United also hit by fraud as thieves use stolen credentials to buy travel, upgrades
American Airlines and United Airlines have confirmed that numerous user accounts on both airlines were hijacked in late December, with the thieves in some cases taking advantage of user credits to book free trips or upgrades.
The incidents were not the result of hacks on the airlines own systems – the thieves obtained user credentials such as usernames and passwords elsewhere, the companies said. The airlines warned customers against using the same passwords on multiple websites.
10,000 accounts compromised
American said that about 10,000 accounts were compromised, with two used to book free travel or an upgrade. United said up to three dozen accounts were compromised. American said it began notifying customers of the incidents by email on Monday, while United said it notified customers in late December.
The incidents involve frequent-flyer accounts, which allow users to make purchases using accumulated air miles. United said it would restore miles to affected users. American said it would pay for one year’s credit-watch service for custoemers involved in the incidents.
American said some accounts have been suspended while new accounts are set up, beginning with customers who have at least 100,000 miles. The company said it has notified the FBI of the matter.
The airlines said they monitor user accounts for unusual activity and may require users to enter additional information if a transaction seems suspicious. United said it has begun requiring customers to enter their rewards programme number when logging in.
Are you a security pro? Try our quiz!