Thieves with stolen usernames and passwords have broken into customer accounts at American and United airlines and in some cases booked free trips or upgrades.
The airlines say the incidents happened in late December. American began notifying affected customers by email on Monday, a spokeswoman said.
Some travel websites are fighting this type of fraud by adding steps to the login process, and they warn against using the same username and password on more than one site.
United Airlines spokesman Luke Punzenberger said thieves booked trips or made mileage transactions on up to three dozen accounts. United notified customers in late December, and Punzenberger said the airline would restore miles to anyone who had them stolen.
American Airlines spokeswoman Martha Thomas said that about 10,000 accounts were affected and some have been frozen while the airline and customer set up new accounts, starting with customers who have at least 100,000 miles. She said the airline has learned of two cases in which somebody booked a free trip or upgrade without the account holder's knowledge.
Thomas said that American would pay for a credit-watch service for one year for affected customers.
On Monday afternoon, American Airlines released the following statement:
American Airlines recently discovered that an unauthorized third party obtained usernames and passwords from sites other than American’s and used them to access a limited number of AAdvantage accounts. We are notifying our impacted customers and have locked the accounts that may have been compromised. We also are working with U.S. federal law enforcement to investigate the matter. The affected accounts do not contain Social Security numbers or full payment card information, but we are offering a free one-year membership to a credit monitoring service offered by Experian.
We apologize for any inconvenience this may have caused our affected customers. American takes information security very seriously and will continue to work to ensure that appropriate measures are taken to protect the information we maintain.
Both airlines were quick to say that nobody hacked their systems -- that thieves got usernames and passwords somewhere else and tried to use them to log in to American's AAdvantage and United's MileagePlus, hoping that the login information would be the same. They said that other information such as entire credit-card numbers was not exposed.
The representatives said they did not know how thieves acquired the usernames and passwords.
Punzenberger said that United has begun requiring customers to also enter their MileagePlus number when logging in.
Rick Seaney, CEO of Farecompare.com, says the thought of someone gaining access to an airline rewards account is worrisome.
“The bad news now is that hackers have figured out that your award points and miles are a virtual currency,” Seaney said. “And, that currency can be traded – they can buy tickets for other people, they can buy goods in some cases, just depending on which airline and they can put that on the black market however that stuff is sold.”
Hilton Hotels recently began requiring members of its rewards program to click a link declaring that "I am not a robot," then enter a numeral generated by the site to complete the login process.