Loyalty Programs Under Siege: Hackers Target Airline Miles as Travelers Lose Control of Their Rewards
Travelers holding onto airline and hotel loyalty points face a growing threat that most have not fully considered: their rewards accounts are increasingly becoming targets for hackers. Recent incidents and security research show that loyalty points, once treated as secondary by fraud teams, now carry real monetary value that criminals are actively exploiting.
Stolen Miles, Real Consequences
Linda Roth, an experienced traveler who has visited all seven continents, discovered that nearly 200,000 American Airlines AAdvantage miles had been drained from her account over a single weekend. The stolen miles were quickly converted to gift cards by the hacker.
“I was just crushed. It’s a violation. It’s a theft. And I did shed a few tears. I did cry,” Roth told reporters.
The problem extended beyond the initial theft. Roth struggled to reach American’s fraud department, which does not operate on weekends. When she finally got through on Monday, the response was stark: “There was nothing we can do. And our policy is that we cannot reinstate your miles.”
After more than an hour on hold and a formal police report, Roth’s miles were eventually restored. She plans to use them for a trip to Australia, a destination American serves directly.
Clint Henderson, a representative from The Points Guy, experienced a similar breach. Hackers drained his American Airlines account and used his miles to book rental cars in New York City. American Airlines valued the stolen 449,500 miles at approximately $13,260.
“These things do have value,” Henderson noted, underscoring that loyalty points represent real financial assets.
How Hackers Target Loyalty Accounts
Security researchers indicate that criminals routinely scan dark web marketplaces for breached usernames and passwords. They then test those credentials against loyalty accounts, which often lack the multi-layered defenses found on primary financial accounts.
One tactical advantage hackers exploit is timing. “They’ll steal your stuff on the weekend when there’s no way to report it,” Roth explained. This leaves a gap of roughly 48 hours where points can be converted and spent before the account holder can alert the airline.
American Airlines told news outlets that its fraud department operates Monday through Friday, though customer service agents are available around the clock to lock accounts if fraud is reported.
Industry Response and Traveler Protection
American Airlines stated that when it identifies unauthorized activity, it acts quickly to secure the account and work directly with customers to resolve issues. The airline recommends using strong, unique passwords and enabling multifactor authentication on email accounts linked to loyalty programs.
Critics argue that fraud departments at major airlines remain too limited in their operating hours. “I don’t think in this day and age you can have your fraud department only open business hours Monday through Friday. I think that doesn’t work anymore,” Henderson said.
Both Roth and Henderson admitted they had been using older passwords created before multifactor authentication became widely available, a common oversight that leaves accounts more vulnerable.
What Travel Merchants and Operators Should Know
For businesses in the travel industry, loyalty program security is becoming a reputational and operational issue. Travelers who feel their rewards are not adequately protected may shift their loyalty to competitors offering stronger security measures or clearer recovery policies.
The Barclays 2026 Travel Rewards and Loyalty Report found that 71% of U.S. travelers are focused on affordability, and 55% seek predictability in their travel spending. Trust in a loyalty program directly affects whether customers engage with it at all.
Operators running loyalty schemes should review their fraud response capabilities, including weekend coverage and recovery timelines. Those serving high-value point balances may want to consider automated monitoring for unusual redemption patterns.
Travelers themselves can take immediate steps: audit loyalty account passwords, enable multi-factor authentication where available, and avoid using the same credentials across multiple services. As points balances grow and cybercriminals become more sophisticated, the risk will only increase.
The bottom line for travel merchants is clear: loyalty program fraud is not a niche issue. It is a rising threat that affects customer trust, operational costs, and brand reputation. Getting ahead of it now is simply good business.
