My American Airlines AAdvantage account was hacked.

note from Andy: I don’t really have the energy to “prose” this post up very much, so I’m just going to give you a minute-by-minute accounting of what I did, what the hackers did, and what American did on my behalf.

On Thursday night I was leaving my company’s Christmas party and, while sitting in my car in the venue parking lot, unlocked my phone, which refreshes my email.  When it pulled in my emails I saw a very curious one pop up.

After reading the email and realizing it was neither spam nor a phishing attempt, my heart sank.  My AAdvantage account was compromised.  Someone had gained access to my account and, in an effort to mask it and hoping neither I nor American would notice, had added a few digits to the end of my email address.

Timeline of the hack and the fraudulent award bookings

  • 10:42pm CST: Hacker gains access to my account and changes the email address.  American sends email to the old address and the new one
  • 10:51pm CST: I receive email that my email address was updated
  • 10:52pm CST: I realized what was happening and immediately called the AAdvantage Executive Platinum Desk, where I had to wait for an agent (there was weather in DFW, which I assume caused some delays)
  • 10:52pm CST: I happened to still be logged in to the American Airlines app on my phone, so I scrolled down to my account settings and, surprisingly, had no issues changing the email back to my original one and resetting my password to a much stronger one
  • 10:53pm CST: When I refreshed my app, I noticed 71,600 miles were missing
  • 10:59pm CST: I began speaking to an agent on the EXP desk.  I frantically told her what was happening and she immediately placed me on hold to speak to her supervisors.  She came back after a long hold and said she was seeing what I was seeing and that she had reported the account as compromised (I’m not really sure how she did this or what she did behind the scenes).  She then said, and this was so hard to hear, that she couldn’t really do anything else for me and that I needed to wait until AAdvantage Customer Service opened the next day at 8am CST.  I could not fathom that the largest airline in the world did not have any emergency plan for situations like this and (I hope respectfully) told her as much.  While she and I were speaking I happened to refresh my app again and saw that another 66,900 miles had just been pulled from my account.  This was an active hack.  She saw it too, gasped, and put me on another hold

Let me pause briefly here.  I was frustrated and felt violated and the EXP agent was frustrated for me and was as comforting as she could be, coming back on the line every five minutes or so to let me know that she was still working on things internally for me while I endured lengthy holds.  I commend her for not only her skill of making the right internal people aware of what was happening but for her empathy with me.  Her immense compassion and kindness embodied the best of American Airlines customer service during a tough situation.

  • 12:13am CST: After an hour on the phone the agent gave me the news: she had done everything she could do, as had her supervisors, but, at this point, I would need to wait until 8am CST for AAdvantage Customer Service to open for further instructions.  I knew she did everything she could but was sad that this is what it came to

What I did until AAdvantage Customer Service opened 8 hours later

I was livid that the largest airline in the world, fresh off 5 years of record profits, seemingly couldn’t help me until 8 hours later (I was wrong about this, which I’ll get to in a minute).  At that point, however, I had bigger fish to fry.  I tried to think like a hacker and guess what their next move would be, as changing my email address back to my own and changing the password on my AAdvantage account had seemed to stop them in their tracks for the moment.  They couldn’t make bookings with my miles anymore but they had seen quite a bit of my personal information, including my personal cell phone, my personal address, my date of birth, and my emergency contact information (including their cell phone).  I had work to do.

  • The first thing I did was call (and wake up) my emergency contact to let them know what had happened and to let them know I hadn’t been in a car wreck or arrested or anything like that, in case the hacker would try to impersonate someone and try to scam them out of some money by creating some false emergency
  • The next thing I did was put fraud alerts on all of my credit accounts with the three credit bureaus (this was actually super easy, as submitting a fraud alert with one bureau will automatically notify the other two).  With my name, address, and date of birth I was concerned someone could put that information on a fake driver’s license and attempt to rent cars in my name or cross-reference that data to someplace on the dark web (where I’m sure my social security number has been exposed because honestly probably all of ours have been exposed) and then apply for credit accounts in my name
  • I sent Facebook messages to a few key people who know higher-ups at American Airlines and also posted about this in an Executive Platinum Facebook group to see if anyone could help.  I also sent a text message to one of my main contacts at American to see if they were awake and could help

And then I waited.  There was nothing else I could do.  I felt helpless.  But then I got my first data point.

At 3:25am CST I received the usual ‘Your recent award redemption’ email from American, which they send after you make an award booking.  On it, I finally had the name of a suspect.  (I did not recognize the name; it was nobody I knew.)

(Yes, I blurred out their name.  I’m an incredibly firm believer in rights of the accused and do not wish to have people, however well-meaning, going looking for these people)

I knew this email was automatically generated a few hours after an award booking (probably by some batch process).  I imagine this is why the hacker changed the email address on my AAdvantage account: so they would receive the confirmation instead of me.  They could then change the email address on my account back to my original one and hope I was none the wiser until I noticed the miles missing, by which time the fraudulent booking would’ve already been used.

As the hours slowly crept by I tried to get some sleep and probably nodded off for 30 minutes or so, but it wasn’t restful sleep since I was so stressed.

And then I realized American WAS working on things behind the scenes

At 7:28am CST I received an email from Corporate Security at American Airlines.  They had received the report, thanks to the hard work of the EXP desk agent the night before, and reviewed the bookings.  Here was the crux of it:

  • My AAdvantage account had been compromised.  There was no use trying to save it.  I needed to create a new AAdvantage account with a different email address (that didn’t resemble my old one) and different security questions
  • In order to get my miles back, I needed to submit a police report to American Corporate Security.  This sounded ridiculous at first but I get why they ask for one, even though it slows down the process

They provided me with the following information:

I had a caseworker and everything.  It was reassuring that I had that information and I was grateful that they were able to get me the information so quickly.

Then AAdvantage Customer Service reopened

When I called in at 8am CST, the EXP number skipped the usual “oooooo-oo-oooo-oo-oooooooo” song and automatically routed my call directly to AAdvantage Customer Service, since my account had been tagged as compromised by that point.  A friendly AAgent picked up the phone and helped me set up a new AAdvantage account and begin the process of merging my old account data into the new one.  At this point, they had done what they were capable of doing and the rest was in the hands of Corporate Security.

Getting a police report

The email from Corporate Security contained not just one but two names of the people in whose name the awards (which turned out to be car/hotel awards) were booked.  I did some online sleuthing and was quickly able to figure out their likely whereabouts and was even able to pull up some lengthy criminal histories for names which matched the suspects.  I’m not sharing their location publicly but I do have some connections in that area and will be getting law enforcement involved.

I live in Dallas, Texas.  DPD has a helpful online information page for filing police reports so I gathered the necessary information and went down to the police headquarters yesterday to file a police report and start the process of getting my miles back.  Since the accused thieves are outside of DPD jurisdiction I knew there was nothing they could do but I at least wanted to get the police report going in order to get my miles back.

Why did I have to get a police report?  Corporate Security asked for one.  Why did they ask for one?  Well, I’m sure there have been people who have falsely claimed their miles were ‘stolen’ in the past just to try and scam American out of miles.  It’s asking a lot, but I get why they’re doing it.

And now? I wait.

I have to wait for the police report and then need to send it over to Corporate Security in order for American to reinstate my miles.  I have no doubts that everything will work out, it’ll just take some time.  I struggle with patience so this will be good practice for me.  I hate that this takes time but I don’t have any upcoming need for my miles so I’m good for now.

Thinking about it, this is the perfect crime

It didn’t work out for this hacker, but I think this is what happened.  The hacker found my email address and a password in some data breach (like Marriott’s).  They tried that password on a variety of sites and found that the email/password combo worked with American.  They then ran a Craigslist ad or something similar for cheap car rentals and hotels (from a burner phone, of course); someone paid the hacker cash, the hacker made award bookings in that person’s name using my miles, and job done.  It would be the recipient of the fraudulent award who gets arrested, not the hacker.

Like I said, I know the names of the people the awards were booked for and I’d like law enforcement to pick them up so we can figure out who actually hacked my account (I have my doubts that it was the people for whom the awards were booked).

Ok so what have we learned from all this?

I’ve written enough for now.  I have some ideas about what American could do to prevent this (which I’m sending in a letter to the executive team) and I’ll write about that in a future post but, for now, I just wanted to get the timeline out there so everyone knew what happened.  As always, try and make sure your passwords are unique from website to website.  Mine wasn’t, and that’s probably how the hack began.  Stay tuned for the next post!

A quick thank you

Thank you to all the readers who reached out privately and asked if there was anything they could do to help.  Having your information exposed and used like this makes a person feel very violated, particularly since travel is so near and dear to my heart.  Your kind words and thoughts really mean a lot to me and helped me find my smile as I’ve worked through all of this.

12 Comments

  1. Why not just cancel the award booking? Wouldn’t that deposit the miles back to your account?

    • I was more concerned with the account access than anything else in that moment.

  2. With so many websites to log in to, it is getting harder and harder to maintain unique passwords for every one, change them regularly, and on top of that remember them. This is further complicated when you are managing accounts for the whole family, including your parents. No wonder cavemen had such a simple life.

    • There are really great tools for individuals and families that make this simple. My family uses LastPass and has for years—it autorotates my AA.com password among others.

      By the way, Andy, they ask for a police report because corporate security cannot report it to their insurance company or to the FBI without a case number from a local law enforcement agency. As a CISO, we end up doing this regularly (or asking customers to send the same info to us) for all sorts of coordinated attempts at compromise.

  3. Thanks for update. Currently updating all my passwords. Follow-up!

    Careful not to use your “connections in that area and will be getting law” to obtain privacy info unlawfully.

  4. The “average” frequent flyer does not check their e-mail, or their AA account, so frequently. I get so many e-mails from all the programs I’m signed up for that I cannot possibly take the time to open all the e-mails in real time.

    I would love to know how AA handles cases where the victim reports the missing miles 10 days, not 10 minutes, later, like you did. Does AA say SOL?

    • It just takes a little longer, I have a friend who had a situation like this where she tried to reclaim them after the award ticket had been flown and it was a much more involved process. I think mine is a relative “best case” scenario.

  5. Sorry this happened to you. A good lesson not to use the same password across multiple sites.

  6. This is ridiculous. If the Congress (by that I mean jerks of one particular party, sex and skin color) had spent more time making robust laws for the US similar to Europe instead of wasting time and money on emails and Benghazi we would have a more robust online security apparatus.

  7. Same thing happened to me – except over 500K points from my Hilton Honors account. I discovered mine missing about 4 days after the breach and immediately called the HH Diamond desk for assistance.

    In this case the thief made two large purchases of Amazon gift cards with my Hilton points. Same scenario – I was able to log in with my HH# and see that someone had changed the account’s email address before making the two large points transactions.

    What I learned was this really isn’t a surprise to Hilton – in fact the CS agent mentioned a “spike” in fraudulent transactions around the holidays and also since Hilton has made changes to their IT and software. The CS agent also mentioned that Amazon has been very difficult with them to work with on these issues – Perfect!!

    The CS agent mentioned this could be done through Amazon using just my Hilton Honors number – but obviously the breach could have happened as you described, by identical usernames and passwords across websites.

    Hilton has identified the issue and has reassured me that the points will be reinstated into a new account number – but that they are currently going through continued IT and software upgrades so the process continues now since after Christmas.

    My Hilton IT / Security suggestions – It’s amazing that Hilton would process 2 massive Amazon redemptions when I have a 20+ year history of only redeeming points for hotel stays (and this immediately after a change in a contact email address – this should certainly raise a red flag somewhere!)

    Lastly – the bad guys & thieves are clearly ahead of precautions and security in our FF accounts.

    As others have said – the only thing we can do as consumers is continue to be diligent and actively manage email and passwords.

    Sigh…

    • Wow, I can’t believe they got that many points without any alarm bells ringing at Hilton! I hope your points get back to you soon.


