Thieves Pop Open United Rewards Accounts Using Stolen Passwords


Fraudulent transactions appeared on three dozen Mileage Plus loyalty accounts belonging to United Airlines passengers, after hackers obtained login credentials through a third party. The login data was not encrypted.

The program has about 95 million participants.

The user credentials were not acquired by breaching United systems. And the airline was not the only company that saw hackers use the credentials to try accessing accounts.

“Hackers often try to see if login credentials stolen from one Web service will work on another one,” according to Network World.

United said in an advisory that Mileage Plus numbers, account balances and Premier status were exposed and possibly mailing addresses.

“The last four digits of a credit card number may have been exposed if a customer had a card number included in their Mileage Plus profile,” Network World reports. The rest of the digits were masked.

Loyalty card programs in the travel industry are of high value to cyber crooks because compromised accounts are easy to cash out. For example, United’s MileagePlus program lets customers use accumulated miles for air travel, rental cars, dining and shopping.

The incident was reported last week to California’s Office of the Attorney General.