Fraudsters Target United Frequent Fliers
Several Thousand MileagePlus Accounts Exposed
United Airlines is notifying some of its MileagePlus members that unauthorized individuals accessed frequent flier accounts by using usernames and passwords obtained from third-party sources.
"These usernames and passwords were not obtained as a result of a United data breach, and United was not the only company where attempts were made," says a notice sent to MileagePlus members, which was obtained by Information Security Media Group.
United's frequent flier program has an estimated 95 million members, says Rahsaan Johnson, a company spokesperson.
Starting around Dec. 9, the intruders attempted to access the accounts using the usernames and passwords obtained elsewhere, "since many people use the same username and password for multiple accounts and websites," United says.
For accounts where the credentials matched, the intruders were able to gain entry and obtain members' MileagePlus numbers, account balances and Premier status. Other account details, such as mailing addresses, also may have been viewed, United says. The intruders were not able to view credit card numbers because they are hidden except for the last four digits.
Several thousand accounts were inappropriately accessed, Johnson says, though an exact number could not be confirmed. For approximately three dozen accounts, the intruders were able to make a mileage transaction, such as booking a ticket, Johnson says.
United temporarily suspended MileagePlus accounts that may have been impacted, and members were given steps to have their password, username and security questions updated.
The reuse of usernames and passwords across multiple websites contributes to a higher rate of fraud, says Al Pascual, director of fraud and security at Javelin Strategy and Research. "To address this trend, businesses can implement two-factor authentication," he says.
In addition, organizations can bolster their password policies, such as requiring frequent password changes as well as encouraging the use of password managers, Pascual says.