Members of British Airways Executive Club are reporting that their accounts appear to have been hacked, and emptied of their Avios reward points.
An email sent to some British Airways Executive Club members shed some light on the mystery, explaining that the airline has spotted “unauthorised activity” on the account, and consequently reset passwords.
Here is a typical email that users have been receiving:
Part of the email reads:
British Airways has become aware of some unauthorised activity in relation to your Executive Club account.
This appears to have been the result of a third part using information obtained elsewhere on the internet, via an automated process, to gain access to your Executive Club account.
We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.
We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.
We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.
So, it appears that British Airways is claiming that Executive Club accounts were accessed because members were using the same password for their BA Executive Club account as they were on another service.
From the sound of things, the attackers managed to get hold of a database of usernames and passwords and then threw it at the British Airways Executive Club website to see if they would also unlock accounts there.
As I’ve said many times before, you should never use the same password for multiple websites.
A similar scenario played out against Starwood Preferred Guest and Hilton HHonours recently.
If you find it hard to remember lots of different, hard-to-crack passwords (which I would fully understand!) then I strongly recommend using a password manager like Bitwarden, 1Password, and KeePass.
There is some speculation online that British Airways may have proactively zeroed Avios points from users’ accounts to prevent them from falling into the hands of unauthorised parties. However, I have found no official confirmation of this.
Judging by messages in discussion forums, it’s clear that some Executive Club members are less than amused by the sudden disappearance of their Avios points:
In other posts, users describe how criminals appear to have used their Avios points for fraudulent purposes.
If you have any concerns, my recommendation would be to contact BA’s customer service team (who are probably quite busy right now) and change your British Airways Executive Club password.
But, please, don’t use the link that the BA email includes in its warning message. They should never have included a clickable link when they invited you to reset your password, as that’s a classic trick used by criminals phishing for login credentials.
I called BA Exec club around 7.30pm yesterday evening after finding a zero avios balance. I was definitely told that BA had reduced my account balance to zero because of suspicious activity, which I took to be on my account.
My statements shows the adjustment ex-gratia, this is the normal identification I see from BA when they are adding avios due to some service issue.
I too can't believe that they included a clickable link.
Typical: they lose customer data (perhaps an employee followed a clickable link to somewhere they shouldn't) and then suggest that customers click on a typical phishing-style scam.
If we can't educate security people to avoid putting clickable links in emails, how can we possibly hope to educate ordinary users not to click on them?
And now we can expect fraudulent emails to be spammed out concerning this hack, but with the clickable link going to a naughty web site.
I had one of these emails. The bit that most aroused my suspicion was not the clickable link, but the "Dear Customer" bit at the top. Pretty sure British Airways know my name, unless the hack was worse then we thought and someone wiped their entire database of customers' names.
This is rubbish blaming. I use distinct and complex passwords for every account where a PW is requested, yet my BA Executive Club account was frozen this weekend and I have been locked out ("Sorry, we don't recognize your account number") with no email from BA letting me know about this, thank you very much. Called BA and they said that I had to log on and reset my password but I cannot log on, so I'm caught in a Catch 22 whilst BA is to occupied to give a fig.
Your advice to not use the link in the email which BA send out is erroneous – there is no other way to reset the account.
Yes it looks like a typical phishing email – that's coz BA are stupid & can't think what things look like to normal people. You cannot just go to ba.com & reset your password if your account has been frozen. How do I know this? I've been affected, had my account stripped of 128k Avios & after phone calls, tweets & Googling was told that you have to click on the link they sent in the very dodgy looking email.
And yes – it has been pointed out to them their shortcomings in communication.
I checked my account yesterday and found that the mobile number had been changed to a Russian one. I changed it back and my miles are still there. Passwords now changed. Close escape there…
I received the email confirming I had changed my email address, which I had not. A few days later I tried to log in only to find the pin had been changed. Phoned BA and yes, people had already spent my points on a hotel, without me being informed of anything.
They said that they are having a lot of fraud problems currently with strangers changing the emails of existing customers, using all the stolen account information obtained in March. The gangers then change the genuine customer pins to lock them out. Then using their ID details to book holidays etc all in a matter of hours. BA should not allow a change of email without a manual check and phone call to check the security details.
My BA account was hacked on 14 February. My access to the account was blocked by BA until a month ago. BA knew that there should not have been any transactions in Feburary and said there had been no "unusual" activity. When I at last had access the account it showed that 117,000 of my Avios points (worth £1-5,000) disappeared on 14 February. BA had simply decided to lie every time I contacted them. (By the way, Avios is a BA subsidiary; the points per BA are the currency of the travel industry in other words it is like a BitCoin)
I of course contacted BA again once I knew of the theft of my property held in their custody, BA responded this week concluding no action was required as it is not "unusual".
It may not be unusual for BA to behave in this way but it is not acceptable.