Maximise your Avios, air miles and hotel points

What will a fraudster pay for your Avios log-in details on the dark web?

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

The other day I came across the Dark Web Market Price Index.  This is a monthly updated list showing what people are paying on the ‘dark web’ (Dream, Point and Wall Street Market, all of which require the Tor browser) for your log-in details to various websites.

The list of prices is huge.  At the top end, Paypal log-in details sell for an average of £280 – that number is driven by a % of the credit balance held in the accounts put up for sale.

At the bottom end, your ASOS log-in details are worth £1.50.  Data like this is primarily useful for helping with ID fraud as part of a broader scam and would not necessarily be used to make fraudulent ASOS purchases.

Avios wing 15

In the travel category, Avios / BA accounts are the clear winner at £6.73 per set of account details.

They would be worth more, but there is clearly a big risk in using a hacked Avios account to book a flight for a future date.  Much of the fraud I hear about is via Avios hotel redemptions.  A fraudster can book and check-in (and hopefully check-out) before you even noticed your points were gone.  I imagine that fraudulent redemption of wine or other goods, sent to ‘safe’ addresses, is also popular.

The image below, click to enlarge, explains a bit more about how the dark web works:

What is the dark web?

Airbnb and Uber accounts are also worth £5+.  The value of a hacked Uber account, given it can be used globally, is obvious.  Whilst you can easily block your account any fraudster timing it right (eg taking rides in the early hours of the morning when the UK account holder is likely to be asleep) can easily get more than £5 of value before the plug is pulled.

Airbnb is more interesting.  Hacking into the account of a host allows you to change their banking details and have stay money sent elsewhere.  Hacking into the account of highly rated guests allows you to book high-end properties without suspicion and then burgle them.

Even Facebook accounts with no financial information sell for an average of £3.74 because the treasure trove of personal data you leave there is enough for many forms of identify theft.  (How many of the security questions on your online banking account could be answered by someone who also had access to your Facebook account?  HSBC tends to ask me: Your child’s middle name?  The town where you went to school?  Where did you live in the year 2000?)

It is a fascinating subject, at least for me, especially after what I learnt at the loyalty fraud conference I attended last year.  You can read the full dark web report here.


How to earn Avios from UK credit cards (May 2023)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

SPECIAL OFFER: Until 30th May, the sign-up bonus on the Barclaycard Avios Plus Mastercard is doubled to a crazy 50,000 Avios! Apply here.

SPECIAL OFFER: Until 30th May, the sign-up bonus on the free Barclaycard Avios Mastercard is doubled to 10,000 Avios. Apply here.

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

CRAZY 50,000 Avios for signing up (to 30th May) and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

10,000 Avios for signing up (only to 30th May) and an upgrade voucher at £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £12,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points.

SPECIAL OFFER: Until 13th June, the sign-up bonus on The Platinum Card is doubled to 60,000 Membership Rewards points – and you get £200 to spend at Amex Travel too! Apply here.

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

60,000 points AND a £200 Amex Travel voucher until 13th June! Read our full review

Run your own business?

We recommend Capital On Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

Capital On Tap Business Rewards Visa

Get a 10,000 points bonus plus an extra 500 points for our readers Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

40,000 points bonus and a £200 Amex Travel credit every year Read our full review

American Express Business Gold

20,000 points sign-up bonus and free for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (72)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Sanjay says:

    Great article – very interesting!

  • Mark E says:

    Interesting and slightly worrying. I still find it odd that IHG rewards logins are a four digit PINs.

    • Craig Strickland says:

      In this day and age it’s totally irresponsible, they fully deserve having to replace the stolen points every time an account is hacked.

    • Banana says:

      Happened to me with IHG. 32,000 points stolen. Worst part was that when I called them up using the Skype app, they answered saying “Thanks Mr Rashid for being a spire elite member”… I informed them that wasn’t my name or status. I had to call them again and the exact same thing happened, albeit this time with a different name and status. Truly shocking. I could have made a redemption under those people’s accounts.

      • callum says:

        You can make a redemption just by stating your name and status level? Or their system “recognizing” you meant you could just make any redemption you wanted with no further checks?

        • Banana says:

          The latter. It patched me through like I had already cleared security.

    • Steve-B says:

      When you renew Ambassador status, IHG send out the member’s account number and PIN in clear text on the confirmation email, which says a lot about their lax attitude to account security.

      • Dave says:

        Yes they did do but I alerted them to this and subsequent renewals don’t have the pin on the Email.

        • Steve-B says:

          I wouldn’t be so sure – my latest renewal email still have this information on and that was only two weeks ago.

        • Dave says:

          Not on my November renewal, they might as well put your credit card details on the mail too! I hope you had a go at them for their security balls up if your renewal has your pin on it?

  • Polly says:

    Surprising they sell on that info so cheaply. Would have thought it way more valuable.

    • John says:

      Some (most? all?) of the sellers are scammers. That report just lists prices, but who knows whether you actually get anything for your money, or it just disappears and leaves you feeling stupid?

      I wonder how much it costs to buy an account used to sell stolen data with good reviews. It’s probably easier to make money this way than actually using stolen data.

  • shd says:

    OT: am currently at nearly 800 TPs, collection year ends early August.

    I take 25-30 (mostly short-haul) flights per year with BA. Have been trying to whittle down that Avios balance by deliberately booking RFSes and saving the £££. Great value per Avios spent, but sucks for keeping status.

    Dilemma: stop collecting TPs and back to booking RFS now I have Silver renewed?

    …or push on to 1500 to get Gold for 18 months and Silver for another year after that?

  • Lumma says:

    Having an Uber account hacked and blocking it isn’t as simple as you might think. It happened to me a few months back, I kept getting notifications on my phone that drivers were on their way. Changing the password didn’t help, even trying to delete my account didn’t work as it takes 30 days to delete an account forever and a few minutes after deactivating the account I’d get an email saying “welcome back to Uber”

    Worst thing if it happens to you is that there’s no simple way of contacting them to put a stop to it immediately, no phone number or live chat, you just have to send them messages through the app. Couldn’t even remove all my payment options, I was left with PayPal and had to call them to block any further payments to Uber.

    I eventually got Uber to deactivate my account permanently and have never used them since. Uber even have the cheek to blame the user when it happens for not having secure enough details

    • Crafty says:

      Could you have removed all payment methods, or does it make you leave one?

      • Trev says:

        On iOS at least, you could just have Apple Pay setup which would only work on your iPhone (that’s what I usually do) that way there are no card details linked which may be compromised if someone hacked my Uber account.

        The downside is that when you travel, if Apple Pay isn’t enabled in the country you go to you will need to add a card whilst you are away before you can book a ride which I discovered in Portugal last year.

      • Bagoly says:

        This is when it is useful to have at least one credit card one does not use (but one does need to remember the security details, and one wants it to be from a credit card provider with good service!)
        Add this “throwaway” card, remove all the others, and then block payments from that card to that provider.
        Thinking about this, perhaps this is where a Revolut virtual card could be useful – one can block it on the app (but to all payees)
        Does anybody have any experience with in-app blocking with other fintech card providers?

        • TGLoyalty says:

          Curve and Monzo also allow you to lock the card but you everyone rather than just 1 merchant.

        • Tom says:

          Another good use of a “throwaway card” with a low credit limit is for car rentals. It stops the rental company sticking a large amount for damage on your card, in case you have an accident

        • Will says:

          Starling also allows their debit card to be blocked in app

          • Rob says:

            Curve allows in-app blocking. I did it when I lost my wallet last year.

    • OOCH says:

      I had my Uber details stolen which somebody used for Uber eats to 5 separate addresses in London. I kept getting the receipts through and they totaled around £200. At first Uber tried to blame me also, asking if I had given my details to anybody. After insisting I had never been to that area and have never given my details to anybody they credited my account as did my credit card company to cover me initially. I think I identified the person who was ordering all the food because she had registered a business at one of the addresses and also worked at a nursery where some of the food got delivered. I passed it on to Uber but have no idea if they followed it up. I never save my credit card details with any company now.

  • Paul says:

    I would encourage everyone to invest the time in installing a decent password manager. A good password manager will ensure you only have to remember one password. Below are some popular options

    * 1Password (monthly subscription or one time license)
    * KeePass (free, open source)
    * LastPass (free and subscription)

    Once installed, I would review the password policies of the site you visit and use the maximum length they support e.g. Google supports up to 64 characters including special characters such as punctuation. The applications will generate a random password for you. You only have to remember one password, the master password for the app. Using apps like 1Password and LastPass allows you to sync all of your passwords across of your devices.

    Each of the apps I mention above will have browser extensions and/or support the share sheet on your mobile devices. When you go to a website for which you have stored the login details, press the browser button and it will automatically populate the form. No more copying and pasting or remember which variant of your children’s names you used. Every so often make a point to change your site passwords using the app. This ensure do that if someone gets your old password they can’t sign into your account.

    In addition to the above, turn two factor authentication (2FA) if the site supports it. 2FA requires you to validate logging from a new location by using a one time code. The code can be generated through an application like 1Password, Google or Microsoft authenticator (my favourite) or via text message (PayPal uses text message). Sites like Apple, Facebook, Microsoft, google, eBay, Reddit, and PayPal all support 2FA.

    Re personal identifiable questions like the ones HSBC uses. My wife uses different answers on different sites. She keeps a track through 1Password. 1Password allows you to record custom fields when you generate a new login. When she is prompted for one of the answers she simply copies the response across.

    TL;DR – invest in a password manager, generate unique passwords for each site and use two factor authentication

    • Mikeact says:

      Good advice, I use SafeInCloud across all devices , its free and suits me just fine. Being mean, I didn’t want to pay as I was with 1 Password. And then of course, there are other options to back everything up to the cloud, which can be a safety net when traveling.

      • Trev says:

        Just remember though that the service costs money to run so if you aren’t paying, how do they make money? If it’s a cloud only service and it goes out of business, can you get access to all your account logins?

        • Mikeact says:

          Trev…if Dropbox go belly up, then I guess we’re all in trouble.

          • Rob says:

            Technically you’re not, because your stuff is also on the hard drive of all your synced computers. I see it as safer than just having stuff on a hard drive that could be stolen or break. There are NO FILES AT ALL on any of my PCs – the only active folder is Dropbox and everything goes in there and syncs between a) my home laptop, b) my office laptop and c) my 13 inch travelling laptop.

            There is also a HFP sub-directory which is shared with Anika and all the company stuff is done in there.

    • Edd says:

      I’ve tried LastPass but found it clunky and thought it integrated poorly with Chrome. If you have other recommendations I’d like to use them but I’ve just found all the solutions suboptiomal so far…

    • Susan says:

      Have always worried that this meant the baddies only needed to know the password manager password and everything would be insecure?

      • Ray. says:

        Same here, also concerned if there were to be a problem with the password manager,then I would be unable to get access to none of my accounts.

      • Trev says:

        That’s why you want to use a second factor for authentication (e.g. a one time code generated by something like google authenticator) for your password manager. That way a hacker would need to figure out your password manager password plus a 6 digit code which changes every 30 seconds.

        • Bagoly says:

          But these password managers are honeypots to hackers, so they are presumably trying some advanced methods to get in. The providers are advanced too, but imagine what happens when one does get cracked – then everything is blocked.
          With individual accounts, in a very bad scenario, one may end up with one bank chasing one for a fraudulent debt, but at least one can use other accounts to live.

    • Jimbob says:

      Having had my debit card details recently cloned, and not sure how, I’ve become rather paranoid.
      Looked at the password managers, and as others have said, appear rather clunky, but perhaps it just getting used to it.
      I suppose my greater concern, is if someone hacks into the password manager database centrally. I’d assume that they would be highly prized hack

      • Paul says:

        It is a case of getting used to them. I personally use 1Password as it offer functionality like watchtower, large text, etc. The browser integration works well as does the share sheet (the box with the arrow pointing up in iOS). Quite few apps ( have integrated the service into their app so you can just click a button, authenticate via TouchID/FaceID and automatically login.

        The databases are encrypted. MSecure (another great password manager though not as feature rich as the others I mentioned earlier) for example uses blowfish encryption which has never been cracked. 1Password uses AES 256-bit encryption which is industry standard

    • Mr Dee says:

      Buy a Macbook Pro with Touch ID and you can just use fingerprint recognition to access your 1password or through an iphone

    • Brighton Belle says:

      I bought 1Password but it just couldn’t cope with the variety login protocols in the Uk. I stopped using it because it just didn’t deliver the smooth logins it promised. Not everything is just Username + Password.

      Has anyone in the UK got it to work successfully?

      • Mr Dee says:

        Don’t have any problems using it, if you mean multiple pages where you need your details entering then it may require some setting up initially, also the using a certain character or number from your password may take some getting used to. Either way much better than nothing.

      • Trev says:

        I’ve been using 1Password for quite a few years in the UK, there are a handful of websites that the “auto fill & submit” doesn’t work for but on the occasion that happens I just copy/paste the password manually. I happily take the extra security of per site complex passwords over the occasional inconvenience!

      • Hector says:

        I’m using1password in the UK and have done for several years. I would not be without it.

    • N says:

      Can I be cheeky and leave my Last pass referral here? If you register, we each get a free month of Premium.

      I’d recommend it, but I appreciate you may take my opinion as biased!

  • Mjngus says:

    How long before someone manufacturers junk Facebook accounts via a cheap click factory and some stock images, then sells them for £3+ each on the dark web? This would be some great poetic justice (albeit a one off if the feedback mechanisms on the dark web worked).

    • John says:

      It’s probably happening already.

    • Fenny says:

      A huge number of FB accounts are already fake, used for farming likes so they can access personal details. If FB really cared about any kind of privacy for their customers, they could easily block and delete the fake accounts. But they are happy to keep them, as they sell them along with everyone else’s data to advertisers.

  • IslandDweller says:

    @Lumma. One of the (many) issues in the tfl vs Uber court case is that the London mini cab licencing regime (and to operate in London Uber had to have a mini cab licence) requires the cab operator to have a manned London phone number. This is something that Uber was not complying with, but has now pledged to implement. Of course, there are many other issues at stake here – I seem to recall it’s due back in court next month.

    • Ja Lawrie says:

      I’m amazed how many people blatantly sell Avios and Virgin Miles on eBay. Because of high transfer costs many sell them and just provide the login details…….

      A lot of this is common sense. Just been article on breakfast tv that hacked twitter accounts are asking people to send them cyber currency. Hacked Elon Musk account asking if they send money needed for development of next best thing then he’ll send double back. So the multi billionaire boss of American Tesla firm resorts to Twitter for money…… appears fraudsters making $50k day!!!

This article is closed to new comments. Feel free to ask your question in the HfP forums.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.