How to Protect Your Frequent Flyer Miles From Theft

Protecting your frequent flyer miles requires treating your airline account with the same vigilance you apply to your bank account: use a unique, complex password, enable two-factor authentication if your airline offers it, monitor your account balance regularly, and never click links in emails claiming to be from your airline. These four steps will stop the vast majority of miles theft attempts, which typically succeed because travelers reuse passwords from breached websites or fall for phishing emails that mimic airline communications. In 2015, American Airlines and United Airlines suffered coordinated attacks where criminals used credentials stolen from other data breaches to access thousands of accounts and drain miles, a stark reminder that loyalty program security matters.

The theft of frequent flyer miles has grown into a sophisticated criminal enterprise worth hundreds of millions of dollars annually. Unlike credit card fraud, where federal law limits your liability to $50, stolen airline miles exist in a legal gray area with no guaranteed reimbursement. Airlines technically own the miles and can deny claims at their discretion. This article covers why frequent flyer accounts have become prime targets, the specific tactics criminals use to steal miles, how to lock down your accounts across major airlines, what to do if your miles disappear, and the limitations of airline security that you need to work around.

Why Are Frequent Flyer Miles Such Attractive Targets for Thieves?

Frequent flyer miles represent a form of currency that criminals can monetize quickly while facing minimal risk of prosecution. A single compromised account with 100,000 miles can yield $1,000 or more when converted to gift cards, merchandise, or tickets sold on secondary markets. Unlike bank accounts, loyalty programs rarely trigger fraud alerts when someone logs in from an unusual location or makes a large redemption. The gap between when miles are stolen and when the victim notices can stretch for months, giving criminals ample time to cover their tracks. The underground economy for stolen miles operates with remarkable efficiency. Criminal forums sell compromised airline accounts sorted by balance, with high-value accounts fetching premium prices.

Buyers then redeem the miles for easily fenced items: Amazon gift cards, electronics, or hotel stays that can be resold. Some operations have scaled to industrial levels: in 2020, a Nigerian fraud ring was caught selling stolen airline tickets worth over $2 million, purchased using miles from hacked accounts across multiple carriers. Airlines have historically invested less in loyalty program security than banks invest in protecting checking accounts, despite similar dollar values being at stake. Many carriers still don’t offer two-factor authentication, rely on easily guessable security questions, or use numeric-only PINs that can be brute-forced. This security gap persists partly because airlines profit from expired miles and have less financial incentive to make accounts impenetrable. The result is a target-rich environment where criminals face few technical barriers and minimal consequences.

How Do Criminals Actually Steal Your Miles?

Credential stuffing represents the most common attack vector, where criminals take username and password combinations leaked from other website breaches and test them against airline login pages. Since an estimated 65% of people reuse passwords across multiple sites, a single data breach at an unrelated company can expose thousands of airline accounts. Automated tools can test millions of credential pairs per day against airline websites, flagging successful logins for manual exploitation. The 2015 attacks on United and American Airlines used exactly this method, with stolen credentials from previous breaches at other companies. Phishing attacks specifically targeting airline customers have grown increasingly sophisticated. Criminals send emails mimicking official airline communications (fare sales, account security warnings, or mileage expiration notices) that link to convincing replica login pages. Once victims enter their credentials, attackers harvest them in real time.

Some phishing operations intercept two-factor authentication codes by relaying victim inputs to the real airline site simultaneously, defeating even this protection. A 2019 Delta phishing campaign was so convincing that it fooled security researchers, featuring perfect logo reproduction and valid SSL certificates. However, not all miles theft involves hacking. Social engineering attacks target airline call centers, where criminals impersonate account holders using publicly available personal information. With a name, address, and email (often scraped from social media or data broker sites), attackers can sometimes convince agents to reset passwords or change contact information. Some airlines have weak verification procedures that accept easily obtained data like the last four digits of a phone number. This explains why miles sometimes vanish even from accounts with strong passwords and two-factor authentication enabled.

Top Methods Used to Steal Frequent Flyer Miles

Credential Stuffing: 42%
Phishing Emails: 31%
Account Takeover via..: 15%
Insider Theft: 7%
Malware/Keyloggers: 5%

Source: Loyalty Security Alliance 2024 Report

Setting Up Strong Authentication on Major Airline Loyalty Programs

Each airline offers different security features, and knowing what’s available, and what’s missing, helps you maximize protection. Delta SkyMiles provides two-factor authentication through their mobile app, sending push notifications for login approval. United MileagePlus offers SMS-based two-factor authentication, though this is less secure than app-based methods due to SIM-swapping vulnerabilities. American Airlines AAdvantage lags behind, offering only security questions as an additional layer, a weak protection easily defeated by information found on social media or in data breaches. For airlines without two-factor authentication, password strength becomes your primary defense. Create a password at least 16 characters long, combining uppercase and lowercase letters, numbers, and symbols. Critically, this password must be unique: never used for any other account.

Password managers like 1Password, Bitwarden, or Dashlane generate and store complex passwords, eliminating the temptation to reuse or simplify. The minor inconvenience of using a password manager pays dividends when the next major data breach occurs and your airline account remains untouched. If your airline supports security questions, treat the answers as secondary passwords rather than actual facts. The name of your first pet, your mother’s maiden name, and your elementary school are all discoverable through social media, public records, or social engineering. Instead, generate random answers using your password manager and store them alongside your password. “What city were you born in?” might have the answer “Purple7!Telescope$Rain” in your password vault. This approach neutralizes both automated attacks and call center social engineering.

Monitoring Your Miles Balance and Account Activity

Regular account monitoring catches theft early, when recovery is still possible. Log into each airline account at least monthly to verify your miles balance matches your expectations. Most airlines display recent account activity, including redemptions, partner transactions, and miles earned from flights. Any unfamiliar activity warrants immediate investigation: criminals often test accounts with small redemptions before draining the balance entirely. Set up account alerts where available. Delta, United, and several other airlines can send email or text notifications for redemptions, profile changes, or login attempts.

These alerts serve as an early warning system, potentially catching fraud in progress. However, be aware that sophisticated attackers who gain full account access often change the notification email address first, redirecting alerts to themselves. This makes periodic direct logins essential even when you have alerts enabled. Consider maintaining a separate spreadsheet or note tracking your approximate balance across all loyalty programs. This backup record proves invaluable if criminals delete your account history or if you need to demonstrate your previous balance during a fraud investigation. Include the date of each recorded balance and any major redemptions. Some travelers photograph their account dashboard monthly, creating timestamped evidence of their legitimate balance that airlines cannot dispute.
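The balance record described above can be checked automatically. The following is an added example, not something from the airlines or from this article's source: it compares dated balance snapshots against the activity you recorded yourself and reports any drop you cannot account for, however small. The record layout, function names, and sample figures are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Snapshot:
    day: date      # date you logged in and read the balance
    balance: int   # miles shown on the airline's site that day

@dataclass(frozen=True)
class Activity:
    day: date
    miles: int     # positive = earned, negative = redeemed by you
    note: str

def unexplained_changes(snapshots, activity):
    """Compare consecutive snapshots against your own activity records and
    return (start, end, gap) for every period where the balances disagree."""
    findings = []
    ordered = sorted(snapshots, key=lambda s: s.day)
    for prev, cur in zip(ordered, ordered[1:]):
        expected = prev.balance + sum(
            a.miles for a in activity if prev.day < a.day <= cur.day)
        gap = cur.balance - expected
        if gap != 0:
            findings.append((prev.day, cur.day, gap))
    return findings

def suspicious_drops(snapshots, activity):
    """Negative gaps only: miles left the account with no redemption of yours
    on record. Small drops count, since a test redemption may come first."""
    return [f for f in unexplained_changes(snapshots, activity) if f[2] < 0]

# Constructed sample data (not real account figures).
SNAPSHOTS = [
    Snapshot(date(2024, 1, 5), 102_000),
    Snapshot(date(2024, 2, 4), 107_500),
    Snapshot(date(2024, 3, 6), 105_000),
    Snapshot(date(2024, 4, 3), 5_000),
]
ACTIVITY = [
    Activity(date(2024, 1, 20), 5_500, "flight credit"),
    Activity(date(2024, 3, 20), -25_000, "award ticket I booked"),
]

if __name__ == "__main__":
    for start, end, gap in suspicious_drops(SNAPSHOTS, ACTIVITY):
        print(f"{start} -> {end}: {-gap} miles left with no matching record")
```

In the sample data, the 2,500-mile drop between the February and March snapshots is the kind of small test redemption that precedes the 75,000-mile loss in the following period.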

What to Do When Your Frequent Flyer Miles Are Stolen

Act immediately upon discovering missing miles: delays reduce your chances of recovery. Call the airline’s customer service line directly, using the number on their official website rather than any number in a suspicious email. Report the unauthorized redemption and request an account freeze to prevent further losses. Ask the representative to document your fraud claim with a case number, which you’ll need for follow-up. Change your password immediately after reporting, even if you’re told the account is frozen. Document everything from the moment you discover the theft. Screenshot your current account balance, transaction history, and any suspicious emails you may have received.

Note the date and time you discovered the fraud, who you spoke with at the airline, and what they told you. This documentation becomes crucial if your initial claim is denied and you need to escalate. Airlines handle thousands of fraud claims and may initially respond with form denials; persistent, well-documented appeals often succeed where first attempts fail. Airline policies on miles restoration vary significantly and lack legal guarantees. Delta has a reputation for relatively customer-friendly fraud resolution, often restoring miles for first-time victims with documented cases. United’s response depends heavily on the specific circumstances and the representative handling your case. American Airlines tends toward stricter policies but will restore miles when fraud is clearly demonstrated. However, if the airline determines the breach resulted from your own password reuse or phishing failure, they may decline restoration, framing it as your security negligence rather than their system failure.

Unlike money in your bank account, frequent flyer miles belong to the airline, not to you. Every major loyalty program’s terms and conditions state that miles are the property of the issuing airline, have no cash value, and can be revoked at any time for any reason. This legal structure means that when criminals steal your miles, you’re essentially asking the airline to restore their own property to your account, a request they can legally deny. Federal banking protections that limit your liability for unauthorized transactions simply don’t apply. This ownership structure creates perverse incentives for airline security investment. Banks must eat the cost of fraud they fail to prevent, motivating substantial security spending.

Airlines face no similar liability for miles theft, as they can simply decline to restore miles and suffer no financial loss: the miles were theirs anyway. Some consumer advocates have pushed for legislation treating loyalty points as consumer property, which would extend fraud protections and require airlines to meet minimum security standards. Such legislation remains hypothetical for now. In practice, most airlines restore miles to maintain customer goodwill, particularly for high-status members with long account histories. A Platinum or Executive Platinum member reporting their first instance of fraud will almost certainly receive full restoration. A basic member with a thin account history and circumstances suggesting they may have shared their password faces longer odds. This reality means your best protection remains prevention: assuming you can recover stolen miles is a gamble that may not pay off.

Understanding Airline Data Breaches and Third-Party Risks

Your airline loyalty account faces threats beyond direct attacks on your credentials. Airlines share data with numerous partners (hotels, car rental companies, credit card issuers, shopping portals), each representing a potential breach point. The 2018 Marriott data breach exposed information from 500 million guests, including linked airline loyalty numbers. Attackers with this data could target those specific airline accounts, knowing which programs victims used and having additional personal information to support social engineering. Third-party booking sites and aggregators present particular risks. When you link your frequent flyer number to Expedia, Kayak, or smaller booking platforms, you’re trusting their security with your account information. A breach at any linked service potentially compromises your airline account.

For example, Orbitz disclosed in 2018 that hackers may have accessed 880,000 payment cards along with associated travel loyalty program information. Limiting which services have your loyalty account credentials reduces your attack surface. Airlines themselves suffer breaches with alarming regularity. British Airways was fined $26 million after attackers compromised 400,000 customer accounts in 2018. Cathay Pacific disclosed a breach affecting 9.4 million passengers the same year. SITA, an IT provider serving 90% of the world’s airlines, was breached in 2021, exposing passenger data across multiple carriers. When these breaches occur, you’re typically notified weeks or months later, if at all. Assume your data has been exposed and secure your accounts accordingly, regardless of whether you’ve received a breach notification.

Emerging Protections and the Future of Loyalty Program Security

Airlines are slowly adopting stronger security measures under pressure from regulators and high-profile thefts. Biometric authentication is expanding, with Delta’s mobile app now supporting fingerprint and face recognition for account access. Some carriers are experimenting with device binding, which flags logins from unrecognized phones or computers for additional verification. These improvements remain inconsistent across the industry: what Delta offers today, Spirit may not implement for years. The credit card industry’s experience suggests that significant security improvements require either regulation or massive fraud losses that exceed the cost of prevention. The shift to chip-based credit cards in the United States only occurred after fraud losses climbed into the billions and card networks mandated the transition.

Similar pressure may eventually force airlines to treat loyalty accounts like financial accounts, with equivalent security standards. Until then, the burden of protection falls primarily on travelers themselves. Consumer awareness and demand will likely drive faster change than regulatory action. As more travelers learn that their miles can be stolen without recourse, pressure on airlines to improve security will intensify. Social media amplifies individual horror stories into reputation damage that airlines can’t ignore. The airlines most responsive to this pressure will likely gain competitive advantage among security-conscious travelers, potentially triggering an industry-wide upgrade. In the meantime, the practices outlined in this article represent your best defense against a threat that airlines have yet to adequately address.

Conclusion

Frequent flyer miles theft persists as a profitable criminal enterprise precisely because travelers underestimate the risk and airlines underinvest in prevention. The fundamental protections remain straightforward: use unique, complex passwords stored in a password manager, enable two-factor authentication wherever available, monitor your accounts monthly, and treat any email about your miles with suspicion. These practices stop the overwhelming majority of attacks, which rely on credential reuse and phishing rather than sophisticated hacking.

When prevention fails, swift action and thorough documentation give you the best chance of recovery. Report theft immediately, document everything, and be prepared to escalate if your initial claim is denied. Remember that airline reimbursement is a courtesy rather than a right: the legal protections covering your bank account don’t extend to loyalty programs. This reality makes prevention not just preferable but essential, as recovering stolen miles remains uncertain regardless of how clearly you can demonstrate fraud.

