My AAdvantage Account was Hacked Multiple Times this Week! Scary Stuff & AA No Help!

Not only was my AA account hacked three times in the last week, but with a bit of research, I discovered that the hacker was looking to sell the stolen AA (and SPG) details on the web. It all started with the following emails on Saturday:

[Images AA1 and AA2: the two notification emails]

The first email notified me that personal details such as my address and phone number were changed. Minutes later, the second message confirmed an email address change. I tried logging into my account and of course the password had been changed. As instructed, I immediately called AA.com web services, which was a complete waste of time. The agent didn’t know what I meant by a hacked account and offered to change my password. However, when she could not verify my information (because it had all been changed), she had to connect me to AAdvantage customer service.

Customer service informed me that their normal operating procedure is to simply reset the password, allowing access to change back my account details as well as create a new strong password (my previous password was strong but used on other sites like gmail). I questioned whether this was the best approach as the hacker would receive an automated email with my new email address (like the email I received above). While they wouldn’t know my new password, they could reset the account if they stored my previous address information. AA customer service insisted that this was the best first step and that we should not yet create a new account. OK…

Three days later I received the following email:

[Image AA3: the third notification email]

As expected, the account was once again hacked, though this time a different email address was stored. I used a strong password generator which created a highly complex password, but evidently not complex enough, since the hacker already knew my account number and email address. The hacker unsubscribed me from all emails and subscribed to paper statements instead. I once again had to start with AA web services, as customer service was closed. This agent was clueless; she could not understand why I could not verify the address or phone number on the account. I tried explaining that it was because it had just been changed by a hacker and that the verification email told me to contact her department if this was not authorized. I got nowhere and asked for a supervisor. The supervisor told me the same thing: he could not lock down the account as I could not verify that I was the authorized user. Instead, he told me to wait until customer service opened in the morning. In the meantime, if there were any fraudulent redemptions or transfers, I was told that procedures were in place to reverse them after the fact. Frustrating!

This morning I called AA customer service who immediately created a new account. The ridiculous thing is that they first needed to change the email address on the old account back to my actual address in order to match the new one. This would once again provide the hacker my new email address as he/she would receive notification of the change. Since you can log in via an email address, it’s almost like you are providing them with intel to hack your new account. As such, I created a fake address and then changed it once the account was set up. All activity and upgrades were transferred to the new account within an hour. No redemptions were attempted during either of the hacks.
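The failure described above is a recovery flow whose change notifications go to the contact address already on file (the attacker's, after a takeover) and disclose the new address in the process, and whose notices can be switched off by unsubscribing. The Python model below is an added example, not AA's code or the author's; it contrasts that design with one that notifies the prior address without revealing the new one, offers a single-use, time-limited revert link only when the account has not already been reported compromised, and sends security notices regardless of marketing opt-outs. The Account class, the in-memory inbox, the example addresses and the 72-hour hold window are all hypothetical.

```python
"""Two designs for a contact-email change on a loyalty account (hypothetical model)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed in-memory mail server: address -> list of (subject, body).
Inbox = Dict[str, List[Tuple[str, str]]]


@dataclass
class Account:
    number: str
    email: str                       # contact address, which is also a login identifier
    marketing_opt_out: bool = False  # the attacker in the post unsubscribed the victim
    reported_compromised: bool = False
    # revert token -> (previous email, new email, expiry as epoch seconds)
    pending: Dict[str, Tuple[str, str, float]] = field(default_factory=dict)


def send(inbox: Inbox, to: str, subject: str, body: str) -> None:
    inbox.setdefault(to, []).append((subject, body))


def disclosed(inbox: Inbox, to: str, needle: str) -> bool:
    """True if any mail delivered to `to` contains `needle` (a new address, a token, ...)."""
    return any(needle in body for _, body in inbox.get(to, []))


def change_email_weak(acct: Account, new_email: str, inbox: Inbox) -> None:
    """Weak flow: apply at once and tell the OLD address what the NEW address is.

    After a takeover the old address is the attacker's, so the notice hands them the
    victim's new login identifier; and the notice is tied to marketing preferences.
    """
    old, acct.email = acct.email, new_email
    if not acct.marketing_opt_out:  # suppressed if the attacker unsubscribed the account
        send(inbox, old, "Email address changed",
             f"Account {acct.number}: contact email changed from {old} to {new_email}.")
    send(inbox, new_email, "Email address changed", "Your contact email was updated.")


def change_email_hardened(acct: Account, new_email: str, inbox: Inbox, *,
                          hold_seconds: int = 72 * 3600,
                          now: Optional[float] = None) -> Optional[str]:
    """Hardened flow: the prior address learns only that *a* change happened.

    Security notices ignore the marketing opt-out. A revert link is issued only when the
    prior address is still trusted; after a reported takeover it is presumed hostile and
    gets a bare notice. Returns the revert token (mailed as a link), or None.
    """
    now = time.time() if now is None else now
    old, acct.email = acct.email, new_email
    send(inbox, new_email, "Confirm your new contact email", "Reply to confirm this address.")
    if acct.reported_compromised:
        send(inbox, old, "Security notice",
             f"Account {acct.number}: contact details were updated by customer service.")
        return None
    token = secrets.token_urlsafe(16)
    acct.pending[token] = (old, new_email, now + hold_seconds)
    send(inbox, old, "Security notice: contact email change",
         f"Account {acct.number}: a request to change the contact email was made. "
         f"If this was not you, revert it within {hold_seconds // 3600} hours: "
         f"/revert?token={token}")
    return token


def revert(acct: Account, token: str, now: Optional[float] = None) -> bool:
    """Undo a staged change. Tokens are single-use and expire with the hold window."""
    now = time.time() if now is None else now
    entry = acct.pending.pop(token, None)
    if entry is None:
        return False
    old, _new, expiry = entry
    if now > expiry:
        return False
    acct.email = old
    return True


if __name__ == "__main__":
    inbox: Inbox = {}
    victim = Account("AA-0000001", "attacker@example.invalid", reported_compromised=True)
    change_email_weak(victim, "owner-new@example.invalid", inbox)
    print("weak flow leaks new address:",
          disclosed(inbox, "attacker@example.invalid", "owner-new@example.invalid"))
    inbox = {}
    victim.email = "attacker@example.invalid"
    change_email_hardened(victim, "owner-new@example.invalid", inbox)
    print("hardened flow leaks new address:",
          disclosed(inbox, "attacker@example.invalid", "owner-new@example.invalid"))
```

The revert link is deliberately withheld once the owner has reported a takeover: a revert sent to the prior address is a protection when that address belongs to the owner, and an undo button for the attacker when it does not.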

I did some googling using the hacker’s email address and found this bulletin board posting where he/she is soliciting sellers of stolen AA and SPG miles and points:

[Image AA4: the bulletin board posting, transcribed below]

Hey i need a good contact/hacker that sells airline miles, starwood points,heloc profiles home equity loans of credit from wells fargo and fullz profiles 750 and better with the driver license dont care if its different vendors

Pretty scary stuff! AA was not worried about my data protection, as they told me that only the last four digits of my credit card were visible. I noted that my address, birthdate, known traveler ID, and phone number were also viewable. This wasn’t alarming to them; one agent asked why I was concerned since no SSN or credit card data was available to the third party.

AA clearly needs to put some better procedures in place for account hacks. The department you are instructed to contact is unable to provide any meaningful assistance. On top of that, the security precautions taken after customer notification make no sense at all, and their lackadaisical attitude about privacy protection is downright scary.

Pingbacks

  1. […] I had a similar incident last year and American was not much help.  My account was being targeted by an aggressive hacker – each time I would regain access and use a strong system generated password, the hacker would once again somehow get back into the account.  The only way to eventually stop the cycle was to create a new account and move my miles and status over. I did my own investigation and found that the hacker was trying to sell the miles online…crazy! See – My AAdvantage Account was Hacked Multiple Times this Week! Scary Stuff & AA No Help! […]

Comments

  1. Yes, US Air (dba AA) has turned a once great carrier into one that often finds ways to race to the bottom. Last month I noticed that my Citibank AA credit card 10% rebate on redeemed miles didn’t post.
    I called AA and they told me to contact Citibank. I did, and was told they would have resolution in 30 days. A week later I received a letter which stated that they do not know when miles are redeemed, so I need to contact AA.
    Best way to deal with being in between finger pointing? Cut up the card and not fly AA anymore. Problem solved! (they can keep the 10k miles I should have received)

  2. That is crazy! Curious if they end up contacting you to address concerns that you raised in this blog. What about everyone else when this happens to them?

    • @Eric – No contact from AA. It seems everyone else is put through the same process – change your password and email (but the hacker receives an email with your new email address). If that doesn’t work, then they create a new account – again providing your email address. It’s sort of crazy in this day and age.

  3. Do you have any idea how it happened? Was your AA password the same (or similar) as any other p/w that you use? AA only allows 12-digit passwords, which is pretty weak to begin with.

    • @Richard – It was shared with my gmail account (the only non-gmail account that had the same password) but that account was not hacked (as far as I know). Both have new strong passwords now using the strong password generator. What surprises me is that they were able to hack my account a second time with an extremely strong password (despite the 12-digit limit). Granted, as I mentioned in the post, they already had a leg up knowing the account # and email address.

  4. Sorry to hear you were hacked. I think the idea of using an email as the userid is terrible. When AA did that, I phoned them, told them that was flawed security, and asked that they disable that feature on my account. No luck there.

    • @vg – Agreed, horrible idea but what’s even worse is the way they restore account access by sending out your new credentials to the hacker!
