
What will a fraudster pay for your Avios log-in details on the dark web?


The other day I came across the Dark Web Market Price Index.  This is a monthly updated list showing what people are paying on the ‘dark web’ (Dream, Point and Wall Street Market, all of which require the Tor browser) for your log-in details to various websites.

The list of prices is huge.  At the top end, PayPal log-in details sell for an average of £280 – that number is driven by a % of the credit balance held in the accounts put up for sale.

At the bottom end, your ASOS log-in details are worth £1.50.  Data like this is primarily useful for helping with ID fraud as part of a broader scam and would not necessarily be used to make fraudulent ASOS purchases.


In the travel category, Avios / BA accounts are the clear winner at £6.73 per set of account details.

They would be worth more, but there is clearly a big risk in using a hacked Avios account to book a flight for a future date.  Much of the fraud I hear about is via Avios hotel redemptions.  A fraudster can book and check in (and hopefully check out) before you have even noticed your points are gone.  I imagine that fraudulent redemption of wine or other goods, sent to ‘safe’ addresses, is also popular.

Airbnb and Uber accounts are also worth £5+.  The value of a hacked Uber account, given it can be used globally, is obvious.  Whilst you can easily block your account, any fraudster timing it right (e.g. taking rides in the early hours of the morning when the UK account holder is likely to be asleep) can easily get more than £5 of value before the plug is pulled.

Airbnb is more interesting.  Hacking into the account of a host allows you to change their banking details and have stay money sent elsewhere.  Hacking into the account of highly rated guests allows you to book high-end properties without suspicion and then burgle them.

Even Facebook accounts with no financial information sell for an average of £3.74 because the treasure trove of personal data you leave there is enough for many forms of identity theft.  (How many of the security questions on your online banking account could be answered by someone who also had access to your Facebook account?  HSBC tends to ask me: Your child’s middle name?  The town where you went to school?  Where did you live in the year 2000?)

It is a fascinating subject, at least for me, especially after what I learnt at the loyalty fraud conference I attended last year.  You can read the full dark web report here.



Comments (69)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Sanjay says:

    Great article – very interesting!

  • Mark E says:

    Interesting and slightly worrying. I still find it odd that IHG Rewards logins are four-digit PINs.

    • Craig Strickland says:

      In this day and age it’s totally irresponsible, they fully deserve having to replace the stolen points every time an account is hacked.

    • Banana says:

      Happened to me with IHG. 32,000 points stolen. Worst part was that when I called them up using the Skype app, they answered saying “Thanks Mr Rashid for being a spire elite member”… I informed them that wasn’t my name or status. I had to call them again and the exact same thing happened, albeit this time with a different name and status. Truly shocking. I could have made a redemption under those people’s accounts.

      • callum says:

        You can make a redemption just by stating your name and status level? Or their system “recognizing” you meant you could just make any redemption you wanted with no further checks?

        • Banana says:

          The latter. It patched me through like I had already cleared security.

    • Steve-B says:

      When you renew Ambassador status, IHG send out the member’s account number and PIN in clear text on the confirmation email, which says a lot about their lax attitude to account security.

      • Dave says:

        Yes, they did, but I alerted them to this and subsequent renewals don’t have the PIN on the email.

        • Steve-B says:

          I wouldn’t be so sure – my latest renewal email still has this information on it and that was only two weeks ago.

        • Dave says:

          Not on my November renewal, they might as well put your credit card details on the mail too! I hope you had a go at them for their security balls up if your renewal has your pin on it?

  • Polly says:

    Surprising they sell on that info so cheaply. Would have thought it way more valuable.

    • John says:

      Some (most? all?) of the sellers are scammers. That report just lists prices, but who knows whether you actually get anything for your money, or it just disappears and leaves you feeling stupid?

      I wonder how much it costs to buy an account used to sell stolen data with good reviews. It’s probably easier to make money this way than actually using stolen data.

  • shd says:

    OT: am currently at nearly 800 TPs, collection year ends early August.

    I take 25-30 (mostly short-haul) flights per year with BA. Have been trying to whittle down that Avios balance by deliberately booking RFSes and saving the £££. Great value per Avios spent, but sucks for keeping status.

    Dilemma: stop collecting TPs and back to booking RFS now I have Silver renewed?

    …or push on to 1500 to get Gold for 18 months and Silver for another year after that?

    • shd says:

      If you know of a way to get 8-10p/Avios value flying U2, I’m all ears 🙂

      • Mikeact says:

        Here we go again..should be over on Bits.

      • JamesB says:

        8-10p is more apparent than real, it usually requires a combination of last minute bookings and a failure to consider alternate carriers and routes.

      • shd says:

        I’m happy with my numbers – my last Avios booking to LHR was indeed made two days before departure, on a flight with availability of J2 Y1, and – as always – I checked other carriers and routes. Even the LCCs are eye-wateringly expensive on that and similar routes during holiday time, especially at that notice.

  • Lumma says:

    Having an Uber account hacked and blocking it isn’t as simple as you might think. It happened to me a few months back, I kept getting notifications on my phone that drivers were on their way. Changing the password didn’t help, even trying to delete my account didn’t work as it takes 30 days to delete an account forever and a few minutes after deactivating the account I’d get an email saying “welcome back to Uber”

    Worst thing if it happens to you is that there’s no simple way of contacting them to put a stop to it immediately, no phone number or live chat, you just have to send them messages through the app. Couldn’t even remove all my payment options, I was left with PayPal and had to call them to block any further payments to Uber.

    I eventually got Uber to deactivate my account permanently and have never used them since. Uber even have the cheek to blame the user when it happens for not having secure enough details

    • Crafty says:

      Could you have removed all payment methods, or does it make you leave one?

      • Trev says:

        On iOS at least, you could just have Apple Pay setup which would only work on your iPhone (that’s what I usually do) that way there are no card details linked which may be compromised if someone hacked my Uber account.

        The downside is that when you travel, if Apple Pay isn’t enabled in the country you go to you will need to add a card whilst you are away before you can book a ride which I discovered in Portugal last year.

      • Bagoly says:

        This is when it is useful to have at least one credit card one does not use (but one does need to remember the security details, and one wants it to be from a credit card provider with good service!)
        Add this “throwaway” card, remove all the others, and then block payments from that card to that provider.
        Thinking about this, perhaps this is where a Revolut virtual card could be useful – one can block it on the app (but to all payees)
        Does anybody have any experience with in-app blocking with other fintech card providers?

        • TGLoyalty says:

          Curve and Monzo also allow you to lock the card but for everyone rather than just 1 merchant.

        • Tom says:

          Another good use of a “throwaway card” with a low credit limit is for car rentals. It stops the rental company sticking a large amount for damage on your card, in case you have an accident

        • Will says:

          Starling also allows their debit card to be blocked in app

          • Rob says:

            Curve allows in-app blocking. I did it when I lost my wallet last year.

    • OOCH says:

      I had my Uber details stolen which somebody used for Uber eats to 5 separate addresses in London. I kept getting the receipts through and they totaled around £200. At first Uber tried to blame me also, asking if I had given my details to anybody. After insisting I had never been to that area and have never given my details to anybody they credited my account as did my credit card company to cover me initially. I think I identified the person who was ordering all the food because she had registered a business at one of the addresses and also worked at a nursery where some of the food got delivered. I passed it on to Uber but have no idea if they followed it up. I never save my credit card details with any company now.

  • Paul says:

    I would encourage everyone to invest the time in installing a decent password manager. A good password manager will ensure you only have to remember one password. Below are some popular options

    * 1Password (monthly subscription or one time license)
    * KeePass (free, open source)
    * LastPass (free and subscription)

    Once installed, I would review the password policies of the site you visit and use the maximum length they support e.g. Google supports up to 64 characters including special characters such as punctuation. The applications will generate a random password for you. You only have to remember one password, the master password for the app. Using apps like 1Password and LastPass allows you to sync all of your passwords across all of your devices.

    Each of the apps I mention above will have browser extensions and/or support the share sheet on your mobile devices. When you go to a website for which you have stored the login details, press the browser button and it will automatically populate the form. No more copying and pasting or remembering which variant of your children’s names you used. Every so often make a point to change your site passwords using the app. This ensures that if someone gets your old password they can’t sign into your account.

    In addition to the above, turn on two factor authentication (2FA) if the site supports it. 2FA requires you to validate logging in from a new location by using a one time code. The code can be generated through an application like 1Password, Google or Microsoft authenticator (my favourite) or via text message (PayPal uses text message). Sites like Apple, Facebook, Microsoft, Google, eBay, Reddit, and PayPal all support 2FA.

    Re personal identifiable questions like the ones HSBC uses. My wife uses different answers on different sites. She keeps a track through 1Password. 1Password allows you to record custom fields when you generate a new login. When she is prompted for one of the answers she simply copies the response across.

    TL;DR – invest in a password manager, generate unique passwords for each site and use two factor authentication

    • Mikeact says:

      Good advice, I use SafeInCloud across all devices, it’s free and suits me just fine. Being mean, I didn’t want to pay as I was with 1Password. And then of course, there are other options to back everything up to the cloud, which can be a safety net when traveling.

      • Trev says:

        Just remember though that the service costs money to run so if you aren’t paying, how do they make money? If it’s a cloud only service and it goes out of business, can you get access to all your account logins?

        • Mikeact says:

          Trev…if Dropbox go belly up, then I guess we’re all in trouble.

          • Rob says:

            Technically you’re not, because your stuff is also on the hard drive of all your synced computers. I see it as safer than just having stuff on a hard drive that could be stolen or break. There are NO FILES AT ALL on any of my PCs – the only active folder is Dropbox and everything goes in there and syncs between a) my home laptop, b) my office laptop and c) my 13 inch travelling laptop.

            There is also a HFP sub-directory which is shared with Anika and all the company stuff is done in there.

    • Edd says:

      I’ve tried LastPass but found it clunky and thought it integrated poorly with Chrome. If you have other recommendations I’d like to use them but I’ve just found all the solutions suboptimal so far…

    • Susan says:

      Have always worried that this meant the baddies only needed to know the password manager password and everything would be insecure?

      • Ray. says:

        Same here, also concerned if there were to be a problem with the password manager, then I would be unable to get access to any of my accounts.

      • Trev says:

        That’s why you want to use a second factor for authentication (e.g. a one time code generated by something like google authenticator) for your password manager. That way a hacker would need to figure out your password manager password plus a 6 digit code which changes every 30 seconds.

        • Bagoly says:

          But these password managers are honeypots to hackers, so they are presumably trying some advanced methods to get in. The providers are advanced too, but imagine what happens when one does get cracked – then everything is blocked.
          With individual accounts, in a very bad scenario, one may end up with one bank chasing one for a fraudulent debt, but at least one can use other accounts to live.

    • Jimbob says:

      Having had my debit card details recently cloned, and not sure how, I’ve become rather paranoid.
      Looked at the password managers, and as others have said, they appear rather clunky, but perhaps it’s just getting used to it.
      I suppose my greater concern is if someone hacks into the password manager database centrally. I’d assume that they would be a highly prized hack.

    • Mr Dee says:

      Buy a MacBook Pro with Touch ID and you can just use fingerprint recognition to access your 1Password or through an iPhone

    • Brighton Belle says:

      I bought 1Password but it just couldn’t cope with the variety of login protocols in the UK. I stopped using it because it just didn’t deliver the smooth logins it promised. Not everything is just Username + Password.

      Has anyone in the UK got it to work successfully?

      • Mr Dee says:

        Don’t have any problems using it, if you mean multiple pages where you need your details entering then it may require some setting up initially, also the use of a certain character or number from your password may take some getting used to. Either way much better than nothing.

      • Trev says:

        I’ve been using 1Password for quite a few years in the UK, there are a handful of websites that the “auto fill & submit” doesn’t work for but on the occasion that happens I just copy/paste the password manually. I happily take the extra security of per site complex passwords over the occasional inconvenience!

      • Hector says:

        I’m using 1Password in the UK and have done for several years. I would not be without it.

  • Mjngus says:

    How long before someone manufactures junk Facebook accounts via a cheap click factory and some stock images, then sells them for £3+ each on the dark web? This would be some great poetic justice (albeit a one off if the feedback mechanisms on the dark web worked).

    • John says:

      It’s probably happening already.

    • Fenny says:

      A huge number of FB accounts are already fake, used for farming likes so they can access personal details. If FB really cared about any kind of privacy for their customers, they could easily block and delete the fake accounts. But they are happy to keep them, as they sell them along with everyone else’s data to advertisers.

  • IslandDweller says:

    @Lumma. One of the (many) issues in the TfL vs Uber court case is that the London mini cab licensing regime (and to operate in London Uber had to have a mini cab licence) requires the cab operator to have a manned London phone number. This is something that Uber was not complying with, but has now pledged to implement. Of course, there are many other issues at stake here – I seem to recall it’s due back in court next month.

    • Ja Lawrie says:

      I’m amazed how many people blatantly sell Avios and Virgin Miles on eBay. Because of high transfer costs many sell them and just provide the login details…….

      A lot of this is common sense. Just been an article on breakfast TV that hacked Twitter accounts are asking people to send them cyber currency. Hacked Elon Musk account asking if they send money needed for development of next best thing then he’ll send double back. So the multi billionaire boss of American Tesla firm resorts to Twitter for money…… appears fraudsters making $50k a day!!!
