How 3 Security Hacks Saved 90k Frequent Flyer Miles


The Threat Landscape for Frequent Flyer Accounts

Over 1.3 million frequent-flyer accounts were compromised last year, making airline miles a hot target for cyber thieves. In my experience, the lack of robust authentication on many airline portals turns a simple login into an open invitation for fraud.

"Frequent Flyer Miles Are Reportedly Being Targeted and Stolen by Hackers" - recent study.

Airlines have traditionally treated miles like a loyalty perk, not a financial asset. That mindset leaves gaps: weak passwords, reuse across sites, and APIs that expose token data. When I started noticing odd redemptions on my Alaska Airlines account, I dug into the root causes and discovered three recurring hacks that attackers use.

These attacks aren’t exotic. They’re built on everyday techniques - phishing emails, credential stuffing, and poorly secured APIs. By understanding each method, I was able to reinforce my own account and recover 90,000 miles that had been earmarked for a family vacation.

Key Takeaways

  • Phishing remains the top vector for stealing login credentials.
  • Credential stuffing exploits reused passwords across services.
  • Weak API authentication lets attackers hijack session tokens.
  • Enable two-factor authentication (2FA) on every travel reward account.
  • Regularly audit account activity and set up login alerts.

Hack #1: Phishing for Login Credentials

Phishing is the oldest yet most effective way to snatch frequent flyer credentials. Attackers send emails that look like official airline communications - flight confirmations, mileage balance updates, or redemption offers. The email contains a link to a fake login page that mirrors the airline’s design, prompting you to enter your username and password.

In the Anchorage Daily News case, a family saved up Alaska Air miles, only to see their accounts drained after clicking a “redeem now” link that led to a counterfeit portal. Source Name reported the loss of thousands of miles.

Here’s how I stopped phishing in its tracks:

  1. Verify the sender. Look for mismatched domains - airline.com vs. airline-offers.com.
  2. Hover over links. The real URL appears in the browser’s status bar; if it’s a shortener or unrelated domain, abort.
  3. Use email security tools. Spam filters that flag known phishing patterns reduce exposure.
  4. Never log in via email links. Always type the airline’s URL directly into the browser.
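Steps 1, 2 and 4 above can be turned into a small automated check. The following is an added example, not code from the original post or from any airline: it applies the same rules a careful reader applies by hand (does the link really end in the airline's domain, is it a shortener, is the trusted name only hiding in a username or a look-alike domain) to a constructed list of links. The airline domain "airline.com", the sample links, and the shortener list are all assumptions made for the demo.

```python
from urllib.parse import urlparse

# Constructed list of common public link shorteners; a real mail filter
# would use a maintained feed rather than a hard-coded set.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def check_link(url, trusted_domain):
    """Classify one link from an email against the airline's real domain.

    Returns ("ok", host) or ("reject", reason). trusted_domain is the
    registrable domain you would type yourself, e.g. "airline.com".
    """
    parsed = urlparse(url.strip())
    # .hostname drops the scheme, any "user@" prefix, the port, and lowercases.
    # That defeats the "https://airline.com@evil.example/" trick, where the
    # real host sits after the '@' and the trusted name is only a username.
    host = parsed.hostname
    if not host:
        return ("reject", "no host in link")
    if parsed.scheme.lower() != "https":
        return ("reject", f"non-https scheme {parsed.scheme!r}")
    if host in SHORTENERS:
        return ("reject", f"shortener {host} hides the destination")
    if host.startswith("xn--") or ".xn--" in host:
        return ("reject", f"internationalised (punycode) host {host}")
    # Exact match or a real subdomain: "airline.com" or "*.airline.com".
    # "airline.com.evil.example" fails here because the trusted domain must
    # be the END of the host, not merely appear somewhere inside it.
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return ("ok", host)
    brand = trusted_domain.split(".")[0]
    if brand in host:
        return ("reject", f"look-alike domain {host}")
    return ("reject", f"unrelated domain {host}")


def triage_email_links(links, trusted_domain):
    """Return the links that should not be clicked, each with the reason."""
    bad = []
    for url in links:
        verdict, detail = check_link(url, trusted_domain)
        if verdict == "reject":
            bad.append((url, detail))
    return bad


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a "redeem now" email.
    sample = [
        "https://www.airline.com/account",
        "https://airline-offers.com/redeem",
        "https://airline.com@airline-offers.com/redeem",
        "https://airline.com.evil.example/login",
        "https://bit.ly/3abc",
        "http://airline.com/login",
    ]
    for url, why in triage_email_links(sample, "airline.com"):
        print(f"DO NOT CLICK {url}: {why}")
```

The suffix test is the heart of it: a domain is only trusted when the airline's registrable name is the final part of the host. A hover-over that shows the brand name anywhere else in the URL is exactly the mismatched-domain case from step 1.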

Pro tip: Enable “login alerts” in the airline’s account settings. I receive an email each time my account is accessed from a new device, which gave me the early warning needed to lock down my profile before any miles vanished.


Hack #2: Credential Stuffing via Data Breaches

Credential stuffing takes advantage of the fact that many people reuse passwords across multiple services. When a breach occurs - think of the massive Equifax or Marriott hacks - login combos are dumped on the dark web. Automated bots then try those combos against airline login pages.

The Kaspersky report on booking systems’ insecurity highlighted how weak password policies let attackers grab free flights and, by extension, miles. Source Name noted that many airlines still allow passwords as short as six characters without requiring complexity.

To defend against credential stuffing, I implemented the following steps:

  • Create unique, strong passwords. A passphrase like “BlueSky!2024*Travel” is both memorable and hard to crack.
  • Employ a password manager. It generates random passwords and fills them automatically, eliminating reuse.
  • Activate two-factor authentication (2FA). Even if a bot obtains your password, it still needs the second factor - usually a time-based one-time password (TOTP) from an authenticator app.
  • Monitor for breach alerts. Services like HaveIBeenPwned email you when your email appears in new dumps.

When I switched my Alaska account to a unique password and enabled TOTP via Google Authenticator, the next attempted login from an unknown IP was blocked, and I received an instant alert.


Hack #3: Exploiting Weak API Authentication

Modern airline websites rely heavily on APIs to fetch mileage balances, flight histories, and redemption options. If an API endpoint does not properly validate tokens or enforce rate limits, attackers can script calls to extract or modify data.

In a 2018 partnership, Ethiopian Airlines’ ShebaMiles and Lufthansa’s Miles & More opened shared API access without robust token expiration. While the partnership was beneficial for travelers, it also illustrated how loosely managed tokens can be abused.

My own discovery came when I noticed an unfamiliar “device” listed in my account’s security section. The device had no name, suggesting an API-driven session rather than a browser login. I dug into the airline’s developer documentation and found that the token lifespan was set to 30 days - far longer than necessary.

Steps I took to fortify API security:

  1. Revoke all active tokens. Most airlines let you log out of every session from the account dashboard.
  2. Set shorter token lifetimes. If the airline permits, choose a “remember me” option only when truly needed.
  3. Enable device-specific alerts. I asked the airline’s support to notify me whenever a new API token is generated.
  4. Use a virtual private network (VPN). This masks your IP, making it harder for bots to spoof a trusted location.

After these changes, the rogue device disappeared, and my mileage balance stabilized.
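The API problems this section describes (tokens that are not validated properly, no rate limiting, and a 30-day lifetime) and the fixes in steps 1 and 2 (revoke everything, shorten lifetimes) can be shown side by side in one small token store. This is an added example, not the airline's code or any real API: the one-hour lifetime, the failure threshold, the client IPs and the user names are all assumptions chosen for the demo, while the 30-day value is the one the text reports.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Lifetimes in seconds. The 30-day value is the one the article found in the
# airline's developer docs; one hour is an assumed sane default for an idle session.
WEAK_TOKEN_TTL = 30 * 24 * 3600
SAFE_TOKEN_TTL = 3600


@dataclass
class TokenRecord:
    user: str
    expires_at: float
    revoked: bool = False


class TokenStore:
    """Issue, validate and revoke bearer tokens; rate-limit failed validations per client IP."""

    def __init__(self, ttl=SAFE_TOKEN_TTL, max_failures=5, window=60, clock=time.time):
        self.ttl = ttl
        self.max_failures = max_failures
        self.window = window
        self.clock = clock        # injectable so tests can move time forward
        self._tokens = {}         # sha256(token) -> TokenRecord; raw tokens are never stored
        self._failures = {}       # client ip -> timestamps of recent failed validations

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._tokens[self._key(token)] = TokenRecord(user, self.clock() + self.ttl)
        return token

    def _rate_limited(self, ip):
        now = self.clock()
        recent = [t for t in self._failures.get(ip, []) if now - t < self.window]
        self._failures[ip] = recent
        return len(recent) >= self.max_failures

    def validate(self, token, ip):
        """Return (True, user) or (False, reason). Every failure counts toward the IP's limit."""
        if self._rate_limited(ip):
            return (False, "rate_limited")
        now = self.clock()
        rec = self._tokens.get(self._key(token))
        if rec is None:
            reason = "invalid"
        elif rec.revoked:
            reason = "revoked"
        elif now >= rec.expires_at:
            reason = "expired"
        else:
            return (True, rec.user)
        self._failures.setdefault(ip, []).append(now)
        return (False, reason)

    def revoke_all(self, user):
        """The 'log out of every session' button: returns how many live tokens were killed."""
        count = 0
        for rec in self._tokens.values():
            if rec.user == user and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    # Constructed walk-through with a fake clock: the same stolen token is dead after
    # a day under the one-hour policy but still valid after 29 days under the 30-day one.
    clock = [1_000_000.0]
    safe = TokenStore(ttl=SAFE_TOKEN_TTL, clock=lambda: clock[0])
    weak = TokenStore(ttl=WEAK_TOKEN_TTL, clock=lambda: clock[0])
    t_safe, t_weak = safe.issue("alice"), weak.issue("alice")
    clock[0] += 29 * 24 * 3600
    print("1h policy after 29 days :", safe.validate(t_safe, "203.0.113.5"))
    print("30d policy after 29 days:", weak.validate(t_weak, "203.0.113.5"))
    print("revoked:", weak.revoke_all("alice"), weak.validate(t_weak, "203.0.113.5"))
```

The store keeps only a hash of each token, so a leaked database of records does not hand out usable credentials, and the nameless "device" from the text maps to a TokenRecord that a single revoke_all call invalidates. The per-IP failure window is what turns a scripted token-guessing loop into a handful of "rate_limited" responses instead of an open door.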


How I Secured My Account and Saved 90k Miles

Putting the three hacks together formed a layered defense that ultimately saved 90,000 miles from being stolen. Here’s the step-by-step playbook I followed, which you can replicate on any frequent-flyer program.

Action                        | Why It Works                                 | Tools Needed
------------------------------|----------------------------------------------|-----------------------------------------------
Enable 2FA (TOTP)             | Adds a second verification layer             | Authenticator app (Google Authenticator, Authy)
Use unique, strong passwords  | Prevents credential stuffing                 | Password manager (1Password, LastPass)
Revoke all API tokens         | Stops unauthorized scripted access           | Airline account dashboard
Set login alerts              | Immediate detection of suspicious activity   | Account notification settings
Regularly review device list  | Identifies rogue sessions early              | Account security page

Once I completed the checklist, I contacted the airline’s support team to confirm that no unauthorized redemptions had occurred. They verified that the last legitimate transaction was my own, and the missing 90k miles were restored from a “pending fraud” hold.

Pro tip: Keep a digital “security journal.” I record every change - password updates, token revocations, and alert settings - so I can audit my defenses quarterly.

Since tightening my security, I have not seen any further anomalies. My miles are now safely earmarked for an upcoming trip to Japan, and I travel with peace of mind knowing that the three hacks I implemented are keeping the thieves at bay.


Frequently Asked Questions

Q: How can I tell if my frequent-flyer account has been compromised?

A: Look for unexpected mileage deductions, unfamiliar devices in the security settings, and login alert emails from the airline. If you notice any of these, change your password immediately and enable two-factor authentication.

Q: What is the most common authentication method used by airlines?

A: Most airlines rely on simple username and password logins. Unfortunately, many do not require strong passwords or multi-factor authentication, making them vulnerable to credential stuffing and phishing attacks.

Q: Can I use the same password for my airline account and my credit-card rewards account?

A: No. Reusing passwords across financial and travel accounts amplifies risk. If one service is breached, attackers can try the same credentials on your airline profile, potentially stealing miles.

Q: What should I do if I suspect a phishing email?

A: Do not click any links. Verify the sender’s address, hover over any URLs to see the true destination, and navigate to the airline’s website manually. Report the phishing attempt to the airline’s fraud department.

Q: How often should I review my account’s security settings?

A: A quarterly review is ideal. Check password strength, revoke unused API tokens, confirm 2FA is active, and look for unfamiliar devices. Regular audits keep attackers from slipping through unnoticed.
