Stolen usernames and passwords have been used by thieves to hack into the mileage accounts of frequent fliers at United and American, say the airlines.
Both carriers tell Tnooz they are confident that the usernames and passwords didn't come from their databases.
Unauthorized users stole the usernames and passwords from elsewhere, instead. They then randomly entered the log-in details into the airline sites.
The unauthorized users were operating under the assumption that customers might be using the same unimaginative username and password combinations for multiple online accounts.
In the case of American's AAdvantage program, there were about 10,000 matches, according to the Associated Press.
An American spokesperson told Tnooz:
"We have identified only a handful of cases where miles were used without the account holders’ authorization and tied to this account breach and have already restored these miles to these customers’ accounts."
A United spokesperson said most of the accessing of its MileagePlus accounts happened at the end of December. It has made whole the handful of accounts whose miles were depleted.
In the meantime, United has turned off sign in with email or username. You need your frequent flier number currently.
Hilton's loyalty program was hacked in a similar method last year. About 20 travel websites have been compromised in a similar way in the past year, according to a security monitoring company who spoke to PC Mag.
That source -- Alex Holden, CTO of Hold Security, a digital investigator -- claims that "travel-site data is now fetching about the same price in the criminal underground as that from dating and employment websites," which were the previously most popular categories.
In light of these hacks, travel brands may want to review this Tnooz article from November: "How to do a better job protecting loyalty accounts."
They may also be inclined to encourage their customers create secure passwords, such as by using ones automatically generated and saved by services such as 1Password and other password managers mentioned by LifeHacker earlier this week.
Boarding Area was first to report on the travel hacks.
NB: Image courtesy of Seth Miller of The Wandering Aramean http://blog.wandr.me/2014/12/united-mileageplus-data-attacked/