British Airways Loyalty Accounts Hacked

The airline has confirmed that tens of thousands of user accounts were accessed by hackers using credentials from other websites

British Airways has confirmed that tens of thousands of frequent-flyer accounts were accessed in what appears to have been a hack by an automated computer program.

The company said no personal information seems to have been accessed in the hack, and said it has locked the affected accounts while it carries out an investigation. The lock-down means customers might not be able to use their points until the issue is resolved.

‘Unauthorised activity’

British Airways Heathrow © Kenneth IwelumoThe company said on Sunday it expected the system to be reactivated within the next day or two.

“British Airways has become aware of some unauthorised activity in relation to a small number of frequent-flyer executive club accounts,” the company said in a statement. “We would like to reassure customers that at this stage we are not aware of any access to any subsequent information pages within accounts, including travel histories or payment-card details.”

BA said the hack seems to have been carried out by “a third party using information obtained elsewhere on the internet, via an automated process”.

Beginning on Friday users reported seeing that their accounts had been emptied of frequent-flyer points, which appears to have been an effect of BA’s account lockdown. Affected users received an email message from BA informing them of the incident and telling them that their password had been reset.

Third-party hack

In some messages, BA said it believes the information used in the hack was a database of usernames and passwords obtained from a hack on another site, and used by an automated system testing whether the credentials were valid on BA’s system, presumably as well as many other websites.

The hack seems to have used “login information relating to a different online service which you may have also used to access your Executive Club account”, BA said in one customer email.

“From the sound of things, the attackers managed to get hold of a database of usernames and passwords and then threw it at the British Airways Executive Club website to see if they would also unlock accounts there,” said security expert Graham Cluley in an advisory.

Cluley noted that a similar technique was used in recent hacks on Starwood Hotels’ Preferred Guest loyalty programme and Hilton’s HHonours.

“As I’ve said many times before, you should never use the same password for multiple websites,” he wrote.

Are you a security pro? Try our quiz!