I need a new American AAdvantage account, and I’m kind of confused…
In this post:
Corporate security locked my AAdvantage account
Yesterday afternoon I received a phone call from American AAdvantage customer service. The agent stated that American corporate security had identified fraud in my AAdvantage account. You don’t usually want to hear “corporate security” and “fraud” in the same sentence, but I know that I’ve done nothing to violate the terms of AAdvantage, so I assumed the issue wasn’t with me.
She explained that I needed to create a new AAdvantage account. I was confused, naturally. I check my AAdvantage account daily, and hadn’t received any suspicious emails, or noticed anything unusual. I asked if I could just change my password, or if I really needed a new account, and the agent said a new account number was necessary, and that I should also use a new email address if possible. I asked if this was triggered by something specific, and she indicated that corporate security doesn’t give reasons, but that they had identified something.
She asked if I had 15 minutes to set up a new account. I said no, partly because I wanted to make sure that the phone call was legitimate, given that I’d presumably have to provide all kinds of personal details. She offered to send me an email, so that I can call back at any time. That email had the subject line “Please Contact Us to Secure Your Account,” and did indeed come from an American Airlines email address. It read as follows:
Please contact AAdvantage Customer Service regarding the unauthorized access to your AAdvantage account. American Airlines takes claims of identity theft very seriously, and we investigate each matter thoroughly to ensure no AAdvantage policies were violated.
We will need to speak with you in order to secure your account and file an award dispute. Please contact us at your earliest convenience by calling XXX-XXX-XXXX, Monday through Friday, 8:00 am to 7:00 pm CST, to complete this process. This process will take approximately 15-30 minutes. We will need to complete this process within 3 months of the date of the unauthorized redemption. We look forward to assisting you with this matter.
Furthermore, at this point I tried to log into my AAdvantage account, and noticed that it was locked.
I’m confused by what triggered this?
There’s quite a bit of fraud with both airline and hotel loyalty programs, whereby people manage to steal points and make redemptions. So it makes sense for airlines to manage this proactively, to minimize the loss associated with these activities. What I find strange here is that I didn’t notice anything suspicious:
- I didn’t receive any emails about information on my AAdvantage account being updated, or about an itinerary I didn’t book
- As recently as a few hours before I got this call from American, all my miles were still in my account
That leads me to believe that someone wasn’t actually successful with what they were trying to do?
I’m also confused by the need to create a new AAdvantage account? Couldn’t I just change my account password, or was someone attempting to steal my miles by making a booking by phone? I’m only hesitant to do this because I’ve had my AAdvantage number committed to memory for 15+ years, and I don’t love the prospect of having to remember a new one. You might as well give me a new Social Security Number, while you’re at it!
I’m sure American knows something that I don’t, but I’m curious if anyone else has dealt with something similar, and knows what could have triggered this, given the lack of obvious signs?
Over the years I’ve had my fair share of “unauthorized” access to my travel reservations, in the form of people trying to change my flights or hotel reservations (I’m not sure I understand why someone cares enough about me to do that, but…).
I do think airlines and hotels should do a better job “protecting” reservations, since it’s easy enough to figure out a confirmation code by calling, and with that information you can make quite a few changes. But I suspect that’s unrelated to this issue.
Bottom line
Apparently I need a new American AAdvantage account number, as corporate security has decided that there was unauthorized access and/or fraud on my account. I have to set up a new account by phone, and I’m guessing it will take me years to not just naturally rattle off my old AAdvantage number when it’s needed.
While I know that unauthorized access to frequent flyer accounts is common, I find this to be a rather unusual situation, given the lack of any signs.
Has anyone dealt with something similar from AAdvantage?
I received an email at 6am EST , congratulating me on booking award travel. Someone booked a 55,000 business class trip from ABJ to CMN (cote d iviore – morocco).
Called AA, waiting for the “security department” to call me back. Agent blocked my account and I can’t login now. Bummer that I am due to receive a 60,000 AA bonus miles promo any day now.
A similar situation just happened to me. Someone logged into my Advantage account, changed my email, and stole 35,000 miles to book two tickets from Dallas to Indianapolis. I live in D.C.
When I called American, they locked my account and had me go through the process to create a new account. The catch is they won't return the $1000 worth of reward miles unless I provide them with a police report listing the names...
A similar situation just happened to me. Someone logged into my Advantage account, changed my email, and stole 35,000 miles to book two tickets from Dallas to Indianapolis. I live in D.C.
When I called American, they locked my account and had me go through the process to create a new account. The catch is they won't return the $1000 worth of reward miles unless I provide them with a police report listing the names of the passengers who used my miles (which American obviously knows, since they allowed the purchase).
I then provided a police report, but American didn't read it - they continue to delay helping me saying they need more information from me about the incident (all of which is actually on the report I sent). I have since been on hold for several hours waiting on an American Airlines representative to answer the phone, only to transfer me to someone else who can't help.
This just happened to me, but not by way of a phone call. I was trying to log into my Aadvantage account and could not get in. So I tried resetting my password, and it showed an unfamiliar email address (it only showed a portion of the email address, but it had unfamiliar letters and digits). Also, my security questions were different. Then I called Aadvantage and they asked me to verify the address. The...
This just happened to me, but not by way of a phone call. I was trying to log into my Aadvantage account and could not get in. So I tried resetting my password, and it showed an unfamiliar email address (it only showed a portion of the email address, but it had unfamiliar letters and digits). Also, my security questions were different. Then I called Aadvantage and they asked me to verify the address. The address I gave them didn't match the one they had on file (they couldn't tell me what it was, but apparently it didn't match). Then they told me they couldn't do anything to help me, which was alarming. I persuaded the rep to look into it further and he put me on hold. I then searched my emails to see what else may have come in that I missed. And that's when I realized that American locked my account due to unspecified activity. And then I noticed that someone used miles to book a flight and a seat, as well as resetting my password. I have no idea how this person got the token in my email address to change the account unless he hacked my email. So now I have to call the fraud unit on Monday to find out how I get the miles back and resecure my account. I'll probably have to get a new FF number, which is irritating because I've had the same one for about 30 years.
Received 3 emails from AA that 200,000 miles stolen by three from Africa in July, 2023; contacted immediately to cancel flights booked using my miles. Filed the required police report but have yet to get confirmation that miles will be returned. Very frustrated as numerous emails not responded to.
I received the same email and instead of clicking anything I opened the app and found it was locked. I had to call the customer service line which did confirm that my email and other information had been changed and all my points redeemed last month. After the 15 minutes of talking with the security department, I did get a new account and had to file a police report...
I never call the number provided in an email like this. I had phone calls from one of my Charge Card accounts asking about possible unauthorized charges....the number on my phone was labeled on my phone with the name of the right company. I told them I would be calling to verify and they said yes, call this number back. I did not. I got out my Charge Card and called the number on it....
I never call the number provided in an email like this. I had phone calls from one of my Charge Card accounts asking about possible unauthorized charges....the number on my phone was labeled on my phone with the name of the right company. I told them I would be calling to verify and they said yes, call this number back. I did not. I got out my Charge Card and called the number on it. Sure enough, the call had not been from the Credit Card Company. The last record that they had of reaching out to me was 6 months earlier. They can spoof phone numbers. They can spoof email addresses. ALWAYS contact the company directly using the number the company has provided on your Charge Card, Your Customer Loyalty account etc.
I had similar issue. I had my Aadv. acct since 1989 a d reluctant to change as I knew that by heart. I changed my acct. all has been well.
I had a similar response from AA a few years back. Someone had tried to buy an award ticket using my miles from Pakistan. It was caught and the transaction was voided. AA demanded I change my email address attached to my account. As I only have 1 email, I could not. AA froze my account AND also didn't return the ~154k miles that were tied up in fraud. I switched to United and have not had a problem since.
Call the number on the back of your card or on your statement. That way you know who you’re talking to. Never respond to an email text message or phone call.
Any updates?
Excellent question.
I don't understand why they can't tell you what the triggering issue was. That is very frustrating
Scam alert. Likely locked out of your account because too many wrong attempts to guess password. Email address likely spoofed. I would trust it only if you call direct using the phone numbers on AA website NOT the email
Maybe you were WiFi hacked in your travels - foreign at a hotel or even WiFi on the plane. And someone got hold of your AA information and login and did a redemption.
AA sends out an email a few minutes after a reward redemption - did you get an authorized redemption email?
Same thing happened to me a cpl months ago. Phone call saying my acct was compromised. Had to create a new acct and all my previous reservations under the old number had to be ported over. Took a while to get my miles xferred over. And now resaved my new AA number to all my travel site profiles.
I found out a year later someone did steal all my points (This was covid) didn't travel much didn't check. They just had me change my password and credited my points. This is. Hotel loyalty.. IHG to be precise. This happened in Dec 2022
That sounds very possible. I had an email over a year ago saying my account was compromised and it became locked. I didn't action it for months because I'm outside the US. About 4 or 5 months ago I wanted to use my miles to book a flight but realized it was still locked. I contacted American and was told similar things as you mentioned in this article. She said I would have to create...
That sounds very possible. I had an email over a year ago saying my account was compromised and it became locked. I didn't action it for months because I'm outside the US. About 4 or 5 months ago I wanted to use my miles to book a flight but realized it was still locked. I contacted American and was told similar things as you mentioned in this article. She said I would have to create a new account with new number and wanted me to use a new email address as well. I went through it all, the process was fairly quick and they merged everything from my old account. So everything is there, just a new email and new number. The slow process for me was my miles had just expired but I flew on a partner airline month before they expired so they were able to recover my miles. But it took them a couple of months to verify everything with the partner airline.
Happened to me also. Someone accesses my AA account and redeemed miles for a flight in Asia. AA required creating a new account and transferring info over, but only reinstated the stolen miles after I provided a full police report. It's a pain to obtain a full police report in Canada, a Privacy Act request has to be filed, and then wait months to get the full police report in the mail. Police in Canada...
Happened to me also. Someone accesses my AA account and redeemed miles for a flight in Asia. AA required creating a new account and transferring info over, but only reinstated the stolen miles after I provided a full police report. It's a pain to obtain a full police report in Canada, a Privacy Act request has to be filed, and then wait months to get the full police report in the mail. Police in Canada do not give out police reports, just the file number. AA refused to reinstate the stolen miles with just a police case number.
While there is a real possibility that phishing on a convoluted level is happening, a call by you to AA might set your mind at ease.
The fact your account appears to be suspended might give some authenticity to this issue, and that's something a call from you might throw some light on what's happening.
If this all turns out to be legit, I would find it appalling that AA were not more transparent from the start. Poor Customer Service.
This literally just happened to me. Had to open a new account my phone. so far all my miles were transferred, and they said that my status and booked flights should transfer by tomorrow.
forgot to ask about loyalty points collected to data. kinda annoyed by this situation.
Never trust emails of it even slightly makes your spidey sense tingle. The address might look legit but it's not. I'm sure many of you have recently received "final warning on your coinbase account" email. It looks pretty good, the domain is indeed coinbase but you really need to know what to look for to see it's a fake and I don't expect 99.99999% of people to know where to look even if they are...
Never trust emails of it even slightly makes your spidey sense tingle. The address might look legit but it's not. I'm sure many of you have recently received "final warning on your coinbase account" email. It looks pretty good, the domain is indeed coinbase but you really need to know what to look for to see it's a fake and I don't expect 99.99999% of people to know where to look even if they are your neighbors IT programmer son. I once got a call like this and I have them the run around with fake info for 15 minutes. It was a fun afternoon.
As an IT consultant who deals with many corporate databases, I suspect that AA may have two Award Systems that are linked. The legacy system contains FF numbers (like mine) issued many years ago. That system may be based on an older technology that is more difficult to secure and update. I also suspect that system was hacked.
Since then, I'm guessing AA has implemented a new Awards system based on improved technology and...
As an IT consultant who deals with many corporate databases, I suspect that AA may have two Award Systems that are linked. The legacy system contains FF numbers (like mine) issued many years ago. That system may be based on an older technology that is more difficult to secure and update. I also suspect that system was hacked.
Since then, I'm guessing AA has implemented a new Awards system based on improved technology and much better security. So AA may be asking you to create a new account because it will be generated within that new system. Eventually, they hope to eliminate that legacy system.
Of course, this is all speculation, but I've seen this scenario happen before.
@Ehud Gavron 100%
This is how the phishermen go about their lowly craft. I have 20 years + in infosec. This reeks of a spear phishing attempt. I read down the comments a bit and it damn near broke my heart. Please, all, get this one done. Do not click on links in inbound emails. Do not take calls from "customer service". Do call the number on your exec plat card and ask for the...
@Ehud Gavron 100%
This is how the phishermen go about their lowly craft. I have 20 years + in infosec. This reeks of a spear phishing attempt. I read down the comments a bit and it damn near broke my heart. Please, all, get this one done. Do not click on links in inbound emails. Do not take calls from "customer service". Do call the number on your exec plat card and ask for the security people. When in doubt (all the time BTW) hang up and call back. I can think of no valid reason to require a new AA account. None, other than stealing all your points.
I had an issue with Southwest over the summer. I had gotten an email that my account had changes but didnt see it for a few hours and when I finally looked at the email, I went to Southwest and couldn't login. I finally was able to get logged in by calling Southwest and the agent and I discovered that my account was hacked. They had almost wiped my 100K Rapid Rewards and went shopping,...
I had an issue with Southwest over the summer. I had gotten an email that my account had changes but didnt see it for a few hours and when I finally looked at the email, I went to Southwest and couldn't login. I finally was able to get logged in by calling Southwest and the agent and I discovered that my account was hacked. They had almost wiped my 100K Rapid Rewards and went shopping, not even travel related...(I would buy a flight, just saying!) and they had to lock down my account - the hacker changed address and email address on the account. We had to get Southwest security or customer relations involved and it took I think about 4-6 weeks until I could use my account again. I had to redo password but my number stayed the same. It was a big hassle as I couldn't purchase flights on my account either. Good Luck! And I agree always call the numbers that you know not from an email as the email information can be scam.
Others have spoken to this phishing attempt. Clearly it is.
Others have said call your Advantage Prem desk directly at its usually listed number -- NOT anything in the email you received. EVEN IF that email had the right number, likely there was a link to quickly do it all online and THAT is where they get your info.
AAL doesn't need to change your acct number, as the real AAL will happily tell...
Others have spoken to this phishing attempt. Clearly it is.
Others have said call your Advantage Prem desk directly at its usually listed number -- NOT anything in the email you received. EVEN IF that email had the right number, likely there was a link to quickly do it all online and THAT is where they get your info.
AAL doesn't need to change your acct number, as the real AAL will happily tell you. You can always explain "I"d like to keep my number as it is embossed on my luggage tags and branded on my Saddelbag Leather Co saddlebag luggage.
The phishermen are getting creative. The rule of thumb has always been: hang up. Delete the email. Call a known-good number and work it out. Give nothing without getting something. For example when asked for my last trip date I say "Tell me the first half of the PNR and I'll tell you the rest" or "What's your credit card number?" Give them the first real 12 digits and a fake last four. The real AAL will test it instantly. A fraudster won't.
Finally, I haven't see others say this but in the INFOSec world we say: "If you're not 100% happy with the conversations or the questions, HANG UP and call back in, and say you were disconnected and can the rep look up the previous call." Fraudsters don't yet use CRM backends to track their fraud. They will one day.
No, this was real, not phishing. Plenty of data points here (including my own) where AA assigned a new number using this exact process. In my case, I received an inbound call where I didn't have to provide anything other than a new email address (for which I gave a unique one), and the flurry of emails followed from AA with all of my personal information pre-filled. I just had to set a password.
Spidey...
No, this was real, not phishing. Plenty of data points here (including my own) where AA assigned a new number using this exact process. In my case, I received an inbound call where I didn't have to provide anything other than a new email address (for which I gave a unique one), and the flurry of emails followed from AA with all of my personal information pre-filled. I just had to set a password.
Spidey senses tingling the whole way, since this is not anywhere near the proper way to handle things from a security perspective, but it's what AA does.
This kinda happened to me last week. Only difference is I had to call AA customer service after receiving an email at 3:30 AM confirming an award redemption. Someone hacked my account and booked a flight from LHR-BOS-JFK using 218,500 miles. By the time I called the passenger was on the flight to BOS but they were able to cancel their ticket from BOS-JFK. Later in the day, corporate security called me to create a...
This kinda happened to me last week. Only difference is I had to call AA customer service after receiving an email at 3:30 AM confirming an award redemption. Someone hacked my account and booked a flight from LHR-BOS-JFK using 218,500 miles. By the time I called the passenger was on the flight to BOS but they were able to cancel their ticket from BOS-JFK. Later in the day, corporate security called me to create a new account. I pushed back a little bit since I also had all my info memorized, but they insisted. All my remaking miles and status transferred within 24 hrs. They required me to file an identity theft report with local police. I won’t get my miles back until they get the report.
This should be traceable right because they would have had to show their passport to get on the plane?
Same thing. I now I’m not a member of American. Happy.
My aunt's account was locked one time. When we called, Corporate Security asked for time to investigate. When they called back, they pieced together the events. My aunt booked an award flight. Since she didn't have enough miles, I purchased a few hundred miles for her. Some weeks later while reviewing credit card statement, I saw an unfamiliar AA charge. I contested with my card issuer and was successful in getting it removed. But it...
My aunt's account was locked one time. When we called, Corporate Security asked for time to investigate. When they called back, they pieced together the events. My aunt booked an award flight. Since she didn't have enough miles, I purchased a few hundred miles for her. Some weeks later while reviewing credit card statement, I saw an unfamiliar AA charge. I contested with my card issuer and was successful in getting it removed. But it was actually me purchasing the miles! Needless to say, my aunt's award was cancelled and she had to create a new AA account because AA suspected fraud. She got the miles back though.
I haven't had an issue with American, but I decided to switch over to Alaska's Mileage Plan two years ago, and had a much *worse* problem occur – one for which I received literally zero info from the airline. Someone hacked into my account & used 160,000 miles to purchase two one-way tickets on Qatar Airways between Doha & somewhere in Australia, of all places.
The "worse" part is that Alaska didn't notify me when...
I haven't had an issue with American, but I decided to switch over to Alaska's Mileage Plan two years ago, and had a much *worse* problem occur – one for which I received literally zero info from the airline. Someone hacked into my account & used 160,000 miles to purchase two one-way tickets on Qatar Airways between Doha & somewhere in Australia, of all places.
The "worse" part is that Alaska didn't notify me when the hacker changed my account's primary email address to obfuscate their actions. It was a total coincidence that I happened to log onto my account the following day, only to discover the missing miles.
I called the airline's help desk immediately, of course, and the news I heard was grim. I already knew I was the victim of a serious hack either in 2020 or 2021 – someone opened up a Walmart+ account in my name, and used it to purchase a top-of-the-line iPad Pro - using ALL of the info off of one of my credit cards, down to the CVC number. Alaska's rep told me that they'd had numerous reports of similar incidents, and that it almost certainly means the bulk of my personal info is circulating on the dark web.
Worse still, they said that even changing my password OR my Mileage Plan account number likely wouldn't work – and also made a point of noting that while they reimburse you for stolen miles, they only do it once. The ONLY option to fully prevent such an occurrence was, according to them, cutting off ALL online access for purposes of using my Alaska miles. Nowadays I have to call them each time I want to redeem them for a ticket – and yes, that's a massive PITA.
To this day I'm unclear why on *earth* I didn't get an instant email notification that someone changed my master email address on Mileage Plan. They changed it; booked the Qatar ticket; and then changed it back to its original email afterwards. That said, I still have a considerable number of miles on my AAdvantage and SkyMiles accounts (many more than on AS) – and I've had the latter for 20+ years, versus under two for AS (and 12 years w/AA). I'm guessing these dark web hackers figured out a hole in Alaska's authentication protocols, namely the fact that it doesn't notify accountholders if anyone makes a change to their personal info.
The same thing happened to me the other day. Its like you wrote up exactly what happened to me. They could not tell me what triggered it and said that if I didn't open a new account and transfer my miles to the new one they wouldn't be held liable if someone drained my old account. Not only is it a pain to set up but I'm assuming I'll have to notify Citi, and Barclays...
The same thing happened to me the other day. Its like you wrote up exactly what happened to me. They could not tell me what triggered it and said that if I didn't open a new account and transfer my miles to the new one they wouldn't be held liable if someone drained my old account. Not only is it a pain to set up but I'm assuming I'll have to notify Citi, and Barclays as well as change over all the other linked accounts. I'm delaying doing this as its going to be a nightmare.
The new account is "merged" via an established batch process, just as if your US and AA accounts needed to be merged, so there's a backend process for the issuers (or at least Citi) to be notified about the change. Mine happened seamlessly.
Yes. I have had similar issues. I use my AA account to book flights for work, and apparently my flights were canceled and rebooked without my consent. It has only happened twice, but this was an odd thing to happen.
Had to create a new account when Jetblue account was hacked
This happened to me last week as well. As I've seen in other comments, based on the timing it seems like there could have been a large data breach at AA. The person booked 2 flights even though I caught it while they were in the air for the first flight and let American know immediately. They're now making me file an identity theft report with my police department before they will give me my points back.
This is why it’s frustrating that AA won’t share info with AwardWallet, I like seeing balance changes across accounts all at one time
@Ben I contacted AA via twitter and they agree that this sounds like a possible phishing attempt. They recommend calling them directly:
"We always want customer accounts to remain safe and secure. It's best to always call American directly via the numbers you're familiar with, and not click links or provide info from a questionable source. Any possible phishing can be reported to our team of investigators here: http://bit.ly/AA_Phishing"
I’ve had my account number changed at least twice in the past with new passwords required but never a new email address. That part seems a bit suspicious.
Someone accessed my account to book a first class ticket from MSP to PVD via ORD. I called AAdavtage and they were less that helpful and just told me “Someone from our fraud department will be in touch with you.” I took matter into my own hands and cancelled the reservation while the person was on the ground at ORD. AAdvantage were very slow to reach out to me but did eventually refund the points once I provided a police report.
That's this former cop's dream ID theft case...I'd have been so freakin thrilled to have been able to simply wait at the gate for someone to board or deplane and then arrest them for fraud and ID theft. Best thing is, it's instantly a federal court case because it's almost guaranteed to be either an interstate or international crime.
this happened to me just last week, so it could be broader AA data breach. Could you please follow up with AA and report to us? My miles were taken, but they did not change my data at all (like password etc). Usually hackers would change the password and steal identity information, which is more valuable for them in the long run, but this was very different. Miles just gone but AA doesn't know how...
this happened to me just last week, so it could be broader AA data breach. Could you please follow up with AA and report to us? My miles were taken, but they did not change my data at all (like password etc). Usually hackers would change the password and steal identity information, which is more valuable for them in the long run, but this was very different. Miles just gone but AA doesn't know how and they don't tell me any details. I wanted to know if my account was the only one affected (so that I can take precautions for other accounts that I use the same email) but it seems like your account is and other comments indicate it seems like a broad issue just happened recently. Now they are asking me to have a police report within one month, which is quite hard for me on the road for more than a month...
This is a scam. Also be aware of getting a two-factor authentication text you didn’t initiate yourself. Never put in the code if this happens. You will give someone access to something
Happened to me as well, but there was at least fraudulent activity on my account that made sense as the impetus for the forced change. Whole process was very strange -- had to use a new email address, new security questions, etc, and my existing reservations were not updated with my new number. Happened in the middle of the trip so had to scramble to make sure everything was good by the time I got...
Happened to me as well, but there was at least fraudulent activity on my account that made sense as the impetus for the forced change. Whole process was very strange -- had to use a new email address, new security questions, etc, and my existing reservations were not updated with my new number. Happened in the middle of the trip so had to scramble to make sure everything was good by the time I got to the airport for my return flight.
I was using the same password for my AA account as I do for some of my hotel accounts.
Had the same happen to me a couple years back. It was linked to the massive Marriott breach since my Marriott account was linked to AA. Took 30 mins to get a new AA number and had all my miles and status transferred overnight.
This happened to me as well to thousands of others as i found out while discussing it with an agent. Account numbers stolen and mine was part of that group. Never had anybody use my miles. After i repeatedly kept stating i didnt want to change my account number, agent finally gave in speaking from her pre-worded statements. Just had to reply to an email and i only had to create a new stronger password. Which i now forgot.
Last month, my AAdvantage account was accessed fraudulently and the hacker used my miles to book a next-day flight within India. I received an email about the redemption and called AA immediately to report the incident.
AA required the creation of an entirely new AAdvantage account and stated that my information would be transferred over in a few days. I also had to file a police report if I wanted to get my miles...
Last month, my AAdvantage account was accessed fraudulently and the hacker used my miles to book a next-day flight within India. I received an email about the redemption and called AA immediately to report the incident.
AA required the creation of an entirely new AAdvantage account and stated that my information would be transferred over in a few days. I also had to file a police report if I wanted to get my miles reinstated. AA sent me an email with the specific wording required for this. While annoying, the process was relatively straightforward and I received my miles back (into my new account) 2 days after submitting the police report to AA.
What's odd is if you canceled the reservation before they flew, it should have automatically refunded you your miles.
I've never had AA miles reinstated from award cancellation until I ask, so now I ask right away.
I had the same thought. In my case, I had to ask AA to do it for me, since the award redemption emails don't have the PNR on them, and as part of that disclosed.the security breach. I was told I'd have to contact corporate security to get them redeposited.
This happened to my spouse about a year ago. Someone managed to guess his (admittedly weak) password, probably through internet scraping, and bought about a dozen tickets for different people to fly between India and various cities in the middle east. it all happened in a day's time or so and we weren't in a position to be closely looking at emails. about maybe 150,000 miles cleaned out.
However, in addition to following this procedure...
This happened to my spouse about a year ago. Someone managed to guess his (admittedly weak) password, probably through internet scraping, and bought about a dozen tickets for different people to fly between India and various cities in the middle east. it all happened in a day's time or so and we weren't in a position to be closely looking at emails. about maybe 150,000 miles cleaned out.
However, in addition to following this procedure identically as described in this post, AA provided specific wording on what to type up in a police report. We live in a big enough city where filing an online police report takes just a few minutes and it's entered into the permanent record, never to be followed up on again. Upon providing that police report, AA re-posted all of the cleaned out miles.
So, while this process is annoying, there are plenty of people, mostly overseas, who probably spend all their time trying to break into people's online accounts and clean out points before anyone notices.
Hopefully you aren't losing your existing miles balance due to this? I think you had bought a big stack back during the SimplyMiles promo a couple years ago (So did I) and may still have a big chunk of miles from it left.
This happened to me in 2019. I had to give up my account I had since 2004. But, once I called they were very helpful and transferred all my details to a new account within 20min. Luckily, I didn't lose any miles etc. I heard of people have lost miles etc. By now, I am used to my new account - but it did take me a few month.
Another way you will get scammed is not dialing the AA reservation number correctly, being off by a number or two, and getting connected to a scam center in India. This happened to me. It all seemed so legit until they started asking me for answers to my security questions.
As many others have said, it is possible for an email address origin to be spoofed as well. It's not super likely, but contact AA via a channel you are 100% sure is real and get them to confirm that way before going any farther.
As others have hinted at, there are definitely other PITA repercussions of getting a new aadvantage number. By far the worst one I've experienced is that many earning and transfer partners will give you a hard time when trying to link a new/second account number to them. Took me 6 calls over the course of a month for Chase to finally OK that my old Flying Blue account went dormant and that I was forced...
As others have hinted at, there are definitely other PITA repercussions of getting a new aadvantage number. By far the worst one I've experienced is that many earning and transfer partners will give you a hard time when trying to link a new/second account number to them. Took me 6 calls over the course of a month for Chase to finally OK that my old Flying Blue account went dormant and that I was forced to create a new one by the airline.
TLDR: If you get a new number, fix all the links to earning/transfer partners ASAP to avoid potential delays. Could take a month +
Happened to me a couple of years back. Got a new advantage number issued. It was linked only to bask bank and I was able to get it linked to the new number. Suspect a wider breach that they have not disclosed.
It is possible that your account number and personal details were found to be part of a security breach. Companies are, slowly, getting better at heading off fraud by proactively de-activating accounts whose details may have been compromised. This is to say that there are two possibilities. One is that someone called in to request a booking or transfer of points, but for whatever reason caused suspicion; no activity would show on your account. Another...
It is possible that your account number and personal details were found to be part of a security breach. Companies are, slowly, getting better at heading off fraud by proactively de-activating accounts whose details may have been compromised. This is to say that there are two possibilities. One is that someone called in to request a booking or transfer of points, but for whatever reason caused suspicion; no activity would show on your account. Another possibility is that your account number and personal details were stolen as part of a wider attack on AA or a partner you have used, and AAdvantage is proactively resetting accounts involved in the breach. I agree that the safest course of action is to call a trusted AAdvantage number and ask to be transferred to the right folks.
There have been a few comments like the one above. It would be quite helpful for the posters to report what they actually did to make sure that the request to change their account number -- a move with many repercussions, some quite negative if one has linked accounts -- was legit.
That you changed your account number and then ran into all sorts of problems would make it seem like you did something that you were not supposed to do !
How did you establish that the request was legit ?!!!
Bear in mind that your account could have been locked due to unusual activity initiated by someone (too many failed login attempts?) that may not cause an email notification, and they have obtained your phone number from some other source. Now they could be trying to obtain enough information from you to allow them to impersonate you and take your new account under their control. The safest route is to call AAdvantage and explain that...
Bear in mind that your account could have been locked due to unusual activity initiated by someone (too many failed login attempts?) that may not cause an email notification, and they have obtained your phone number from some other source. Now they could be trying to obtain enough information from you to allow them to impersonate you and take your new account under their control. The safest route is to call AAdvantage and explain that the account is locked and you've apparently been contacted by their security team. Be suspicious!
Had the exact same thing happen about 3 months ago, as did my partner and another friend living in TX. It's a pain to change, but since making the change, no issues.
@Ben , I would definitely call AAdvantage Customer service first, tell them about what went on, and ask if the number listed in the email is legitimate, and a number known to them.
If they cannot resolve the issue themselves, and need you connected to that department, I would ask them to transfer you directly.
This happened to me recently, and I did the same thing (i.e., didn't sit with them on the phone + verified that this wasn't a phishing attempt).
That being said, the most frustrating part was that my previous AAdvantage number was tied to my Hyatt account so that I could double-dip.. I haven't had any luck getting Hyatt to update my AAdvantage number (or the reverse). Hope you have an easier time about it!
Exactly the same thing happened to me.
I had to change the AAdvantage number I have had for the past thirty years.
None of my existing reservations updated and it has been a nuisance manually updating every reservation and making sure all of my miles from other partners get credited to my account.
I agree they should have simply required a password change. I saw no unusual activity on the account.
Ben, given that *some* problem exists, only use a means to resolve it that is known and trusted (as opposed to some email). That is, you call AA directly at the number posted on AA's website. Use no other means to resolve this issue.
It happened to me about 10 years ago. Never found out what the problem was. I had the same frustration about getting a new number. To this day I really have to think hard to remember the new number but can easily remember my original number.
Exact same happened to me. I am a CK and received the same call regarding needing a new account. AA rep informed it was due to a breach at a major hotel partner. In my case, it turned out to be Marriot. Somehow, because the accounts are linked, my AAdvantage information was also compromised. I did change after 30 years with same AAdvantage number. Miles transferred over. All good but very strange to have new number.
Same exact thing happened to me about one month ago. I was in the middle of a trip and it caused all sorts of problems with boarding status, Admirals Club access and check in. It’s all behind me now, but what a mess!
Noticed someone booked a couple of Hilton nights in china last year (got the email immediately), when I called Hilton to resolve it, they had me create a new account, and restored the points. Trying to memorize the new number was indeed a PITA...
My account got locked too. Maybe it’s a wider issue? Email in my locked account is from someone else. Had to call customer service to change it back and unlock
This happened to me after I had signed up for the TPG app. It was very annoying considering I had my account number since I was a teenager.
Same thing happened to me w/AA 4-5 years ago. Had to get a whole new number, and was not optional. Was not a heavy AA traveler by then and didn’t have many redeemable miles so only so much that could have been done with my account.
That is still not good enough because email addresses can be spoofed. The way I would handle this would be to wait for the email, and then to call, not a number provided in the email,...
That is still not good enough because email addresses can be spoofed. The way I would handle this would be to wait for the email, and then to call, not a number provided in the email, but (in my case as a top UA elite) the UA 1K desk that I have used for years. I would report the issue and ask to speak with the airline's security people. That is foolproof because I initiated the call to a phone number I know I can trust.
Looks like a phishing/spearfishing attempt.
I agree. If it smells like phish, that's because it phish!
@ John @ DCS -- While the execution here is strange, in fairness my AAdvantage account number is locked, so this does seem to be legitimate.
Can't they get the password wrong a few times and trigger an account lock?
@Ben -- I hope you are right because a good phisherman could use something from your brief interaction so far to lock an account even without accessing it.
I still would independently verify, through a channel not at all associated with the initial contact person, that the problem is legit.
@Ben
Maybe it was locked due to too many failed login attempts. Tread lightly.
"my AAdvantage account number is locked, so this does seem to be legitimate"
No, a malicious person could have first caused your account to be locked (e.g. try to log in to it too many times). Then once it's locked, contact you pretending to be AA.
You would need to see the full email header to know that. Of course anyone can change the reply-to. That's child's play. Much harder to fake the AA server names.
That would really piss me off. I've had my AAdvantage number since 1993 (30 years) and from a opsec standpoint, I cannot understand why they would make you create a new account. They don't even cover it up on boarding passes which I seem to lose or carelessly discard every once in a while.
Change the user name, change the account email, change the phone number associated with the account, change the address.
My guess...
That would really piss me off. I've had my AAdvantage number since 1993 (30 years) and from a opsec standpoint, I cannot understand why they would make you create a new account. They don't even cover it up on boarding passes which I seem to lose or carelessly discard every once in a while.
Change the user name, change the account email, change the phone number associated with the account, change the address.
My guess is someone is trying to reset your login credentials but wouldn't you get some email about that ?
Very odd.
@ John G -- Yeah, I'm confused too. If they tried to reset my log-in credentials, I would have received an email. And if they tried to change my email address on file, I would have also received an email about that.
Very strange. Are you able to view the account via Barclays ? I can see my current mileage balance by logging into my Barclays AA account. See if you can view the balance from there.
Unrelated to AA but I have a friend who had a few million Miles and More stolen from him. Someone was able to create a duplicate membership card barcode and make it appear to be in the apple wallet. They...
Very strange. Are you able to view the account via Barclays ? I can see my current mileage balance by logging into my Barclays AA account. See if you can view the balance from there.
Unrelated to AA but I have a friend who had a few million Miles and More stolen from him. Someone was able to create a duplicate membership card barcode and make it appear to be in the apple wallet. They then used the miles for duty free purchases in Germany. I presume they had an ID made up as well but maybe they don't check that. Miles and More didn't even catch it- he figured it out like a year later (older guy who doesn't check his account).
Depending on what email service you use, a hacker with access to your email account can set up macros / mail handling rules to automatically divert certain messages or categories of messages (e.g., all commercial messages) so they don’t appear in your inbox. More sophisticated hacking efforts will gain access to multiple interconnected accounts and services of an individual over time to exploit.
Check your deleted emails. They may have access to your email. That is what happen with me with Netflix. I thought I didn’t get any emails about it. But they went ahead. Access my email account. Deleted the emails (not from the deleted folder). And that is how they were able to change the password. And email of the account.
in a situation like this I would ask them to note my account and I will call back through the normal AA frequent flyer account customer service. They can transfer me to this corporate team if they need to.
I’d call the customer service number at AA listed on the website. Email senders can be spoofed as well, so I wouldn’t trust the number in that email for something so unusual.
I has this happen to me with flying blue a few months ago. I noticed nothing suspicious in my account yet I received email and text messages. Instead of creating a new account, I simply needed to change my password however. No explanation of what triggered the alert was detected.
Are you sure the call itself wasn't fraudulent?
@ grichard -- I was initially skeptical of that too, especially since I was supposed to give all kinds of personal information by phone. While you could fake a caller ID, the email came from [email protected], so it does seem to be legit.
How did you verify the Mail really came from said address? Everyone can spoof any random mail address as sender.
Although it's harder, the from address of an email can be spoofed too. Search for "sender address spoofing".
I would be highly suspicious the interaction really came from American Airlines if you can still access your account as normal. You would think the first thing they would do in this situation is lock down access.
@ putout -- Unfortunately I am locked out of my AAdvantage account...
Hm OK, likely to be legitimate then. My guess is someone knew your email address and some other details and contacted American to try to book an award, or claim one of your recent award bookings was unauthorized. As to why, well, same reason why someone would try to change or cancel your reservations.
That could just as easily be part of the phishing attempt. Purposefully keep trying to access an account with an invalid password to get an account locked so it looks legitimate? Legitimate AA wouldn’t need *you* to give them details to create a new account. They could just say here’s your new Aadvantage number, please use it going forward. Sounds very much a scam to me