Avios stolen (Times story)

  • Ihar 433 posts

    Even BA IT will be hashing and salting passwords. But that’s not the point. If you’re re-using passwords over multiple sites, if one site is hacked then it’s as if all of them have been hacked. If you want to protect your cash/Avios, etc invest in a password manager and re-password your logins with secure/unique passwords.

    In the meantime, my password for HFP is pSpyej@3flvsAGdi – except I’ve changed one character. 1m Avios for the first person to figure out which… 😁

    BA Flyer IHG Stayer 2,972 posts

    BA staff don’t ask for your password though, and I doubt there is anything on a call centre (or even check-in agent’s) screen relating to password for them to see either.

    Other info yes but I’ve never been asked for password – not even the usual random selection.

    I regularly check the passwords part on my iPhone / iPad and there’s a ‘security recommendations’ which flags up where you’ve used the same password on different sites.

    memesweeper 1,501 posts

    If you’re re-using passwords over multiple sites, if one site is hacked then it’s as if all of them have been hacked. If you want to protect your cash/Avios, etc invest in a password manager and re-password your logins with secure/unique passwords.

    Invest doesn’t need to be money, just a little time. Bitwarden is free, and will generate a ‘passphrase’ instead of a password, three random words, separated by a special character, capitalised, and with a number thrown in. 99% of websites accept this. If you ever need to transcribe a password by hand from your phone to another computer you are borrowing, it is a whole heap easier to transcribe

    Horse-Battery-Staple1

    than

    J92erlkHsio@f£20%85*7

    … the latter being the sort of gibberish most password managers generate for you.

    I’ve had an issue with the BA site that it accepts a change to a long passphrase, but you cannot subsequently use it for log in. For BA specifically, use three short words (and another slow hand clap for BA IT).
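The passphrase format described in the post above (three capitalised random words, one separator character, one digit), as an added example that is not part of the original thread or any password manager's own code. The word list and separator set are constructed stand-ins, and the entropy figures assume a 7,776-word list and an attacker who knows the scheme.

```python
import math
import secrets

# Constructed sample list so the block runs offline; a real generator draws
# from a large list (the entropy figures below assume 7,776 words).
SAMPLE_WORDS = ["horse", "battery", "staple", "candle", "harbour", "velvet",
                "rocket", "meadow", "pencil", "walnut", "ticket", "glacier"]
SEPARATORS = "-_.!"  # assumed separator set


def make_passphrase(words=SAMPLE_WORDS, n_words=3, separators=SEPARATORS):
    """Capitalised random words joined by one random separator, plus a digit."""
    sep = secrets.choice(separators)
    chosen = [secrets.choice(words).capitalize() for _ in range(n_words)]
    return sep.join(chosen) + str(secrets.randbelow(10))


def passphrase_bits(list_size, n_words=3, n_separators=len(SEPARATORS)):
    """Entropy in bits when the attacker knows the scheme but not the choices."""
    return n_words * math.log2(list_size) + math.log2(n_separators) + math.log2(10)


def random_string_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random character string."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose words alone reach target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(make_passphrase())
    print(f"3 words from 7,776: {passphrase_bits(7776):.1f} bits")
    print(f"21 random chars from 94: {random_string_bits(21, 94):.1f} bits")
    print(f"words for 64 bits: {words_needed(64, 7776)}")
```

Each extra word from a 7,776-word list adds about 13 bits, so where a site accepts it, a longer passphrase closes most of the gap to a random string while staying easy to transcribe.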

    John 1,271 posts

    My HFP password is a five letter word all in lower case. If someone steals this account I will make a new one. As a bonus the thief will gain access to accounts on various forums with low password security requirements where I’ve also made worthless posts.

    Mankhool 41 posts

    I have a household BA Exec account and have close to 1 Million Avios in the account and myself should have had 800k.

    My future booking for next April has been cancelled and my email address has been changed from (example abc.xyz@gmail.com to abc.xyz@yahoo.com).

    Just called the BAEC and my account has been locked and been passed for further investigation.

    I am not worried as I don’t have immediate flights in the near future and I believe my 800k Avios should be restored. They cannot give details about my account as it’s been compromised.

    How long would this take and likely outcome? Will they reinstate the flight for next Easter?

    Misty 402 posts

    It’s beyond me how people can hack a password on the BAEC site as I have just spent 15 mins trying to log into my own account. Had to enter stuff four or five times, and all I wanted to do was order some candles. It really is a woeful piece of IT !!!

    Ihar 433 posts

    CORRECT! 😁 Most password managers have a free level, with a “families” account (password sharing, etc) around the $40/y mark. Most also are cross-platform and have auto-fill features so you don’t have to type the user/pass into websites/apps. It literally saves me hours every week, and allows me to share certain passwords with my son.

    I have around 500 passwords, and pleased to say I know 3 of them.

    TooPoorToBeHere 301 posts

    Even BA IT will be hashing and salting passwords.

    If they are, they’ll still be logging them in plaintext and slinging the logs into an S3 bucket / line printer / skip in the car park, or some similar idiocy.

    Find that a lot even in high-functioning organisations – state-of-the-art AAA, logging is a disaster.

    Ihar 433 posts

    If they are, they’ll still be logging them in plaintext and slinging the logs into an S3 bucket / line printer / skip in the car park

    Agree! But if you’re using the same password on multiple sites, the weakest site will compromise you. Salting should limit the impact of encrypted password thefts. Sooner or later, individuals are going to have to be responsible for losses related to their own poor security/stupidity. Unless I win the Nigerian lottery – then I don’t care!

    LD27 372 posts

    I have a household BA Exec account and have close to 1 Million Avios in the account and myself should have had 800k.

    My future booking for next April has been cancelled and my email address has been changed from (example abc.xyz@gmail.com to abc.xyz@yahoo.com).

    Just called the BAEC and my account has been locked and been passed for further investigation.

    I am not worried as I don’t have immediate flights in the near future and I believe my 800k Avios should be restored. They cannot give details about my account as it’s been compromised.

    How long would this take and likely outcome? Will they reinstate the flight for next Easter?

    Hope you get things sorted soon.

    What is interesting, is that like you, when my BAEC account was hacked earlier this year the second part of my email address was changed from hotmail.com to outlook.com but the first part remained the same.

    I was given no information as to what had happened. But as I posted at the time, it took about two weeks for my account to be unlocked and for my Avios to be returned.

    Mankhool 41 posts

    @LD27. Thanks for giving your thoughts.

    My only future flight redemption was cancelled when hacked, I have received a Full refund today. They didn’t deduct 35GBP per passenger which was strange as I have paid 27k Avios and 405 GBP and received 405GBP back to my card. Today being only third day for me.

    S879 152 posts

    A member of my family has also got 60k of their Avios stolen. She’s fed up of dealing with call centre staff in SE Asia and after 9 months, BA have closed her case! She had a baby 10 months ago and hasn’t travelled anywhere. It’s ridiculous how they are behaving.

    S879 152 posts

    Also, two days ago my husband changed his BA email to another email address and I was shocked at how it just allowed it in 2 seconds, no verification etc. I know we don’t login with our email but once the email changes all activity, bookings etc. will go to that new email and you wouldn’t even know.

    Ihar 433 posts

    Security, like charity, starts at home. Sure, call out poor security. But don’t blame others for your own failings.

    In the case of changing an email, 2FA would help as would notifying the original email account of the change (did that happen?). But there’s a good chance they’ve access to your email account too, so that doesn’t help.
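Two things reported in this thread can be turned into a detection rule: the email change that keeps the mailbox name and swaps only the provider domain, and the change going through with no check against the old address. The sketch below is an added example, not part of the original posts and not BA's code; the event schema, field names such as `verified_old`, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events; field names are assumptions, not BA's schema.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "account": "A1", "type": "email_change",
     "old": "abc.xyz@gmail.com", "new": "abc.xyz@yahoo.com", "verified_old": False},
    {"ts": "2024-03-01T09:20:00", "account": "A1", "type": "booking_cancelled"},
    {"ts": "2024-03-01T09:25:00", "account": "A1", "type": "avios_redeemed"},
    {"ts": "2024-03-02T10:00:00", "account": "B2", "type": "email_change",
     "old": "jo@hotmail.com", "new": "jo.smith@example.org", "verified_old": True},
    {"ts": "2024-03-05T10:00:00", "account": "B2", "type": "avios_redeemed"},
]
HIGH_VALUE = {"booking_cancelled", "avios_redeemed"}


def split_email(addr):
    """Return (local part, domain), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def is_domain_swap(old, new):
    """Same mailbox name, different provider: the pattern reported in this thread."""
    (old_local, old_dom), (new_local, new_dom) = split_email(old), split_email(new)
    return bool(old_local) and old_local == new_local and old_dom != new_dom


def find_suspect_changes(events, window=timedelta(hours=24)):
    """Flag unverified domain-swap email changes and list follow-on activity."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    for i, ev in enumerate(ordered):
        if ev["type"] != "email_change":
            continue
        if ev.get("verified_old") or not is_domain_swap(ev["old"], ev["new"]):
            continue
        start = datetime.fromisoformat(ev["ts"])
        follow = [e["type"] for e in ordered[i + 1:]
                  if e["account"] == ev["account"] and e["type"] in HIGH_VALUE
                  and datetime.fromisoformat(e["ts"]) - start <= window]
        alerts.append({"account": ev["account"], "new": ev["new"],
                       "followed_by": follow,
                       "severity": "high" if follow else "review"})
    return alerts
```

An alert here is a trigger for holding redemptions and notifying the old address, not proof of takeover: people do legitimately move the same mailbox name between providers.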

    Mankhool 41 posts

    BA have called me twice yesterday and it took 5 days to act on my account. My cancelled flight booking was reinstated with a new booking reference. My email address has been updated from the hacked email address. I have also changed password to a new one.

    My email address has been changed from gmail to mail by the offender.

    My account will be unlocked by the Audit team on Monday and the Avios balance has been restored to where it should be yesterday. Thanks BA.
