My AAdvantage account was hacked: Here’s what happened and how you can protect yourself | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

Imagine my horror when I woke up early one Tuesday morning to find several emails from American Airlines AAdvantage and Rocket Rental Car Awards confirming my successful redemption of hundreds of thousands of AAdvantage miles for several car rentals set to begin later that day.

The problem was I hadn’t made any redemptions.

Instead, I’d been the victim of fraudsters who’d managed to hack into my American Airlines account and spend almost all my AAdvantage miles.

Emailed confirmation of fraudulent booking from American Airlines. AMERICAN AIRLINES

Someone had used my miles the night before to book two rentals from Avis via Rocket. Of my more than 400,000 stockpiled AAdvantage miles, there were just over 20,000 miles left in my account.

Here’s what happened and how you can prevent it from happening to you.

How I handled the fraud

There was a booking for a Chevrolet Suburban for someone named Keith White at John F. Kennedy International Airport (JFK) for nearly 300,000 miles. There was another booking under the name Pamela Williams at Memphis International Airport (MEM) for a Toyota Camry for just over 152,000 miles.

Needless to say, those redemptions weren’t mine.

The first thing I did was to try and prevent the thieves from picking up the cars. I called the customer service number for Rocket Rental Car Awards, which is the company that takes care of award redemptions (it’s actually a part of AAdvantage Hotels). After a short wait, I talked to a customer service agent who took the information and told me the company would reach out to Avis to try to cancel the reservations.

There was a bit of a language barrier, but the agent promised they would do their best to get ahead of the thieves and prevent the vehicles from being picked up. Did that ever happen? I have no way of knowing, but it did make me feel better. The company representative told me that they would also submit a ticket with Avis to get a refund of my miles for both bookings.

Daily Newsletter

Reward your inbox with the TPG Daily newsletter

Join over 700,000 readers for breaking news, in-depth guides and exclusive deals from TPG’s experts

The next thing I did was call American Airlines to tell them my account had been hacked. Unfortunately, the American Airlines fraud team doesn’t start work until 9 a.m. Texas time (where AA is based).

They did immediately shut down my old AAdvantage number. They told me they couldn’t reverse the fraudulent redemption immediately, but they would give me a new AAdvantage number right away. I was required to give them a new email address, which I’ve come to learn is standard when AAdvantage accounts are compromised. They also told me to call back in a few hours to speak to a representative in the fraud department.

I’m not sure why the fraud department isn’t open 24 hours a day, seven days a week, but I’m told by other people who’ve been victims that they’ve encountered a similar issue. Former TPG writer Senitra Horbrook had her AAdvantage account compromised recently as well, and she had a lot of trouble getting ahold of security teams.

In any case, I had a new AAdvantage account number within a few hours. It took a few days after that, but I was eventually notified that my Executive Platinum status carried over to the new account. My trip credits and companion certificates from holding the AAdvantage® Aviator® Silver Mastercard® also carried over.

The information for the AAdvantage Aviator Silver Mastercard has been collected independently by The Points Guy. The card details on this page have not been reviewed or provided by the card issuer.

Unfortunately, my stolen miles didn’t show up right away. More on that below.

Later that day, I finally got connected to the AA fraud team, but the story doesn’t end there. The security team created a case for me, and they also told me I would need to file an actual police report.

Related: Your ultimate guide to American Airlines AAdvantage

I was shocked to find out that’s how stolen miles are handled. Not only did I need a police report, AA would not accept an email. They wanted a full PDF or a screenshot. Also interesting to note: American Airlines considers the 449,000 miles to be worth a whopping $13,260.25.

AAdvantage fraud department email. AMERICAN AIRLINES

I was absolutely gobsmacked since I knew I would now have to deal with the New York City Police Department. As I researched how to file a police report, I was surprised to find that you can’t currently do it online for the city. (This was an option at one point, but it’s currently disabled.)

This meant a trip to the 20th Precinct on 82nd Street on the Upper West Side of Manhattan.


After passing a security barrier and explaining to an officer why I was there, he let me enter the shabby waiting area. After about 20 minutes, a friendly police officer asked me to fill out several forms. I could tell no one wanted to deal with it. However, after writing a detailed description of what happened on a few forms, the officer eventually got a detective to come to the waiting area, take the report and ask me a few more questions.

Once I was done, they also told me that the NYPD doesn’t give a copy of the police report to victims of crimes. I was pretty dumbfounded at that news, explaining that American Airlines was demanding a formal police report if I wanted to get my missing miles back.

I was told in no uncertain terms that there was nothing they could do, and they wouldn’t even give me a report number. I was told I would have to go to a special office at police headquarters in lower Manhattan at some point if I wanted to request the documentation.

I walked away from the station very, very frustrated.


At this point, I wrote to my case manager at American Airlines, Mariana, and let her know that the NYPD wouldn’t give me a police report.

Hello Mariana,

I went to the 20th precinct in Manhattan and spent an hour and a half
there filing a police report as you requested. Unfortunately, the New
York Police Dept. will not give me a copy of the police report. They
wouldn’t even give me the report number. I’m not sure what else I can do
here. Please advise. I’m not sure how much more I can do. As you know, I
did cancel both the fraudulent rentals with Rocket Miles, but I am
worried now I won’t get my miles back. Not sure how to get around the
NYPD! Please let me know next steps.

She wrote back, saying I would have to file a supplemental report.

Letter from American Airlines customer service. AMERICAN AADVANTAGE

Oh boy.

By now it had been three days since I first discovered my hacked account.

The next day, I got some better news, though. I received a call from a very nice NYPD detective who told me that not only was she following up on my case, but she would send me a copy of the police report after all. I’m not sure why I’d been told I couldn’t get a copy, and neither did she.

She just wanted to know a few more details.

A little later, I received a copy of the police report via email, which I promptly sent off to my new friend Mariana.

New York City Police Department report. NYPD

The next day I received a letter back saying they’d received and were reviewing the police report; they advised me to “allow 30 days from today’s date for resolution.”

Email from American Airlines AAdvantage customer service. AMERICAN AIRLINES

Despite the warning that it could take up to a month to get my miles back, the “car award” redemptions were credited back to my AA account by Feb. 26.

I ended up with all my miles restored. All in all, it had taken just one week to resolve. That’s pretty speedy, but I don’t love all the hoops I had to jump through.

Loyalty Points activity. AMERICAN AIRLINES

Strangely, a few weeks ago, I got two emails from AAdvantage Hotels saying they had investigated my cases but weren’t able to get a refund of miles.

“We made multiple contacts with Avis Rent a car to negotiate a refund for your reservation due to fraud booking,” read the email. “We have provided them with the necessary documentation and thoroughly explained the nature of your cancellation. Despite our efforts, our rental partners have decided to enforce the current policy and are not willing to refund.”

Email from AAdvantage Hotels concierge. AADVANTAGE HOTELS

Fortunately, as I mentioned previously, my miles had already been refunded by American Airlines, so despite the unhelpfulness from AAdvantage Hotels, I was made whole by American Airlines.

That’s great since airlines and hotels are not legally required to make you whole when your miles or points are stolen. Most travel companies will work with you to help, but there are no guarantees.

How to protect your frequent flyer accounts


Related: Chasing American Airlines elite status? Here are ways to earn Loyalty Points

While most airlines and hotels won’t share how often accounts are compromised, it does seem to be happening a lot lately.

Passwords are being compromised. Emails and passwords for frequent flyer and hotel loyalty programs are being stolen and sold on the black market.

Anecdotally, I’ve been hearing lots of other people have also had their frequent flyer account compromised. As I mentioned earlier, my former TPG colleague Senitra was also victimized in the past few months. “I did have my AAdvantage account hacked last month while I was in Japan,” she said. “I didn’t have any miles stolen though, so I’m glad I didn’t have to deal with that part. It’s still not totally resolved.”

Senitra received an email saying the email address on her account had been changed. The thieves had also changed the password, so she couldn’t log in. Like me, Senitra got a new AAdvantage account, but she has been unable to completely transition to the new account since she is waiting for some issues that corporate security at AA has to resolve first. “So for now, I have a new account with all my miles in it. And an old (hacked) account with 0 miles, but it still has all of my existing reservations and my Platinum status,” she told me.

The same thing has happened to several folks in the American Airlines frequent flyer Facebook Groups that I follow as well.

So, what should you do to protect your accounts?

The first thing you can do is change your password — especially if you have had the same password on your account for some time. I hadn’t changed my password since I opened the account in the 1990s. I knew better and never took the five minutes to change my password a few times. That may have saved me all this time and agita.

In fact, you should be using new, unique and difficult passwords for each of your accounts. If thieves get ahold of a password you use for multiple accounts, they could potentially also get into your other accounts.

Speaking of which, you should keep a close eye on your various loyalty account balances and make sure nothing looks amiss. We always tell people to “water your reservations” to make sure trips haven’t changed, but it’s also a good idea to keep an eye on your balances to make sure nothing is missing.

Experts say it’s also a good idea to consider a password manager that can generate strong passwords. Friends of mine recommended 1Password.

You can also use multifactor or two-factor authentication, which requires an extra step to log in to your accounts. For example, you’d need to enter a password and then get a text with a code that you enter to unlock the login. Most hotel programs, including Hilton Honors and Marriott Bonvoy, are now using two-factor authentication.

Marriott two-factor authentication prompt. MARRIOTT BONVOY

Finally, be aware that thieves are getting more and more sophisticated when it comes to stealing your hard-earned points and miles. TPG’s Tarah Chieffi wrote a complete guide to the new ways fraudsters are targeting consumers, including via social engineering scams and voice or customer service scams.

Bottom line


As I’ve reported, I love my AAdvantage status. I’ve used my miles for some incredible redemptions for international business-class trips all over the world. I would have been devastated if I’d lost my miles.

Fortunately, my story of stolen miles had a happy ending. American Airlines came through in the end, despite the paperwork frustrations. I learned a lot about this growing category of crime, and you can bet that I’ll be paying closer attention to passwords and account security going forward.

Related reading:


Click Here For The Original Story From This Source.


National Cyber Security