Not only was my AA account hacked three times in the last week, but with a bit of research, I discovered that the hacker was looking to sell the stolen AA (and SPG) details on the web. It all started with the following emails on Saturday:
The first email notified me that personal details such as my address and phone number were changed. Minutes later, the second message confirmed an email address change. I tried logging into my account and of course the password had been changed. As instructed, I immediately called AA.com web services, which was a complete waste of time. The agent didn’t know what I meant by a hacked account and offered to change my password. However, when she could not verify my information (because it had all been changed), she had to connect me to AAdvantage customer service.
Customer service informed me that their normal operating procedure is to simply reset the password, allowing access to change back my account details as well as create a new strong password (my previous password was strong but used on other sites like gmail). I questioned whether this was the best approach as the hacker would receive an automated email with my new email address (like the email I received above). While they wouldn’t know my new password, they could reset the account if they stored my previous address information. AA customer service insisted that this was the best first step and that we should not yet create a new account. OK…
Three days later I received the following email:
As expected, the account was once again hacked, though this time a different email address was stored. I used a strong password generator which created a highly complex password, but evidently not complex enough since the hacker already knew my account#/email address. The hacker unsubscribed me from all emails and subscribed to paper statements instead. I once again had to start with AA web services as customer service was closed. This agent was clueless; she could not understand why I could not verify the address or phone number on the account. I tried explaining that it was because it had just been changed by a hacker and that the verification email told me to contact her department if this was not authorized. I got nowhere and asked for a supervisor. The supervisor told me the same thing: he could not lock down the account as I could not verify that I was the authorized user. Instead, he told me to wait until customer service opened in the morning. In the meantime, if there were any fraudulent redemptions or transfers, I was told that procedures were in place to reverse them after the fact. Frustrating!
This morning I called AA customer service who immediately created a new account. The ridiculous thing is that they first needed to change the email address on the old account back to my actual address in order to match the new one. This would once again provide the hacker my new email address as he/she would receive notification of the change. Since you can log in via an email address, it’s almost like you are providing them with intel to hack your new account. As such, I created a fake address and then changed it once the account was set up. All activity and upgrades were transferred to the new account within an hour. No redemptions were attempted during either of the hacks.
I did some googling using the hacker’s email address and found this bulletin board posting where he/she is soliciting sellers of stolen AA and SPG miles and points:
Hey i need a good contact/hacker that sells airline miles, starwood points,heloc profiles home equity loans of credit from wells fargo and fullz profiles 750 and better with the driver license dont care if its different vendors
Pretty scary stuff! AA was not worried about my data protection as they told me that only the last four digits of my credit card were visible. I noted that my address, birthdate, known traveler ID, and phone number were also viewable. This wasn’t alarming for them; one agent asked why I was concerned since no SSN or credit card data was available to the third party.
AA clearly needs to put some better procedures in place for account hacks. The department you are instructed to contact is unable to provide any meaningful assistance. On top of that, the security precautions taken after customer notification make no sense at all, and their lackadaisical attitude about privacy protection is downright scary.