If the combination for your frequent flyer accounts (or your luggage) is 1-2-3-4-5, it’s not secure, and anyone can guess it.
Award Wallet, the system I continue to use to track my frequent flyer accounts, identified a brute-force attack in which less than 1/10th of 1% of its members’ accounts were compromised. Most of those had either:
- the same username and password (Username “JohnSmith” and password “JohnSmith”), or
- a password like abcd (which might as well be 1-2-3-4)
Award Wallet identified all of the affected accounts and notified members. They also verified that as of this writing no one had their accounts drained of miles.
A system like Award Wallet is still good for your account security. There’s no substitute for checking your account balances regularly to identify whether any miles are disappearing. If you check your miles daily as I do, with a single click, you’re going to be far more secure than if weeks go by without your noticing missing miles.
And Award Wallet offers two-factor authentication. You should use it. This is something I’m required to do for access to my work files, and I care about my miles at least as much (don’t tell my boss).
Here’s the message Award Wallet sent out to the 250 affected members:
Today we have detected that a hacker tried accessing AwardWallet accounts using a brute-force method. Please note that we lock accounts whenever multiple invalid logon attempts happen; however the hacker was still able to log in to about 250 accounts. There were different types of accounts compromised:
(1) accounts had the same username and password, for example: username: JohnSmith password: JohnSmith (this was by far the majority of accounts) and
(2) accounts whose passwords were not unique to AwardWallet and were already compromised via a different website, or passwords that were easily guessable, like abcd.
Unfortunately, your account was one of those 250 accounts. The hacker then was able to get all of your loyalty account usernames and passwords that you have stored in AwardWallet. This means that you need to change all those loyalty account passwords immediately to avoid the possibility of those accounts being compromised and you need to reset your AwardWallet password using this link:
Please set a unique password that you never used anywhere else and please make it complex.
We also suggest you log in to all the loyalty accounts for which you have stored credentials on AwardWallet and see if there has been any unauthorized activity. We checked and as far as we see there were no deductions from any of the affected loyalty programs as a result of this issue. If there has been unauthorized activity, please contact the loyalty program to report the unauthorized activity but also please let us know and we will do what we can to help you recover your points/miles.
We sincerely apologize for this! Please also note that there is not much we can do to protect your account if you use a password that is either the same as your login name or if your password is not unique to AwardWallet. Hackers are very sophisticated and if there is any easy way to guess a password, they will guess it.
Finally, we strongly recommend that you enable two-factor authentication on your account:
As a courtesy, we’ve also upgraded your account to AwardWallet Plus for the next 12 months.
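
Both classes of compromised password named in the notice (same as the username, or trivially guessable like abcd) can be refused at the moment a password is set. The sketch below is an added example, not AwardWallet's code; the function names, the minimum length and the tiny breached-password list are assumptions made for illustration.

```python
import unicodedata

# Constructed sample standing in for a real breached-password corpus (assumption).
BREACHED = {"password", "letmein", "qwerty", "iloveyou"}
MIN_LENGTH = 12  # assumed policy value, not taken from the notice


def _norm(s):
    """Case-fold and Unicode-normalize so 'JohnSmith' matches 'johnsmith'."""
    return unicodedata.normalize("NFKC", s).casefold().strip()


def _is_run(s):
    """True for trivial runs such as 'abcd', '12345', 'dcba' or 'aaaa'."""
    if len(s) < 2:
        return True
    # A run has one constant step between neighbours: +1, -1 or 0.
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def password_problems(username, password):
    """Return the reasons to reject the password; an empty list means accept."""
    u, p = _norm(username), _norm(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if p == u or p == u[::-1]:
        problems.append("same as username")
    elif u and u in p and len(p) - len(u) <= 4:
        # Catches 'johnsmith123', which is one guess away from the username.
        problems.append("username plus short suffix")
    if _is_run(p):
        problems.append("sequential or repeated characters")
    if p in BREACHED:
        problems.append("found in breached-password list")
    return problems


if __name__ == "__main__":
    for user, pw in [("JohnSmith", "JohnSmith"), ("JohnSmith", "abcd"),
                     ("JohnSmith", "correct-horse-battery-staple")]:
        print(user, repr(pw), password_problems(user, pw) or "accepted")
```

A check like this matters because a password equal to the username succeeds on the first attempt, so a lock triggered by multiple invalid logons never fires for that account.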