Members of British Airways Executive Club are reporting that their accounts appear to have been hacked, and emptied of their Avios reward points.
An email sent to some British Airways Executive Club members shed some light on the mystery, explaining that the airline has spotted “unauthorised activity” on the account, and consequently reset passwords.
Here is a typical email that users have been receiving:
Part of the email reads:
British Airways has become aware of some unauthorised activity in relation to your Executive Club account.
This appears to have been the result of a third part using information obtained elsewhere on the internet, via an automated process, to gain access to your Executive Club account.
We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.
We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.
We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.
So, it appears that British Airways is claiming that Executive Club accounts were accessed because members were using the same password for their BA Executive Club account as they were on another service.
From the sound of things, the attackers managed to get hold of a database of usernames and passwords and then threw it at the British Airways Executive Club website to see if they would also unlock accounts there.
As I’ve said many times before, you should never use the same password for multiple websites.
There is some speculation online that British Airways may have proactively zeroed Avios points from users’ accounts to prevent them from falling into the hands of unauthorised parties. However, I have found no official confirmation of this.
Judging by messages in discussion forums, it’s clear that some Executive Club members are less than amused by the sudden disappearance of their Avios points:
In other posts, users describe how criminals appear to have used their Avios points for fraudulent purposes.
If you have any concerns, my recommendation would be to contact BA’s customer service team (who are probably quite busy right now) and change your British Airways Executive Club password.
But, please, don’t use the link that the BA email includes in its warning message. They should never have included a clickable link when they invited you to reset your password, as that’s a classic trick used by criminals phishing for login credentials.