Company offers instructions to gain access to the account

Dec 30, 2014 16:37 GMT
MileagePlus members' accounts have been suspended by United Airlines to protect against fraud

Some members of the MileagePlus frequent flyer program from United Airlines have been locked out of their accounts after the company announced that their credentials were compromised.

The incident was not caused by an attack on United Airlines systems but by a breach of a third-party service.

Recycled passwords are at fault

In the email sent to affected individuals, the company explains that many people recycle their passwords for use on multiple online services.

Hackers are aware of this insecure practice, and when they compromise a service they also try to use the log-in data on other websites.

It appears that the illegal activity began around Christmas Eve, when multiple attempts to log into MileagePlus accounts were recorded by the company.

“Since approximately December 24, 2014, the unauthorized party attempted to access MileagePlus accounts with these usernames and passwords, since many people use the same username and password for multiple accounts and websites,” United Airlines says in a message to the individuals that have been identified to be affected by the incident.

The perpetrators gained access to the MileagePlus number, account balance and Premier status, but at the moment of sending the notification, there was no evidence that any of this information had been stolen.

Additional details exposed could include email addresses; credit card numbers are safe, as the user profile only shows the last four digits, which are of no use for the cybercriminals.

Company suspends MileagePlus account to avoid fraud

In order to protect its customers, United Airlines has suspended the accounts of the MileagePlus members who have been identified to be impacted by the incident.
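Replaying credentials taken from another service leaves a recognisable trace in authentication logs: one source trying many different usernames, with most attempts failing. The Python below is an added example, not United's detection logic or anything from the original article; the log format, thresholds and function names are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample events, not real data: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2014-12-24T09:00:01Z 203.0.113.7 alice FAIL
2014-12-24T09:00:02Z 203.0.113.7 bob OK
2014-12-24T09:00:03Z 203.0.113.7 frank FAIL
2014-12-24T09:00:04Z 203.0.113.7 grace FAIL
2014-12-24T09:00:05Z 203.0.113.7 erin OK
2014-12-24T09:00:06Z 203.0.113.7 heidi FAIL
2014-12-24T09:05:10Z 198.51.100.20 carol FAIL
2014-12-24T09:05:25Z 198.51.100.20 carol FAIL
2014-12-24T09:05:40Z 198.51.100.20 carol OK
2014-12-24T09:07:00Z 192.0.2.5 dave OK
"""

def parse_events(text):
    """Yield (source, username, succeeded) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def find_stuffing(events, min_accounts=5, max_success_ratio=0.5):
    """Map suspicious sources to the accounts they logged into successfully.

    Suspicious means many distinct usernames and mostly failures, the pattern
    of a replayed password list. Thresholds are illustrative assumptions."""
    tried = defaultdict(set)     # source -> usernames attempted
    opened = defaultdict(set)    # source -> usernames with a successful login
    attempts = defaultdict(int)  # source -> total attempts
    for source, user, ok in events:
        tried[source].add(user)
        attempts[source] += 1
        if ok:
            opened[source].add(user)
    flagged = {}
    for source, users in tried.items():
        ratio = len(opened[source]) / attempts[source]
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            flagged[source] = sorted(opened[source])
    return flagged

def accounts_to_suspend(text):
    """Accounts a flagged source actually got into: lock them and force a reset."""
    flagged = find_stuffing(parse_events(text))
    return sorted({user for users in flagged.values() for user in users})
```

The customer who mistypes a password twice before succeeding (`carol` in the sample) is not flagged, because the check keys on the number of distinct usernames per source, not on failures alone.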

The notification letter from the company instructs customers to call the Service Center, where a MileagePlus agent will help them change the password, username, PIN code, and the security questions.

The recommendation from the company, and from security experts, is to avoid using the same password for logging into multiple online services. Also, regularly reviewing the profile information and other profile-related details for unauthorized modifications would help detect fraud at an early stage.

Miles accumulated by frequent flyers are often targeted by hackers, as they can be converted into cash quite easily through various online services. Some airline companies offer the possibility to convert them into gift cards.

However, the most straightforward method is selling the miles to brokerage services specifically created for this purpose.

Cybercriminals could also sell the miles to someone else by transferring them to the buyer's account. The buyer can then purchase flight tickets at a considerable discount or even get them for free.

On some underground forums, the frequent flyer miles are also used as currency for other goods.