounts.

To lock down all of our accounts, we all should be following the simple rule: One Site, One Password.

And, of course, each of those passwords need to be strong.

To hear more password rules and regulations, including a drill-down on password reuse, check out this Sophos Techknow podcast, Busting Password Myths.

Image of American Airlines plane courtesy of anderm /


“American plans to pay for a year’s worth of credit-watch service from Experian for affected customers.”
Judging from the amount of spam I receive for my experian address, signing identity theft victims up for Experian services is like ‘helping’ a person with the flu by sending them to the hospital’s ebola ward.


Shouldn’t it be pretty easy to catch the thieves? Once the airline identifies which accounts used the stolen miles, the thieves would need to present ID and physically show up to take their flights. Perhaps they found out about it long after the miles had been used.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!