Forums › Frequent flyer programs › British Airways Executive Club › Account hacked
Sorry but I fully support the filofax/notebook method. They can’t be hacked, a password manager can.
Can a password manager be hacked?? Source? A filofax/notebook can be stolen (or not stolen, just photo’ed) and the likelihood is that the passwords are still easy to brute-force because they have to be easy to type. But still a LOT better than using the same password for multiple websites.
Not that I’d use it myself, but for an average user Google/Chrome will do a good job of creating and remembering your passwords (and auto-filling them). Unique passwords are IMHO the #1 security measure. No-one hacks the banks – they hack PC World or BA and then use those credentials.
@lhar If someone ransacks her flat they’re unlikely to steal a nondescript tiny black book buried in a drawer. If they steal her laptop her credentials aren’t saved, so no threat. NEVER save your credentials on a device.
Yes password managers get hacked. Lastpass did.
Brute forcing isn’t an option any more as systems are set to lock an account after 3-5 bad attempts. You’ve been watching too many old movies 🙂
Well the Lastpass hack did involve brute forcing. Lastpass like 1Password only stores encrypted vaults so the hackers should not have been able to access the data in users’ vaults, but they brute forced the master passwords to decrypt the vaults. Then they sucked out the crypto wallet keys they could find and pocketed all that lovely cryptocurrency.
I guess some people really don’t like passwords and choose things like ‘tiddles’ or ‘fido’ as their master password.
Of course even strong passwords can be brute-forced on a large GPU cluster but you’d need to know that the target password vault was worth the 10s of k$ that it would cost to attack just one master password.
This is one of the reasons I like 1Password – it uses two passwords to form the master password. One is a very long and complex password that you enter once, on any machines you want to use 1Password with e.g. your desktop, laptop and phone. You then set a master password. This could be ‘tiddles’. If someone manages to get your vault, they would need both passwords to access it – and with the complexity of the ‘static’ master password, brute forcing the vault would be almost impossible. That being said, the downside of 1Password is that you have to enter the complex password on every machine you want to use it on, once. This can confuse some people.
Lastpass has indeed had a string of “bad luck” (hacks). One wonders whether other password managers have also suffered a similar fate but have not detected/admitted it – we’ll never know. The point of a master password (salted) is that it should be complex enough to resist brute-force attack. Hence my comment about brute-force – you can’t do it on an active system (as @davefl rightly says) but if you’ve stolen the encrypted password DB then you can do it offline. So if you re-use passwords across sites you are vulnerable to the least secure site being hacked.
I still use Lastpass and trust it is secure. I’m sure there are better/cheaper alternatives. Please use any of them – but do use one! BTW nice to see BA asking for my 2FA today (Google authenticator) on a computer I hadn’t used in a while. Of course the rest of the website experience was awful as usual!
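The difference the two posts above draw, between an online login that locks after a few bad attempts and an offline attack on a stolen, encrypted vault, is easiest to see in code. The following is an added example written for this page, not code from LastPass, 1Password or the thread's authors. It builds a constructed vault blob whose key is derived from the master password with PBKDF2, runs a dictionary attack against it exactly as an attacker holding the stolen file would (no server, no lockout, one KDF run per guess), and then shows the same attack failing when a high-entropy, device-held secret key is mixed into the password, modelled on the two-secret scheme described above. The mixing construction (plain concatenation), the toy HMAC-based stream cipher and the low iteration count are all assumptions made for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 iteration count. Deliberately low so the demo runs in a second or two;
# real vault formats use far larger counts (or Argon2) precisely to make every
# offline guess expensive. This value is an assumption for the example.
ITERATIONS = 20_000


def derive_vault_key(master_password: str, salt: bytes, secret_key: bytes = b"") -> bytes:
    """Derive the 32-byte key that protects the vault.

    secret_key is an optional high-entropy value held on the user's own devices
    and mixed in with the typed password. Concatenation is an assumption for the
    demo, not any vendor's format; the point is that a guess that lacks it is
    wrong even when the typed password is right.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode() + secret_key, salt, ITERATIONS, dklen=32
    )


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over a counter. A real vault uses an AEAD."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def make_vault(master_password: str, plaintext: bytes, secret_key: bytes = b"") -> dict:
    """Build a constructed vault blob: random salt, ciphertext and an HMAC tag.
    The tag is what lets an attacker tell a right guess from a wrong one."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, secret_key)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def open_vault(vault: dict, master_password: str, secret_key: bytes = b"") -> Optional[bytes]:
    """Return the plaintext if the password (and secret key) are right, else None."""
    key = derive_vault_key(master_password, vault["salt"], secret_key)
    expected = hmac.new(key, vault["salt"] + vault["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    stream = _keystream(key, len(vault["ciphertext"]))
    return bytes(c ^ k for c, k in zip(vault["ciphertext"], stream))


def offline_crack(vault: dict, wordlist: list[str]) -> tuple[Optional[str], int]:
    """Dictionary attack on a stolen vault file. Nothing rate-limits this:
    the attacker pays one KDF run per guess and nothing else.
    Returns (recovered_password_or_None, guesses_tried)."""
    for n, guess in enumerate(wordlist, start=1):
        if open_vault(vault, guess) is not None:
            return guess, n
    return None, len(wordlist)


# Constructed wordlist standing in for the top of a real password dictionary.
WORDLIST = ["password", "123456", "fido", "tiddles", "letmein"]

if __name__ == "__main__":
    secret = b"wallet-seed: example example example"  # constructed vault content

    weak = make_vault("tiddles", secret)
    print(offline_crack(weak, WORDLIST))            # ('tiddles', 4)

    device_key = os.urandom(16)                      # never leaves the user's devices
    two_secret = make_vault("tiddles", secret, device_key)
    print(offline_crack(two_secret, WORDLIST))      # (None, 5)
    print(open_vault(two_secret, "tiddles", device_key) == secret)  # True
```

The first vault falls on the fourth guess because ‘tiddles’ is in every wordlist and the only cost per guess is the KDF. The second vault is protected by the same weak typed password, yet the dictionary attack exhausts itself: without the 16 random bytes held on the device, the attacker would have to search that key space as well, which is the property the 1Password post above is describing.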
Although to be fair, BA doesn’t exactly help itself.
For example, for me: if I log into my BA account, look at my personal information, then log out, and then log in as another person in the household and go to personal information, I see my information there.
If I log out, close the browser and then go back in as the second person, and change their email address, then log out and close the browser, if I try to log in as the first user, I get a message saying I haven’t validated the new email address of the second user.
Basically a security nightmare; seems their session cookie management is broken. Do others see this?
This happens to me as well, although I haven’t logged on three times. However I go into my own account, do what I need to do, then log out and go into my OH’s account (he has the voucher that opens up extra availability) and it brings up all my details, which is most frustrating and a bit worrying, even though I am using his email and password.
I actually log out again, shut my system down, turn off the computer and turn it back on again. Then it works.
As you say a security nightmare.
@Misty you don’t need to go through all that trouble, just open an Incognito/InPrivate window in whatever browser you use.
Yes I’ve commented on it before. It’s the same reason you often get told you have multiple tabs open. Very poor session cookie handling. Incompetent web design or poor load balancer configuration.
Please tell BA and at the same time the ICO https://ico.org.uk/make-a-complaint/ . This is a serious data protection breach, not just a glitch in the matrix. If their cookie management is broken it could leak a lot more information.
For those who want to try it for themselves, make sure you are using Microsoft Edge on a Mac. Safari appears to work ok. Note Edge also won’t ask you for the 2FA protection too – you just zip straight in with username and password, even if 2FA is set up.
And yes, I will tell BA and, from experience, won’t expect them to do anything about it unless they get a number of complaints.
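The symptom several posts above describe (log out, log in as a second person, and the first person's personal information is shown) is the classic signature of a response cache that is keyed by URL rather than by session, which is one of the two causes a reply above guesses at (load balancer configuration). The toy web app below is an added example written for this page, not BA's code and not a finding about BA's site; the mechanism is an assumption chosen to reproduce the reported behaviour. It runs the same sequence of events twice: once against a site whose shared cache stores the personal-information page under its path alone, and once against a hardened site that marks user-specific pages `Cache-Control: private, no-store` so the cache refuses to store them. In both variants logout destroys the server-side session, which is the other thing a fix needs: deleting the cookie in the browser alone proves nothing.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Constructed sample profiles; no real data.
PROFILES = {
    "alice": "Alice Example, alice@example.com, Avios 120000",
    "bob": "Bob Example, bob@example.com, Avios 56",
}

PERSONAL_PAGE = "/personal-information"


@dataclass
class Response:
    status: int
    headers: dict
    body: str


@dataclass
class Site:
    """Toy web app: a server-side session table plus a shared response cache
    standing in for a load balancer or CDN cache in front of the origin.

    hardened=False caches every 200 response under its path alone.
    hardened=True marks per-user pages no-store, and the cache honours that.
    """
    hardened: bool
    sessions: dict = field(default_factory=dict)  # session id -> username
    cache: dict = field(default_factory=dict)     # path -> Response

    def login(self, username: str) -> str:
        sid = secrets.token_hex(16)               # fresh id per login, never reused
        self.sessions[sid] = username
        return sid

    def logout(self, sid: str) -> None:
        # Invalidate on the server. A browser that merely forgets the cookie
        # leaves the session alive for anyone who still holds the id.
        self.sessions.pop(sid, None)

    def get(self, sid: str, path: str) -> Response:
        user = self.sessions.get(sid)
        if user is None:
            return Response(401, {}, "login required")
        if path in self.cache:
            # The bug: the cache key is the URL, so whoever rendered it first
            # is whose data everybody after them sees.
            return self.cache[path]
        if path != PERSONAL_PAGE:
            return Response(404, {}, "not found")
        headers = {"Cache-Control": "private, no-store"} if self.hardened else {}
        resp = Response(200, headers, PROFILES[user])
        if "no-store" not in headers.get("Cache-Control", ""):
            self.cache[path] = resp               # cache stores what the origin allows
        return resp


def second_user_sees(site: Site) -> str:
    """Alice logs in on the family computer, views her details and logs out.
    Bob then logs in with his own credentials and opens the same page.
    Returns the body Bob is shown."""
    alice = site.login("alice")
    site.get(alice, PERSONAL_PAGE)
    site.logout(alice)
    bob = site.login("bob")
    return site.get(bob, PERSONAL_PAGE).body


if __name__ == "__main__":
    print(second_user_sees(Site(hardened=False)))  # Alice's profile: the leak
    print(second_user_sees(Site(hardened=True)))   # Bob's profile
    s = Site(hardened=True)
    sid = s.login("alice")
    s.logout(sid)
    print(s.get(sid, PERSONAL_PAGE).status)        # 401: old session id is dead
```

A practical check on a live site is the same sequence performed by hand while watching the response headers: a page that shows account data but arrives without `Cache-Control: private` or `no-store`, or arrives with a cache `HIT` header, is a page that an intermediary is allowed to hand to the next visitor. The Incognito workaround a reply above suggests helps only because a fresh browser profile sends none of the earlier cookies; it does nothing for a cache that sits on the server side.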
Thanks Dave, note to self must go into porn mode when wanting to log into BA. You can rely on me to find the most difficult way to do things !
I also get informed that I have multiple tabs open when I do not.
Yep porn mode won’t stop the incorrect multiple tabs open issue but it will allow you to have two accounts open simultaneously.
@Misty I love that we’re talking about the Internet and browsers and you have 404 posts. 😂 😁 My wife is always on the BA website when I’m not looking so I guess it does count as “travel porn”
Ha, Ha, at travel porn, think you are right. I’m not sure my OH knows how to get on the Club (formerly known as the Executive Club) site. He still sometimes forwards me emails from BA, as he thinks he is being helpful; I have pointed out that I get my own copies. Ho Hum.
Thanks Dave, I’ve kind of learnt to live with the multiple tabs thing. Sorry, didn’t quote you.
Hi
I have also been hacked. I noticed on Saturday a number of text messages giving me a BA verification code. I hadn’t been trying to log into my account so I knew it wasn’t me. I checked my account and all appeared OK. However, I thought I would change my password etc. but noticed my email address was completely different to the two I have (one work and one personal). All my Avios were in my BA account, as were all my tier points; all looked correct except for the email address.

I immediately called the BA Silver telephone number. Went through all the security questions etc.; the BA rep explained that she would put a lock on my account immediately (I agreed that is what I wanted). While I waited she sent an email or logged the call with their investigations/fraud team. She told me they would email me at one of my correct email addresses when they started looking into the issue. They would look to see if there were any unauthorised or suspicious transactions. That was Saturday 19:07 UK time.

Today, Monday, at 19:02 I got an email from BA marked Private and Confidential, nothing saying urgent etc. as is sometimes a giveaway, all the links look official, nothing untoward. Also another email just after at 19:02 asking me to confirm my email address; on that email I noticed my Avios total was now 56 Avios with the correct tier points etc. My heart sank!!!!! I have/had 100 times that in my account. My lifetime tier points looked correct. I tried to log in but it didn’t work, so I changed my password; it still won’t let me. But I can see on the app that a transfer to IBPL was made on Saturday (the same day I rang the Silver telephone line). So the Avios were on my account when I rang; the BA rep was supposed to LOCK my account right then and there, and she couldn’t see anything untoward when I spoke to her other than the wrong email address. So somehow, it appears my account wasn’t locked when she told me she locked it. I can’t think of anything else.
I have tried to ring this evening but the offices are closed.
Surely BA has to reinstate my Avios. I did exactly as I should have done by phoning, advising that someone was trying to hack my account, and agreed for BA to lock my account. So what else could I have done?
Any advice would be greatly appreciated. I have been saving up my Avios for a trip of a lifetime, my 65th and my partner’s 60th birthdays. I am completely and utterly gutted and beyond upset.
Many thanks for any constructive advice.
M Baldrick
Mr. Baldrick, you can expect this to be fixed by BA. It will take time but they should fix it. Give them a call tomorrow morning to get it started. I’m sure you will take that trip 🙂
Thank you for the reassurance. I sure hope they can. Thanks again.
You should be fine. The Avios can be tracked and cancelled immediately (unlike banks where funds can already have been moved elsewhere). I’d keep a log of comms just in case (dates, times) so it can easily be verified.
Hi
Update – all my avios have been returned to my account. Hurrah!!! Thank you all for your answers and support.
Good news, hope you enjoy that holiday now.
Worrying how it’s always via IB. I have a large balance in there already so hope it’s not too easy to hack.
Took around three weeks but eventually got all my Avios back. Thanks for all the information and advice.
Hurrah! I thought my account was hacked – turns out my wife is spending my Avios for trips with friends 😁 Not sure whether to lock down the account or not!
But seriously, unlike “cash” the Avios can’t easily be transferred out/spent anonymously, so you should always get made good. There are so many ways to scam/hack that you should always take any spurious verification texts/emails seriously, as they are probably part of a phishing attack. BUT – IN BIGGER CAPITAL LETTERS IF I CAN – never click on a link in such an email but check online or call your bank/provider.