
I’ve nothing to add to the BA hacking saga, but feel free to add your comments here


A huge percentage of Head for Points readers, including myself and my wife, are currently locked out of their Avios accounts.

Changing the password simply shows a zero Avios balance which BA appears to have confiscated ‘for my own good’.

I don’t know anything more except what has been said in the email below. Looking at reports on Flyertalk, it seems that there is NOT a specific exterior service causing the problem.  AwardWallet and TripIt have NOT been compromised.


However, my best guess is that BA is trying to find accounts which HAVE been the target of suspected hacks.  If you are registered with AwardWallet then your account will have been accessed from outside the UK by AW on a regular basis and this may have flagged you as high risk.  This is only a guess.

I have nothing more to add which adds to the discussion, to be honest.  We can use this article for comments on the topic, however.

The letter from BA goes:

Dear Customer

British Airways has become aware of some unauthorised activity in relation to your Executive Club account.

This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to your Executive Club account.

We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.

We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.

We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.

If you use the same login details for your Executive Club account as you do for your online accounts with any other organisations, we would also recommend that you change the passwords for these accounts, as well as exercising vigilance regarding any unusual or suspicious use of your personal data.

For a short period of time, as a precaution, we have also suspended the use of Avios on your account. We will let you know when this suspension period is over.

In the meantime, however, if you wish to spend your Avios please contact us via your local Executive Club service centre. We will be able to reactivate your account by asking you some additional security questions.

We are sorry for the concern and inconvenience this matter may have caused you and would like to reassure you that we are taking this incident seriously.

British Airways Executive Club team



Comments (146)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Johnny5a says:

    My whole family are not affected. Looking at the awardwallet statement and talking to others about this, seems like those who are affected use username/email address to login.

    I’ve found the people who are not affected are those who use their EC number to login.

    • Alan says:

      Sorry but need to dash that theory – both myself and a friend both only use BAEC numbers as ID for logging in and both of us have had our accounts zeroed.

      • david cliff says:

        Me too, I use my Exec number to log in and a random made-up password (not an e-mail or any kind of username) and my account has been suspended. I’m a little annoyed as I was not contacted by BA about this, and I’ve just spent a rather frustrating 40 mins on the phone to get the link sent to me to re-set my password.

        • Johnny5a says:

          Further discussions with friends who have been affected by this.

          My family can only login using our exec numbers, not email not username.

          Turns out some accounts can use either exec numbers or email address or a username

    • Kevin says:

      My whole family use EC number to log in and AW. All four have been locked out.

  • Save East Coast Rewards says:

    On a positive note my BA account has been unaffected which is good because I want to spend some Avios.

    Hopefully those that are wanting to spend will get their issues sorted out soon.

  • Andy says:

    locked out of my account and haven’t had an email from BA.

    • Raymond Hennessy says:

      I use a BAEC # to log in and have been locked out. Have not received an e-mail from BA and have tried to reset my password, but also have not received an e-mail for this (no problem with my e-mail as I receive plenty of marketing guff from BA).
      Have no particular need for accessing my account right now, so will leave it till next week and see if it resolves itself.

      • John says:

        I tried resetting my password last night, but no email came. I did it again first thing this morning when they were less busy and the email came instantly.

    • Andrew (@andrewseftel) says:

      I’m also locked out, no email.

      Amazing what you can get away with in other industries. Banks would be in big trouble with the FCA!

    • Think Square says:

      I wouldn’t be surprised if many of the (near-identical) emails have been eaten by spam filters.

      Mrs Square got the original email but her password reset email hasn’t turned up.

    • david cliff says:

      I didn’t get one either.

  • John says:

    Locked out, Avios total zeroed and no email from BA.

    It’s a total shambles the way it’s being handled. Not even a mention of it on their web site. No wonder their phone lines are at meltdown!

  • Gordon says:

    I managed to get through on the phone and they took me through the usual verification of name, address, dob etc. They told me the points would be reinstated before the end of the day. I seriously can’t see that happen but let’s wait and see.

    • Carl says:

      I was told the same yesterday morning, when I noticed my Avios was taken “ex gratia”.

      An hour later I couldn’t log in at all. Thought it was just my account, clearly not.

    • david cliff says:

      Really ? I have just been advised it will be 7-14 days to get my points re-instated !!

  • Marko says:

    I have been told that after a password change it will typically take 5 working days to reinstall the points. However, award transactions will be possible via phone free of charge. The phone lines are incredibly busy.

    I personally find it good that BA information security acts that proactively and deals with a breach of a third party so effectively. Please be nice to the people in the call centre!

    • RIccati says:

      They should really have thought through the consequences. I.e., they could have blocked suspicious redemptions (such as when credit card not in the name of account holder) and then dealt with specific cases IF there were any actual breach.

      I am yet to see anyone report being actually ‘hacked’, here or on Flyertalk.

  • Peter says:

    Locked out. No email.

    Tried to change password, but each time I try I get an error.

    No rush to use points so going to sit it out…

    • James says:

      No email here either.. It is pretty bad that this has happened without a word from BA. So long as they are back in time to book redemptions before April 28th 🙂

      • David BS says:

        Same here. It would be helpful if a general update was posted by BA since so many affected. Customer service?

  • Richard says:

    The phrasing of the email from BA is a bit confusing – but as an IT professional in a previous life, I can make a fairly confident guess at what’s happened.

    Lots of people (I’m sorry to say, myself included) use the same password for several completely different websites. For example, my BA password is the same one as I use to log into the Guardian website. I shouldn’t re-use passwords like that, and I certainly shouldn’t admit it in public, but almost everyone does.

    Occasionally a website gets hacked (for example, LinkedIn was notoriously hacked a couple of years ago), and a whole load of email addresses and passwords get leaked. The affected website – LinkedIn in that example – fixes the problem on their own site by forcing everyone to change their passwords. But if you’ve used the same email address and password on other websites, then your account on those websites is compromised, because your password is now out in the open.

    Of course, there’s no easy way for anyone to *know* that you’ve used the same password on (in this case) the BA website. But a hacker who wants to attack BA accounts can just get a big long list of compromised email addresses and passwords, and try them one by one. Occasionally they’ll get lucky.

    My reading of BA’s email is that this last bit has just happened. So the email addresses and passwords might have been leaked a long time ago, possibly from hacking attacks against a variety of different websites. Most likely, those websites had nothing whatever to do with air travel. But recently, someone thought to try all these leaked combinations on the BA site; BA have noticed that happening and (very rightly) taken action.

    So, please everyone, let’s not go overboard being outraged. It’s annoying, but I think they’re handling it very well.

    Oh, and on the point that you can still be locked out even if you use your BAEC number to log in… BA does know your email address though. So they might have decided to err on the safe side, and lock your account if the attacker tried to log on using your email address and correct password. The login wouldn’t have worked, but it would still demonstrate that your password was compromised and ought to be changed. Again, if that *is* what’s happened, then BA have done exactly the right thing.
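The pattern Richard describes, and that BA's letter calls "an automated process", can be picked out of login logs. The following is an added example, not part of the original post or comments and not BA's method: the log format, thresholds and addresses are constructed assumptions, and a single source address stands in for what would usually be many. It also shows why an aggregator such as AwardWallet can resemble an attack by account count alone, and how success rate separates the two.

```python
from collections import defaultdict

# All thresholds are assumptions for this example, not known BA values.
MIN_ACCOUNTS = 5           # distinct login ids tried from one source
MAX_TRIES_PER_ACCOUNT = 2  # stuffing tries each leaked pair once or twice
MAX_SUCCESS_RATE = 0.5     # leaked lists mostly fail; stored aggregator logins mostly succeed


def build_sample_log():
    """Constructed log lines: '<time> <source-ip> <login-id> <OK|FAIL>'."""
    lines = []
    # Source A: one attempt per account from a leaked list, 2 of 8 succeed.
    for i in range(8):
        result = "OK" if i in (2, 5) else "FAIL"
        lines.append(f"00:00:{i:02d} 203.0.113.7 user{i}@example.com {result}")
    # Source B: aggregator-like, many accounts, every login succeeds.
    for i in range(6):
        lines.append(f"00:01:{i:02d} 198.51.100.20 member{i}@example.com OK")
    # Source C: one person mistyping their own password, then succeeding.
    lines += ["00:02:00 192.0.2.44 carol@example.com FAIL",
              "00:02:09 192.0.2.44 carol@example.com OK"]
    return lines


def analyse(lines):
    """Return {source_ip: [accounts with a successful login]} for suspect sources."""
    attempts = defaultdict(int)
    logins = defaultdict(set)
    successes = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines
        _, ip, login, result = parts
        attempts[ip] += 1
        logins[ip].add(login.lower())
        if result == "OK":
            successes[ip].add(login.lower())
    flagged = {}
    for ip, ids in logins.items():
        tries_per_account = attempts[ip] / len(ids)
        success_rate = len(successes[ip]) / len(ids)
        if (len(ids) >= MIN_ACCOUNTS
                and tries_per_account <= MAX_TRIES_PER_ACCOUNT
                and success_rate <= MAX_SUCCESS_RATE):
            # These accounts accepted a reused password: lock and force a reset.
            flagged[ip] = sorted(successes[ip])
    return flagged


if __name__ == "__main__":
    for ip, accounts in analyse(build_sample_log()).items():
        print(f"{ip}: suspected credential stuffing, lock {accounts}")
```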

    • RIccati says:

      Except for the small ridiculous fact that ba.com password reset accepts the old password to be set as new!

      • Paul says:

        Many IT systems don’t keep a password history, just the current one. I don’t know how BA locked the accounts but they may have done it by deleting the current password (so the password reset system wouldn’t know it was different).

        Their reset system may not have been designed with possibly hacked accounts in mind. Personally I find it frustrating when systems refuse to let you use a password you have in the past.
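The point raised in this sub-thread, a reset that accepts the exposed password again, can be closed without a full password history. The sketch below is an added example, not BA's system and not from the original comments: the `Account` class, its method names and the PBKDF2 work factor are assumptions. On lock-down the old hash is retained as revoked rather than deleted, so the reset step can still recognise it.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time check of a candidate password against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Hypothetical account record used only for this example."""

    def __init__(self, password):
        self.current = hash_password(password)
        self.revoked = []   # hashes of passwords known to be exposed
        self.locked = False

    def lock_after_compromise(self):
        # Keep the exposed password's hash instead of deleting it,
        # so the reset step can still refuse it.
        self.revoked.append(self.current)
        self.current = None
        self.locked = True

    def reset_password(self, new_password):
        # Refuse any password that was revoked; the account stays locked.
        if any(matches(new_password, s, d) for s, d in self.revoked):
            return False
        self.current = hash_password(new_password)
        self.locked = False
        return True

    def login(self, password):
        if self.locked or self.current is None:
            return False
        return matches(password, *self.current)


if __name__ == "__main__":
    acct = Account("same-as-other-site")       # constructed sample value
    acct.lock_after_compromise()
    print(acct.reset_password("same-as-other-site"))   # False: exposed password refused
    print(acct.reset_password("a-new-unique-phrase"))  # True: account unlocked
```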

    • Paul says:

      Am sorry but cannot agree. Avios is a currency and as such should have been protected by BA in the same way my bank protects my money. American Express when they detect anything unusual call me, my bank sends text messages and each provide clear concise information on how to fix things.
      BA sent an anonymous email addressed to “dear customer” in which they blamed a 3rd party. Many took that to Award Wallet who have now responded. It looks and feels like the type of email you should delete which is what I did. Once it became clear the problem was huge, I followed the reset process which did not work. I called this morning and got cut off so busy are the lines. When I did get through the 1st agent was clueless, genuinely did not know what was going on or how massive the issue was. The second was helpful but was unable to generate a reset email. You cannot book a flight even via the phone until the account is unlocked and without the reset email you cannot do that. The best she could offer was to pass my details along to the Monday to Friday teams with absolutely no indication of when I might have access again.
      This is a farce and they have learned nothing from Sony or other high profile incidents. They appear to have panicked and certainly do not have any proper contingency planning or business continuity in place. They have shut it down and will simply ride out the storm.
      I think that is unacceptable and far from going overboard, I think I have every reason to be annoyed that they cannot protect my data and account. A reset process that does not work and when it does allows the same password is surely unfit for purpose and we should be both concerned and annoyed.

      • Richard says:

        “Avios is a currency and as such should have been protected by BA in the same way my bank protects my money”

        They have. Try typing the wrong password into your bank website a few times, and see what happens. When I did (completely through my own incompetence), they locked the account and I had to wait until they’d sent me something through the post to re-activate it – which isn’t a million miles away from what’s happened here.

        Yes, it is poor that they let you reset your password to the same thing; they ought to protect us from our own laziness. Do I give them a slap on the wrist for that – yes. Am I shocked, horrified, scandalised, fearful, cutting up my BAEC card and swearing never ever to fly with them again – no.

      • Pol says:

        There is no excuse for the lack of communication though. I, like many others, have not received an email or any other communication about the problem. I simply get an invalid username/password message when logging in. Would it really be so difficult to place a notice on the BA site or a message when you phone to explain the problem?

      • Paul says:

        * I am a different Paul

        I agree with Richard that many people are overreacting here. Obviously we don’t know the details but I think we should at least give BA chance to fix whatever caused the problem.

        RIccati below says no one on FlyerTalk has been hacked, but how would they know? If BA caught the hackers and stopped it there may be no evidence visible to us.

        Keep in mind that BA probably had to act fast to stop the breach if it was costing them money (ie, avios was being redeemed). My guess is they spotted real suspicious activity, and as a precaution blocked all accounts logged in via an automated routine. At that point they may not have been aware of how the login details were stolen, and AwardWallet may have appeared to be a common link. I can understand why BA may be worried about services like AwardWallet. A single site with a large number of their customers’ details (worse, most of the users of AW will likely be heavy avios users!). It will be a nightmare for them if it ever does get hacked.

        I admit they could be handling this a bit better, e.g. a message on the login page. But who knows how easy that is to update. Even if it isn’t technically difficult, they may have procedures that make it difficult to make the change quickly without risking breaking anything.

        “Avios is a currency and as such should have been protected by BA in the same way my bank protects my money”
        If BA do fix everyone’s accounts then they have protected your avios. You not being able to access it for a few days is not the same as them not protecting it.

