Frequent flyers take note: thieves managed to hack into and steal miles from customer-reward accounts connected to both United and American Airlines. The actual thefts took place sometime in late December, but only made headlines this week.
The United and American hackings were similar to last year's well-publicized “hackings” of StubHub and Dropbox, in the sense that, technically, they were not hackings at all: thieves never managed to access the companies' actual servers or databases. What thieves did manage to do was steal passwords and login information from individual customers' other accounts.
If you know anything about online security, you've surely heard the advice “Don't use the same password or login credentials across multiple accounts,” because when a hacker manages to successfully steal a password from one account, he'll test to see if it works elsewhere.
Suppose, for example, you've registered with a chat forum to discuss your favorite musician or hobby, share child-rearing tips, or talk about any other topic you find interesting. And suppose you ignored, or simply didn't know, certain basic password-safety rules, so that you used the same password to log in to both Chatroom.com and your frequent flyer airline miles account.
Then, some hackers managed to breach Chatroom.com security and steal all the passwords. There's a good chance that this happened without anyone at Chatroom.com even realizing it. The actual Chatroom passwords are probably worthless to thieves – there's little-to-no money to be made from breaking into a small, casual discussion forum shared by a few friends or fellow hobbyists – but there is money to be made if an individual Chatroom member's password also grants access to that individual's bank account, StubHub account – or frequent flyer account.
That's probably how various United and American customers had their bonus miles stolen. A spokesperson for American Airlines told the Associated Press on Monday that roughly 10,000 customers' accounts were affected.
American and United both say they plan to restore lost miles to affected accounts, and in the meantime all compromised accounts have been frozen. If you have an American or United account, even if (or especially if) you haven't used it in a while, check your account status to see if you've been affected.
Meanwhile, whether you have frequent flyer miles with an airline or not: remember to make sure that every password-protected account you have has its own unique password. At the very least, make sure all of your financial accounts have their own unique passwords: your credit or debit cards, savings or investment accounts, frequent-flyer miles or hotel rewards programs – in other words, anything worth actual money. A hacker pretending to be you on Chatroom.com can make some stupid or offensive posts in your name; a hacker pretending to be you at your bank or frequent-flyer account can clean you out.