Fraudsters Target United Frequent Fliers

Several Thousand MileagePlus Accounts Exposed
Fraudsters Target United Frequent Fliers

United Airlines is notifying some of its MileagePlus members that unauthorized individuals accessed frequent flier accounts by using usernames and passwords obtained from third-party sources.

See Also: Webinar | The Future of Adaptive Authentication in Financial Services

"These usernames and passwords were not obtained as a result of a United data breach, and United was not the only company where attempts were made," says a notice sent to MileagePlus members, which was obtained by Information Security Media Group.

United's frequent flier program has an estimated 95 million members, says Rahsaan Johnson, a company spokesperson.

Starting around Dec. 9, the intruders attempted to access the accounts using the usernames and passwords obtained elsewhere, "since many people use the same username and password for multiple accounts and websites," United says.

For accounts where the credentials matched, the intruders were able to gain entry and obtain members' MileagePlus numbers, account balances and Premier status. Other account details, such as mailing addresses, also may have been viewed, United says. The intruders were not able to view credit card numbers because they are hidden except for the last four digits.

Several thousand accounts were inappropriately accessed, Johnson says, though an exact number could not be confirmed. For approximately three dozen accounts, the intruders were able to make a mileage transaction, such as booking a ticket, Johnson says.

United temporarily suspended MileagePlus accounts that may have been impacted, and members were given steps to have their password, username and security questions updated.

The reuse of usernames and passwords across multiple websites contributes to a higher rate of fraud, says Al Pascual, director of fraud and security at Javelin Strategy and Research. "To address this trend, businesses can implement two-factor authentication," he says.

In addition, organizations can bolster their password policies, such as requiring frequent password changes as well as encouraging the use of password managers, Pascual says.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.