Avios stolen (Times story)
Even BA IT will be hashing and salting passwords. But that’s not the point. If you’re re-using passwords over multiple sites, if one site is hacked then it’s as if all of them have been hacked. If you want to protect your cash/Avios, etc., invest in a password manager and re-password your logins with secure/unique passwords.
In the meantime, my password for HFP is pSpyej@3flvsAGdi – except I’ve changed one character. 1m Avios for the first person to figure out which… 😁
BA staff don’t ask for your password though, and I doubt there is anything on a call centre (or even check-in agent’s) screen relating to the password for them to see either.
Other info yes, but I’ve never been asked for a password, not even the usual random selection.
I regularly check the passwords part on my iPhone / iPad and there’s a ‘security recommendations’ section which flags up where you’ve used the same password on different sites.
If you’re re-using passwords over multiple sites, if one site is hacked then it’s as if all of them have been hacked. If you want to protect your cash/Avios, etc., invest in a password manager and re-password your logins with secure/unique passwords.
Invest doesn’t need to be money, just a little time. Bitwarden is free, and will generate a ‘passphrase’ instead of a password, three random words, separated by a special character, capitalised, and with a number thrown in. 99% of websites accept this. If you ever need to transcribe a password by hand from your phone to another computer you are borrowing, it is a whole heap easier to transcribe
Horse-Battery-Staple1
than
J92erlkHsio@f£20%85*7
… the latter being the sort of gibberish most password managers generate for you.
I’ve had an issue with the BA site that it accepts a change to a long passphrase, but you cannot subsequently use it to log in. For BA specifically, use three short words (and another slow hand clap for BA IT).
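To make the passphrase-versus-gibberish comparison in the post concrete, here is an added example (not Bitwarden’s code, nor anything from the thread) that generates a passphrase in the scheme described, three capitalised random words, a separator and one digit, and works out the guessing entropy of that scheme next to a 21-character random string. The word list is a constructed stub; the entropy figure assumes a real list of 7776 words, and attaching the digit to one randomly chosen word is an assumption about the scheme.

```python
import math
import re
import secrets

# Constructed, deliberately tiny word list so the example runs offline.
# A real generator draws from thousands of words; the entropy figures
# below assume a 7776-word list (the size of the EFF long list).
SAMPLE_WORDS = ["horse", "battery", "staple", "correct", "lamp", "river",
                "pencil", "orbit", "walnut", "cactus", "meadow", "tulip"]

def generate_passphrase(words=SAMPLE_WORDS, n_words=3, separator="-"):
    """Passphrase in the style the post describes: n random words, each
    capitalised, joined by a separator, with one digit appended to one
    randomly chosen word (assumed placement)."""
    chosen = [secrets.choice(words).capitalize() for _ in range(n_words)]
    digit_slot = secrets.randbelow(n_words)
    chosen[digit_slot] += str(secrets.randbelow(10))
    return separator.join(chosen)

def passphrase_bits(wordlist_size, n_words=3):
    """Guessing entropy in bits: words^n word choices, times n possible
    digit positions, times 10 digit values. The separator and the
    capitalisation are fixed rules of the scheme and add nothing."""
    return math.log2(wordlist_size ** n_words * n_words * 10)

def random_string_bits(length, alphabet_size=94):
    """Entropy of a uniformly random string over printable ASCII, i.e. the
    sort of string most password managers emit by default."""
    return length * math.log2(alphabet_size)

# Shape check: Word-Word-Word with exactly one digit somewhere.
PASSPHRASE_RE = re.compile(r"^([A-Z][a-z]+\d?)(-[A-Z][a-z]+\d?){2}$")

def looks_like_scheme(candidate):
    return (bool(PASSPHRASE_RE.match(candidate))
            and sum(ch.isdigit() for ch in candidate) == 1)
```

Three words from a 7776-word list give roughly 44 bits, well below the 21-character random string but still far beyond what an online login form permits an attacker to guess, which is the trade the post is making for legibility.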
My HFP password is a five letter word all in lower case. If someone steals this account I will make a new one. As a bonus the thief will gain access to accounts on various forums with low password security requirements where I’ve also made worthless posts.
I have a household BA Exec account and have close to 1 million Avios in the account, and I myself should have had 800k.
My future booking for next April has been cancelled and my email address has been changed (for example, from abc.xyz@gmail.com to abc.xyz@yahoo.com).
Just called the BAEC and my account has been locked and passed for further investigation.
I am not worried as I don’t have immediate flights in the near future and I believe my 800k Avios should be restored. They cannot give details about my account as it’s been compromised.
How long would this take, and what is the likely outcome? Will they reinstate the flight for next Easter?
It’s beyond me how people can hack a password on the BAEC site as I have just spent 15 mins trying to log into my own account. Had to enter stuff four or five times, and all I wanted to do was order some candles. It really is a woeful piece of IT!!!
CORRECT! 😁 Most password managers have a free level, with a “families” account (password sharing, etc.) around the $40/y mark. Most also are cross-platform and have auto-fill features so you don’t have to type the user/pass into websites/apps. It literally saves me hours every week, and allows me to share certain passwords with my son.
I have around 500 passwords, and am pleased to say I know 3 of them.
Even BA IT will be hashing and salting passwords.
If they are, they’ll still be logging them in plaintext and slinging the logs into an S3 bucket / line printer / skip in the car park, or some similar idiocy.
I find that a lot even in high-functioning organisations – state-of-the-art AAA, but logging is a disaster.
If they are, they’ll still be logging them in plaintext and slinging the logs into an S3 bucket / line printer / skip in the car park
Agree! But if you’re using the same password on multiple sites, the weakest site will compromise you. Salting should limit the impact of encrypted password thefts. Sooner or later, individuals are going to have to be responsible for losses related to their own poor security/stupidity. Unless I win the Nigerian lottery – then I don’t care!
I have a household BA Exec account and have close to 1 million Avios in the account, and I myself should have had 800k.
My future booking for next April has been cancelled and my email address has been changed (for example, from abc.xyz@gmail.com to abc.xyz@yahoo.com).
Just called the BAEC and my account has been locked and passed for further investigation.
I am not worried as I don’t have immediate flights in the near future and I believe my 800k Avios should be restored. They cannot give details about my account as it’s been compromised.
How long would this take, and what is the likely outcome? Will they reinstate the flight for next Easter?
Hope you get things sorted soon.
What is interesting is that, like you, when my BAEC account was hacked earlier this year the second part of my email address was changed from hotmail.com to outlook.com but the first part remained the same.
I was given no information as to what had happened. But as I posted at the time, it took about two weeks for my account to be unlocked and for my Avios to be returned.
@LD27. Thanks for giving your thoughts.
My only future flight redemption was cancelled when hacked; I have received a full refund today. They didn’t deduct 35 GBP per passenger, which was strange, as I had paid 27k Avios and 405 GBP and received 405 GBP back to my card. Today is only the third day for me.
A member of my family has also got 60k of their Avios stolen. She’s fed up of dealing with call centre staff in SE Asia and after 9 months, BA have closed her case! She had a baby 10 months ago and hasn’t travelled anywhere. It’s ridiculous how they are behaving.
Also, two days ago my husband changed his BA email to another email address and I was shocked at how it just allowed it in 2 seconds, no verification etc. I know we don’t login with our email but once the email changes all activity, bookings etc. will go to that new email and you wouldn’t even know.
Security, like charity, starts at home. Sure, call out poor security. But don’t blame others for your own failings.
In the case of changing an email, 2FA would help as would notifying the original email account of the change (did that happen?). But there’s a good chance they’ve access to your email account too, so that doesn’t help.
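The two controls that post asks for, a second factor on the request and a notice to the original address, can be shown in one small email-change flow. This is an added example written for the thread, not BA’s code or any real system: the account record, the outbox and the second-factor result are constructed stand-ins, and the addresses reuse the abc.xyz@gmail.com / abc.xyz@yahoo.com placeholders from the earlier post.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-ins: an in-memory account record and an outbox list
# that plays the role of outbound mail (recipient, subject, token).
OUTBOX = []

@dataclass
class Account:
    email: str
    pending_email: str = None
    pending_token: str = None
    previous_email: str = None
    revert_token: str = None
    locked: bool = False

def send(to, subject, token):
    OUTBOX.append((to, subject, token))

def request_email_change(acct, new_email, second_factor_ok):
    """Step 1: a second factor gates the request, then a confirmation
    token goes to the NEW address only. The stored address is unchanged."""
    if not second_factor_ok:
        raise PermissionError("second factor failed")
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(32)
    send(new_email, "Confirm your new address", acct.pending_token)

def confirm_email_change(acct, token):
    """Step 2: only the token delivered to the new address completes the
    change, and the OLD address is told, with a revert token, so an owner
    who still controls the old mailbox can undo a change they did not make."""
    if acct.pending_token is None or not hmac.compare_digest(token, acct.pending_token):
        return False
    acct.previous_email, acct.email = acct.email, acct.pending_email
    acct.pending_email = acct.pending_token = None
    acct.revert_token = secrets.token_urlsafe(32)
    send(acct.previous_email, f"Contact email changed to {acct.email}", acct.revert_token)
    return True

def revert_email_change(acct, token):
    """Undo via the token sent to the old address, then lock the account
    for review so the change cannot simply be repeated."""
    if acct.revert_token is None or not hmac.compare_digest(token, acct.revert_token):
        return False
    acct.email, acct.previous_email, acct.revert_token = acct.previous_email, None, None
    acct.locked = True
    return True
```

As the post notes, the notice to the old address only helps while the owner still controls that mailbox; the second factor on the request is what stands on its own.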
BA called me twice yesterday, and it took 5 days to act on my account. My cancelled flight booking was reinstated with a new booking reference, my email address has been updated from the hacked email address, and I have also changed my password to a new one.
My email address had been changed from gmail to mail by the offender.
My account will be unlocked by the Audit team on Monday, and the Avios balance was restored yesterday to where it should be. Thanks BA.