A Hacker Is Trying To Get Into Your Your Loyalty Program Accounts. Here’s How To Stop It.

Brian Krebs of Krebs On Security reports that there’s an ongoing effort to access email accounts in order to drain your gift cards and loyalty program accounts. By gaining your credentials they’re able to sell your points for cash. There’s a simple solution to this.

In most cases your loyalty program points are going to be protected – which is to say that eventually most loyalty programs make good, though you may have to go through layers of customers service and it may take some time. It’s a bad look for a company to shrug their shoulders when a program member is robbed like this. And it’s bad business, too, because balances worth stealing from belong to customers who are usually profitable.

The number one thing you can do to protect your loyalty accounts, in my view, is to sign up for Award Wallet. Put your accounts there so one click updates your balances. Do that every day. By making it easy to view changes (activity) in your account, you’ll know right away when the account has been compromised.

Your biggest enemy in loyalty program fraud is simply not knowing that it happened for some time. With a daily update of your balances you’ll know right away.

You should also, of course, check your credit report regularly even though it doesn’t appear that this hacker is opening financial accounts or making charges to existing accounts.

And if Google Chrome tells you the password you’re using on a given website has been compromised, by all means don’t use that password anymore. However most passwords that have been used have likely already been hacked or are easy to guess (12345 or password).

(HT: @istrakhov)

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. Someone hacked my Hilton Honors account in early July and had a very nice weekend in Florida at my expense. I’ve since spent several hours on the phone with Hilton and sent numerous emails. I was told by email almost a month ago that their fraud department was looking into it and I would hear back from them within 7 to 10 days. That never happened. Calling them gets no results; after spending a half hour on the phone waiting to speak with someone I am told only that they are still investigating it. Meanwhile, my points account has been dwindled down to almost nothing. I don’t know what to do at this point.

  2. No thanks – IMHO adding Award Wallet is just one more point of failure. Maybe I’m overly anal but I check my balances at least once a week plus look at activity (mainly due to seeing if points credited and promotions are posted). I would notice a change. Also, I was in IT for almost 40 years and was CTO or CIO of a couple of companies so am very aware of hacking, spoofing and phishing methods plus have numerous protections on my home network and mobile devices (plus 2 factor protection on many sites if not signing in from a known device).

    Maybe this works for people that never check their accounts but I don’t need it. To me it is a band aid and you really need to understand the cause of the problem and how to best avoid it instead of just seeing it after the fact which is basically what you are recommending.

  3. If available enable 2 factor authentication(2FA). Use google passwords from a google account protected by 2FA. Never click any link on spam text message or email.

  4. The best defense is to use your points. Points are not like good wine — they don’t get better with age. But what’s not there can’t be stolen.

  5. 1. If possible, don’t use your email address as your user name for accounts.
    2. Don’t use an email address that is easily identified with your name.
    For example, 9FN43PM6@gmail.com
    3. Have separate email addresses for different purposes — one being solely for regular email, point accounts, banks, etc.
    For example, 9FN43PM6.points@gmail.com or 9FM43PM6.banks@gmail.com
    4. Use a complex password such as that suggested by your browser.
    5. Change your email account passwords each calendar quarter.
    6. As Nick suggests, use two-factor authentication.
    7. As others suggest, check your balances regularly. You are the best fraud department.

    Now, about your car’s extended warranty . . .

  6. AC has a good point – Award Wallet is useful, but also a potential target themselves.

    IMO, the solution here is to use a password manager like 1Password, Dashlane, or LastPass and just create better passwords. Unlike 5-10 years ago, nowadays most sites will let you use ridiculously long and complex passwords (many of mine are >50 characters), which makes the only realistic path into your accounts either social engineering or breaking into your password manager account (still a risk, but a manageable one).

    2FA can be useful as well, but has its drawbacks (if your phone is your 2FA device, and you lose your phone…).

  7. Award wallet has mfa you can enabled and also has the option to store the passwords locally on your computer instead of their servers

  8. Aren’t their loyalty program-targeting thieves operating by targeting the baggage tag info of travelers with priority bag tags? From the PNR and name on the baggage tag, there is often a way to access enough details for a loyalty program thief to get started without even relying upon a technologically more sophisticated hacking effort.

  9. I used Award Wallet for years, until they little by little dropped most of the rewards programs to which I belonged. DL was the last one, the proverbial “straw” — after it was no longer supported, I stopped using Award Wallet.

  10. My wife had 170k point stolen from her Chase Sapphire and Chase Ink accounts. The accounts were locked with two factor authentication and supposed to get an email for account changes. The hackers were able talk a Chase operator into giving them access to the accounts without password or answering any of the account security questions. Even worse there was no notification of the changes or interaction to our email or text, which are both set up for notifications. They were so smooth it almost seemed like an inside job. We’re pretty sure they used data from a school yearbook company data leak. Chase gave us the points back pretty easily. In hindsight, I don’t think there is anything we could have done to prevent the theft.

    Best of all the hackers transferred 100k INTO our account from some random person, then transferred all of it out to some other random person. How did transfer chain of points that clearly violates the terms of the program not throw up red flags?

  11. Award Wallet is great & secure, just use 2FA. Also, it notifies you when your balance changes in an account & when reservations are made. The airline problem is the airlines not allowing AW access.

  12. The idea of putting all your info on yet another website to protect it makes no sense to me whatsoever. I’ll keep my own tabs on my stuff.

  13. Statistically, the best thing you can do to prevent hacks is not reuse passwords. If you’re still using the same password on your AA, Citibank, Marriott, etc. that was leaked in a Geocities breach in 2010, gaining access is a matter of copy and pasting. Other steps like two-factor authentication are great additional risk reduction, but having a two-factor code sent when you use the same password on your email is unhelpful.

Leave a Reply

Your email address will not be published.