United Airlines is notifying some members of its MileagePlus program of a data security breach this week. According to the notice being sent out, the attacks started on 24 December 2014 and involved “usernames and passwords obtained from a third-party source.” The email alert continues:
[The unauthorized party] were able to obtain your MileagePlus number, account balance and Premier status, but there is no indication that any other information was obtained. However, there is a possibility that other details in your account profile could be viewed, such as mailing address. Please note that if your profile includes a credit card number, all but the last four digits are masked.
Affected MileagePlus members have had access to their accounts suspended pending contact with a call-center agent who will verify certain account data and then reset the security credentials before allowing access again.
United has not named the “third-party source” of the compromised credentials. The company does state that “United was not the only company where attempts were made.”
It seems interesting to me that MileagePlus has recently announced two significant new partnerships: MileagePlusX and MileagePlus Dining. Both allow access to MileagePlus services using the same credentials used to access a MileagePlus account directly. But that access is managed through what appears to be OAuth-based authentication, where the credentials are managed by United, not the partners. And at least one member with a compromised account reports that their password and PIN for MileagePlus are unique, casting some doubt on the claim that common account credentials are the issue.
Lots of questions still to be answered, but there is one thing which seems quite clear: MileagePlus data is being attacked. And that’s not good for anyone.