Russian Hackers Have Started Stealing Frequent Flyer Miles

The Washington Post is reporting on Russian hackers stealing frequent flyer miles from British members. No doubt they’re interested in this story because Russia! Hacking! Elections!

Russian scammers have been living it up at posh resorts by purchasing reward points and air miles that had been lifted from British customers’ hacked accounts and then sold on the dark Web. The problem has become so widespread that an unidentified U.S. bank has “quietly blocked” the purchase of flights in Russia with the banks’ reward points…the scheme is also effective because, rather than using stolen credit card data to buy a flight, the thieves tap reward points because their theft might not be noticed right away by a card’s owner

In fact Delta has imposed restrictions on booking awards originating in Russia (as well as China and Africa) requiring that tickets issued for travel within 72 hours be handled at the airport in person. A lot of fraud by the way originates in China.

Loyalty fraud — and especially stealing miles from hacked accounts — has been a big issue for years.

American AAdvantage has been hacked before. So has British Airways Executive Club. And Starwood. And every other program, too. Miles in large quantities are for sale on the Darknet.

Airlines will often place restrictions on redeeming miles for travel from these areas, or redeeming points at hotels in these places. They especially want to slow down or stop last-minute activity, which is much more likely to be fraudulent: a thief wants to get the redemption done before anyone notices.

Frequent flyer programs have teams in place to deal with fraud, but too often they get fixated on members who play by the rules but are ‘benefiting too much’, calling that fraud rather than dealing with the big costs and risks. All you have to do is look at Air France KLM’s Flying Blue. Here’s what to do if your account is audited.

Incidentally this is why I say the single best protective measure against fraud is Award Wallet, the tool that lets you track your miles in one place and update your balances in a single click. That way you immediately see changes in your account balance which will alert you to fraud rather than checking in on an account perhaps once a month or less. I click the button at Award Wallet as one of my first tasks each morning.

Here’s how to protect yourself:

  1. Don’t set your passwords to 12345

  2. Use a strong password for your laptop or other computing device. Then use a password manager, so that you only need to remember one strong password and can let the machine remember the passwords for various websites. You can enable two-factor authentication for extra security.

  3. Use a strong password that you vary slightly by program. Say, “%&%aSBQS” that you won’t ever forget because you use it over and over, followed by ‘spg’ for starwood and ‘hilton’ for hhonors, etc.

    Now this won’t be hard to guess if someone were looking at your password and trying to modify it, but if they’re just running a list of email addresses and passwords in bulk against a given website it won’t work because your ‘strong password’ is different. On the other hand, that’s probably no better or different than just using the program name itself as your password (although guessable by an algorithm that’s testing common passwords).

  4. Your laptop or other device should be encrypted. Password protection isn’t enough because a hacker can bypass or replace the operating system.

  5. Use Award Wallet to track your accounts to make it easy to track your miles daily, so you notice right away when anything is amiss.
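
An added example, not from the original post: a short Python audit of your own password list that shows both halves of the point in item 3. Passwords built as one base plus a program suffix all differ, so a bulk replay of one leaked pair does not match elsewhere, yet they share a base that a single leak exposes. The vault contents, function names and the `min_base` threshold are assumptions made for the illustration.

```python
import os
from itertools import combinations

# Constructed sample vault: the post's example base plus a per-program suffix,
# and one unrelated random password for contrast. Keys are program labels.
SAMPLE_VAULT = {
    "spg": "%&%aSBQSspg",
    "hilton": "%&%aSBQShilton",
    "delta": "kT9#vQ2m!xLp4wZr",
}

def find_shared_bases(vault, min_base=6):
    """Return {base: [sites]} for passwords sharing a prefix of >= min_base chars."""
    groups = {}
    for (s1, p1), (s2, p2) in combinations(vault.items(), 2):
        base = os.path.commonprefix([p1, p2])
        if len(base) >= min_base:
            groups.setdefault(base, set()).update((s1, s2))
    return {base: sorted(sites) for base, sites in groups.items()}

def audit(vault, min_base=6):
    """Describe every password that is a shared base plus a per-site suffix."""
    findings = []
    for base, sites in find_shared_bases(vault, min_base).items():
        for site in sites:
            suffix = vault[site][len(base):]
            findings.append({
                "site": site,
                "base": base,
                "suffix": suffix,
                # A suffix taken from the program name adds almost nothing
                # once the base is known from a leak at any one program.
                "suffix_from_site": bool(suffix) and suffix.lower() in site.lower(),
                # The full strings differ, so an exact replay of another
                # program's leaked password does not log in here.
                "resists_exact_replay": all(
                    vault[other] != vault[site] for other in sites if other != site
                ),
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULT):
        print(finding)
```

Accounts that appear in the output are the ones to move to independent, randomly generated passwords in a password manager.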

(HT: @VNITelevision)

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.



  1. 1Password is the greatest tool to help. I have different passwords for each program and I don’t even know what they are. Also turn on 2FA for award wallet! I have a feeling like AW was the source of a couple of hacking incidents that happened to me, but I haven’t had any issues since turning on 2FA and also using 1Password.

  2. It’s amazing how these airlines haven’t enabled 2-factor authentication. United a few years back added security questions which they dubbed as 2-factor. 1 factor + 1 factor != 2 factor

  3. My pet peeve, though, with 2FA is setting questions that include terms like “favorite”.

    “What’s your favorite vacation destination?”

    “Who’s your favorite singer?”

    I mean, c’mon. Don’t ask a question that I may answer differently in a couple months.

  4. It would seem that using Award Wallet would make it LESS secure. Once you have that one now has multiple accounts.

  5. @colleen, You should never treat those “stupid security questions” as real questions. Instead, they are 3 more username-password pairs and the answers should be just as difficult as your strong password.

    “What’s your favorite vacation destination?” Why it’s “WxByZTcobE)s;yo3wgg7ZWKpcG3LW”, of course.

    A password manager helps you remember the answer.

  6. Seriously, probably about 1/3 of your readers statistically speaking can’t/won’t understand a word about Russian Hacking.

  7. @Mark You are obviously a liberal a**hole that blames everything on Trump. Get a life as you are going to deal with the “family” for some time to come.

  8. Gary your password advice is outdated. The biggest determinant of how strong a password is is its length, not replacing random characters with numbers and symbols.

    p4ssw0#d is not different from using password.

    The best defense is to use long pass phrases. “My horse green blue cat dog fish” as an example is easier to remember, easier to type and far more secure than what you suggested.

  9. What will Award Wallet do for you if they’re hacked? Putting all of your eggs in one supposedly safe basket is great as long as the basket itself is safe.

  10. Some good tips. I don’t think award wallet is a big security bonus but I do like it. It would be nice if companies would offer 2FA and a sub account log in that will only show balances but not give access to the account.
    @colleen brings up a good question (unlike some of the anti trump haters). I think she missed the point about favorite questions. You come up with answers that don’t make sense. For example “what was the model of your first car?” The answer isn’t “Buick” or whatever; the answer is nonsense like, say, “chocolate”. The problem is with the multiple choice questions or answers setup that gives it all away.

  11. @Bill and @DaninMCI thanks so much from this admitted luddite for the great tips. I’ll be making changes because of them. That, and because I can no longer answer “Kenny Loggins” with a straight face.

  12. Not to hackers, focus your efforts on 1password and the like and get access to many more miles per hack.
