Last week I wrote about how American Airlines contacted me to inform me that I needed to create a new AAdvantage account, after corporate security reportedly discovered unauthorized access to my account. In this post I wanted to provide an update on this situation.
No, this wasn’t a scam…
Many OMAAT readers who commented felt strongly that this was a scam, and that it wasn’t American Airlines contacting me. I’m not sure why anyone would think that. I called back the number in the email. They just asked me to verify my social security number, and briefly took over my computer to verify my identity. My account was then restored, so obviously this wasn’t a scam.
Just kidding, of course. 😉 In all honesty, though, it was in fact American contacting me. Rather than calling the number in the email, I instead called the standard phone number for AAdvantage customer service, and they then transferred me over to the correct department. So if you find yourself in a similar situation to me, then it’s probably legit, but it always makes sense to call the number you’re familiar with, just for peace of mind.
My phone call with American Airlines
While American doesn’t let you speak directly with corporate security, they do have dedicated agents for these kinds of things. I asked the person I spoke with if it was really necessary to create a new account, or if I could just change my password and other info on file (which you’d think would be sufficient).
I was told that it was highly recommended that I create a new account, and that if I didn’t, I’d be liable for any fraud on my account. I have a sizable balance of AAdvantage miles, so that wasn’t a risk I was willing to take.
From that point, it took about 15 minutes on the phone for the agent to create a new account for me. A few things to note:
- I had to provide a new email address, and also had to come up with a new username on the spot for my new AAdvantage account
- At that point I was sent an email with my new AAdvantage number, and I could immediately log into my new account
- I was told that it would take three to five business days for my account to be fully transitioned, and until that was complete, I could keep using my old AAdvantage number for any immediate travel; I could reset the password for my old account at this point
- As it was explained to me, this transition would include transferring my miles, status, wallet funds, and also changing the AAdvantage number associated with my Admirals Club membership and co-branded credit cards
How my AAdvantage account transition went
Six days after my phone call where I created a new account, I received an email from AAdvantage confirming that my accounts had been merged. So, just how well were they merged?
- All of my miles, Loyalty Points, and systemwide upgrades transferred over correctly
- My trip credits didn’t transfer over, and this is turning out to be a huge pain, as I know I had some, but I don’t know exactly how much they were for, and AAdvantage customer service isn’t able to do a whole lot to help
- None of my flight itineraries had their AAdvantage numbers updated, so I had to call American and spend 20 minutes on the phone having them update the AAdvantage number on each reservation (since it wasn’t possible online)
- While I’m told this should have been done, only time will tell if my AAdvantage number was correctly updated for my co-branded credit cards, Bask Bank, Admirals Club membership, and Wi-Fi subscription
- I also earn AAdvantage miles through American’s partnership with Hyatt, and an OMAAT reader reports no luck having the AAdvantage number updated with World of Hyatt; My Hyatt Concierge insists that the number has been updated, so I guess we’ll see
It’s going to take me some time to remember my new AAdvantage number, given how long I’ve been used to my old one.
A few thoughts on this process
I can appreciate that fraud is a major issue for airline loyalty programs, so it’s important for them to monitor accounts and take action to counteract this. That being said, a couple of thoughts…
First of all, it seems to me like American is going about this process in a way that doesn’t exactly instill confidence in people. If you’re going to make someone aware of account fraud, you should maybe send them an email asking them to contact the general AAdvantage customer service number, so that the member can be assured this is legitimate.
Essentially calling someone out of the blue and telling them there was fraud on their account, and then asking them to immediately create a new account with you while on the phone, doesn’t exactly seem like a best practice. Understandably many readers assumed this was a scam, because the process seems sketchy.
Second of all, I’m still not sure I understand why it’s necessary to create a new AAdvantage account, rather than just requiring a password change:
- It’s easy to figure out someone’s AAdvantage number; the full number shows on boarding passes, when you pull up an itinerary on aa.com (without logging into your account), etc.
- If someone were to hack your account online they’d need your password, so it seems like changing your password should prevent any issues online
- If someone were to try to redeem your miles by phone, they should be asked to verify personal details beyond just an AAdvantage number
Anyway, those are just my two cents…
Bottom line
I’ve just gone through the process of transitioning to a new AAdvantage account, after American corporate security allegedly discovered unauthorized access to my account. The process isn’t the end of the world, though it’s definitely mildly annoying. I guess I’ll find out for sure how annoying it is once I see if my AAdvantage info has actually transferred over correctly to co-branded credit card partners, Bask Bank, Hyatt, etc.
It seems that I’m not alone in having gone through this process, so hopefully this is a useful guide for anyone who finds themselves in a similar situation.
What do you make of this AAdvantage account transition process?
I just went through this same thing. Such a hassle. Although my Loyalty Points have not been transferred over to my new account yet, which is making me nervous, and AA has not responded to my inquiry about it.
Do you know how long it took for your Loyalty Points to show up in your new account?
Reasons why they insisted you need a new account:
Operation Cookie Monster:
https://www.cbsnews.com/news/operation-cookie-monster-fbi-genesis-marketplace-identity-theft/
https://www.bbc.com/news/uk-65180488
https://arstechnica.com/tech-policy/2023/04/operation-cookie-monster-feds-seize-notorious-hacker-marketplace/
I’ve heard that a person should never give out their social security numbers over the phone. Especially if they call you.
Ben sorry you had to go through this and still have a good attitude about it. I don’t understand how someone can try to access your account. They used a laptop and not a phone. I think American owes you more of a detailed explanation. That is unacceptable for the money you spend with them and how you can’t speak to their security. And happy Passover.
I am not surprised— I’m now in dispute with (not w/an airline) but with Hyatt who says after a ‘computer glitch’ my points were never deducted for an award stay. I am vigilant about checking deductions and balances remaining after I book a property, but nevertheless after three months of the stay in question they deducted more points from my account without any warning. From now on I’m going to take screenshots of everything because I think as time goes by it’s important to be able to challenge any discrepancies where airlines/hotels claim you owe them points, etc., and once they are deducted from your account, there’s not much you can say or do! I’m ready to give up with this point game — Help!
I agree it makes no sense that AA doesn't offer the option of two factor authentication. Marriott had a breach and wanted me to change my account number which I was extremely reluctant to do not only because I have it memorized but because it's a very low number and between that and my being Titanium desk agents take notice. Similarly I'd really be bummed to have to change my AA number which is 8 digits starting with the number "4" due to my signing up a few weeks after AAdvantage started.
AA may not have multifactor authentication but you need both the number and last name to log in which is more security than many banking sites. That wouldn't make a difference in Ben's case but for most everyone else the name is an extra layer of security.
As for wanting to keep your existing number solely for recognition purposes, even after a breach, that's the type of thinking that keeps cyber criminals in business.
I had a similar experience with AA except I found out from an AA email advising me miles were deducted from my account for an upgrade from Santiago to Miami. When I called AA I went through the same procedure to establish a new account. One difference I had to file a police report and submit it to AA before they would replace my miles. It also took quite a while for my Platinum status to be shown in my new account. When I called I was told that my Admirals Club membership had to be updated before status and the remainder of my miles could be moved to the new account.
It all got resolved pretty quick except when I got a Business Extra account statement later in the year I could not log into my account. When I called and described the account change I was told to send an email to Business Extra requesting my AA account number change. That took a few days and everything was fine.
AA is on the cusp of bankruptcy. I don't think they'll be spending money investing in 2FA.
"Essentially calling someone out of the blue and telling them there was fraud on their account, and then asking them to immediately create a new account with you while on the phone, doesn’t exactly seem like a best practice."
Someone at AA must have noticed your status or is familiar with your blog, or both, and probably thought calling you right away would offer a valued customer the best service. Unfortunately they didn't take into account that a call out of the blue would be viewed with suspicion.
"If someone were to hack your account online they’d need your password, so it seems like changing your password should prevent any issues online."
A hacker cannot guess your password if they don't know the other login credentials. That's why AA asked you for a different email address for the new account. It's up to you to keep your new number safe even if it's printed on boarding passes and checked bags.
One would think that by now all of our accounts would require a 2 step log in or at least a message alert. Yet that is not the case. It just doesn't make sense.
It's funny how ingrained some of our frequent traveller credentials are. I still know my old UA MP # (00113...), and my current AA, DL, AF, SQ, and Hilton #s.
For some reason I just can't remember my "new" UA number. Probably because I don't fly them much anymore, even though DC is home/a hub.
Is IAD really a hub for anyone? I feel like it's one of those airports where airlines just kinda...exist. Or unless you meant DCA, which I feel is more AA based, even though UA has a club there.
No ability to set up 2FA is a major risk with AA. The new account can be just as easily hacked again.
My AA account was hacked, miles used, and AA made it extremely difficult to get the miles back. They required a full police report to reinstate the stolen miles, and it's impossible to get it in time in Canada.
Maybe they use a similar approach like my company does: once an account is flagged for fraud, it cannot be whitelisted again.
My guess is the requirement to create a new account comes from AA knowing that whoever broke into your current one has enough information to change the associated email and reset your password.
Not an active AA flyer so not sure what it takes to update email associated with the account? Perhaps just phone number and current password?
They still need some better security checks, but conversely they still make it easy enough to help friends and family.
"I was told that it would take three to five business days for my account to be fully transitioned, and until that was complete, I could keep using my old AAdvantage number for any immediate travel; I could reset the password for my old account at this point"
LOL. Then what is the point of setting up the new number if the old one is deemed viable enough to use in the interim? Another example of security theater. Sorry you had to jump through these hoops and I hope everything gets transitioned over soon enough.
The thing that makes me nervous about AA/AAdvantage is the kiosks at the airport that allow you to access your reservation just by typing in the AAdvantage number. If you dropped your boarding pass or someone saw your AAdvantage number, then all they'd need to do is walk up to a kiosk and type it in, and then they could make changes to your reservation. There's no profit incentive to do that, but someone could do it just to be mean (whether it be to a stranger or someone they hold a grudge against). Am I mistaken about any of that?
AA, and all airlines should punish the perpetrator not the account holder.
If I was AA, I would collaborate with the account owner, build a 1 stop itinerary, dump them on the connection and ban them for life.
Have a stern warning, only purchase your ticket from a reliable source or run the risk of lifetime ban.
Another issue I encountered when creating a new AA account after fraudulent use was that the old account is linked to my Hyatt account. The AA and Hyatt agents both tell me that they see the new number updated, but I’m not getting the reciprocal earnings
I had to do this with Hilton when someone made a false booking on my account. I was lucky I checked my email because they had made it for that evening in the UK. Everything was fully refunded, but it's a hassle having a new ID number.