My American Airlines account was hacked—and it’s still not fixed two months later

On July 13, someone hacked into my American Airlines account. I got this email as I was wandering through Target:

American Airlines account hacked

None of these details are known to me

My AAdvantage award? I knew right away that my AA account had been hacked. I had about 87,000 miles in there and 85,000 of them were redeemed for a business-class flight from Houston (IAH) to Toronto (YYZ), under the name Deborah Niang.

At first, I was mostly annoyed. I figured I’d call AA when I got home, have them cancel the flight and redeposit the miles, and move on.

Nearly two months later, I have the miles back… but my AA account is completely messed up. Unsurprisingly, after many phone calls and looong wait times, nothing’s been done.

I’m in this liminal space between two AA accounts: my old, hacked one and a new one with nothing in it but the redeposited stolen miles.

Reaching out to American Airlines

OK so, the AA security department closes at 5pm and by the time I got home, was closed. I called back the next day.

The security people were pleasant enough. They closed the old account and walked me through opening a new one. There was no way I could keep the old account or loyalty number. They assured me everything would switch over “overnight, while you’re sleeping.”

a screenshot of a phone

What my AA account looked like the night of July 13

My AA account wasn’t amazing or anything – I’m not ultra elite, haven’t flown around the world 10,000 times with AA or anything. I had modest Gold elite status, a handful of loyalty points, and just under 2,000 miles left after the hacking.

a screenshot of a phone

I had soooo much stuff plugged into that account

I’d had that account since 2006, so it did sting to lose that loyalty number. I had it memorized and had a bajillion things linked to it:

  • Two AA credit cards (Citi and Barclays)
  • My Hyatt account
  • SimplyMiles
  • AA dining
  • AA shopping
  • Business Extra
  • Bilt, for transfers

I explained all of this to the security department, who assured me it would transfer over. All of it: the loyalty points, the million miler status, the credit card for flight benefits, the dining account, and all the rest.

I wanted it to be as easy as that, but that skeptical voice in my head said, “Yeah, right. You don’t really believe that… do you? This is American Airlines you’re talking about! Ha!”

The new AA account, post hacking

Now I have a new, raw AA loyalty account.

a screenshot of a social media account

This is all the activity in the account, two months later

First and foremost, I wanted to get the miles back. To do that, AA required me to report the loss and get a police report. Within 30 days.

I thought that was a little extreme and I didn’t want to deal with the cops here in Oklahoma City – they’re stretched thin and pointedly asked if I was reporting an “accident, shooting, stabbing, or break-in” when I called.

“Uhhhh… my American Airlines account has hacked? Yeah. And they want me to get a police report.”

To say I was shuffled around to the lowest “I don’t give two shits about this” level of the OKCPD is an understatement. I called and called and called.

I get it: This isn’t that big of a deal in the grand scheme, but American Airlines sent me detailed instructions on what to include in the report and like… just do it. This shouldn’t take days.

American Airlines said my 85,000 miles were worth $2,507.50. And that’s not nothing. So yes, I wanted to report this theft.

a screenshot of a document

The email from AA security

After a million phone calls to OKCPD and a clunky filing system that required filling out forms and sending payments online, I had to wait to receive a paper copy in the mail. (I hope you felt the eyeroll in that italics.)

American Airlines account hacked

This is what an OKC police report looks like, in case you ever wondered. Also, “SKY MILES”

I emailed this report to AA on July 27. Later that night, the missing 85,000 miles and whatever was left appeared in my new AA account. And that’s been the extent of all the activity since then.

So guess I’ll just wait forever?

I’ve called American Airlines security back a few times saying something to the effect of “WTF?” So on the second or third call, the representative told me a “bug would crawl” my account (whatever that means) and move over all the missing information (the AA credit cards, my loyalty points, Gold elite status, etc.)

She said that a status challenge promotion from 2016 (?!) was causing the issue and that there’s no way to take it off my account. Yes, a promotion from seven years ago.

Last week, I called again. They said they’d “escalate” it, which is code for shut up and go away.

I can no longer log in to the old account. The new account has nothing in it. I have a couple of trips later this year that I booked with my old AA number. They said those flights won’t be affected, but now I’m not so sure.

I’ve been checking back daily to see if the “bug” has “crawled” my account, but so far: nothing.

a screenshot of a credit card

Everything attached to the old account is effectively useless now

I tried opening a new SimplyMiles account, but when I went to re-add my cards, the system told me they were already linked to another account. Same for Business Extra. And I’m assuming, same for my AA credit cards and linked Hyatt account and all the other zillion things I linked to the old number over the years.

This is basically a giant hassle and no one is helping me resolve it. My account was hacked and now I’m basically screwed I guess?

I don’t have it in me to be on the phone for more hours or to beg someone to help me with this. This has already taken up way too much of my time already.

Other observations from this “American Airlines account hacked” drama

So that email up there talking about the award redemption was one of many… VERY many. Like, over 1,000 emails gushed into my inbox over an hour.

I’d look every few minutes and dozens more would roll in. It was absolutely crazy-making.

Whoever hacked me added my email to some sort of spam database and the email from American Airlines was buried among them. They were hoping I wouldn’t see it.

Even now, I’m unsubscribing from random email lists (thank gods for spam software).

And despite following American’s instructions to a T, all they’ve done since I emailed the police report is tell me dumb stuff to get me off the phone and then not do anything.

In the end, I have a new, useless account and many services I can’t use with it. Despite assurances of a seamless transition, I don’t think I’ll trust it even if everything does magically roll over.

But, I’m coming up on two months since the hacking and theft and this whole thing is hugely frustrating and time-consuming.

It makes me not want to bother with AA or AA miles or the loyalty points or any of it any more. I’m disappointed, but can’t say I’m surprised. This is exactly what I expect from AA.

American Airlines account hacked bottom line

I’m sharing this to highlight how easily an account can be hacked and the incredible amount of drama required to put everything back into place.

The takeaway for you, dear reader, is to change your passwords often. All of mine are now so “secure” not even I can remember them.

I don’t know what will become of the police report or Deborah Niang or the old AA account – or the new one. This is all so frustrating and will take a long time to fully “reset.” I realize how very white collar this all sounds, but miles are a form of currency and have value. About $2,500 in my case.

Also, just that you can be wandering around Target one minute then bam! – 1,000 emails to scour and literal hours of your life gone to sorting it all out – is rather nuts. And I don’t have any more time to spend on this.

I’m curious if anyone else has experienced this recently? It surely can’t have just been me. Did your situation have a better result than mine? Did American Airlines come through for you? I’m still waiting.

* If you liked this post, consider signing up to receive free blog posts in an RSS reader and you’ll never miss an update!

Announcing Points Hub—points, miles, and travel rewards community. Join for just $9/month or $99/year.

BEST Current Credit Card Deals

  • Capital One Venture X Rewards—Earn 75,000 Venture miles once you spend $4,000 on purchases within the first 3 months from account opening, plus a $300 annual statement credit for travel booked through Capital One
  • Ink Business Preferred® Credit Card—Earn 100,000 Chase Ultimate Rewards points after you spend $15,000 on purchases in the first 3 months and 3X bonus points per $1 on the first $150,000 spent on travel and select business categories each account anniversary year
  • Amex Blue Business Plus—Earn 15,00 Membership Rewards points once you spend after you spend $3,000 in purchases in the first 3 months of Card Membership and 2X bonus points on up to $50,000 in spending per year with NO annual fee

The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.

About Harlan

Just a dude living in Memphis, traveling, and working toward financial independence.

More articles by Harlan »

Pingbacks

Comments

  1. Why didn’t you call AA and cancel the flight and ask for the miles to be redeposited? Would that have worked?

    • Maybe, but at that point they’d know my FF number. I thought about that, though. Maybe I should’ve just done that and absorbed the risk. Ah, hindsight.

    • My account was hacked. I did try contacting AA…all that day. I waited online numerous times for over an hour each time. I was never able to get anyone that could assist.

      In the end, I had to cancel all my credit cards and have them re-issued since I could not remember which cards I had attached to my AA account. I also sent an email through the “Contact Us” section asking my account be cancelled. I have no idea how many miles were lost. The most important thing was protecting my credit cards.

      I will never use AA again.

  2. This happened to my AA account as well. I caught it before the flight and had the reservation cancelled and miles redeposited after spending about 30 min on the phone with the AA fraud team.

  3. So, you don’t have time to spend on this, but expect an airline to fix your issues when you were hacked? Sounds a bit entitled. American has how many passengers who may have also been hacked, and how much resources are they supposed to commit to your not being able to connect to your other apps for mile acceleration? You got your new account and miles back. At that point AA did what they were supposed to do at minimum. If they can assist further, great, but to whine about it in a blog is ridiculous!!!

    • If this happens often, I’d expect the protocol to be much smoother and not require hours of my time and multiple followups. And of course I want the new account to reflect the old one. That’s not unreasonable.

      I mostly posted this as a cautionary tale, Karen.

  4. What a mess. I expect nothing less form AA. I had someone book a flight with my CC but didn’t have my airline account info. CC said they’ll cancel the charge, but even though they had a name and a flight time and the police could just show up and arrest them at the flight they weren’t going to do anything. Cops don’t have time for petty crimes like this, and the hackers/scammers know it so they continue to do it and get away with it. It’s easy to be a career criminal when there’s no consequences for being one.

    I hope you can get this settled and be done with it.

    • I need to post an update about this, but it’s starting to wrap up. If this is a common thing, I’d think airlines should have an easier way to handle it. It’s SO messy. I was attached to my old AA number. 🙁

  5. Same thing happened to me, from the spam emails to the hacked AA account. I have the new account but let’s see if everything transfers over…

  6. Same thing happened to me 2 days ago but without the extra spam emails or the police report requirement. 53k miles were used to book a flight by someone I’d never heard of before. I called yesterday and they immediately credited back the miles, but then I sat on hold while they tried to report it to the security department. They ended up having me call back a couple of hours later and the security department offered to set me up a new account, but I declined. I changed my password which was admittedly very old and probably compromised at some point since I’d set this up in 2001. I’m just lucky I noticed the reward redemption email in the first place since I’m not a big user of my Advantage account and wouldn’t have noticed it very quickly otherwise.

  7. Happened to me, just got a new account and the customer service guy couldn’t even give me answers. He just wanted to get off the phone with me fast. In the grand scheme of things, with all the crap going on in the world, I KNOW this is NOT important. However, I just want to vent also. I haven’t done the FBI or police report yet as I haven’t received the email from aa I need.

    I’m pissed they took my status away and can’t get anyone on chat and don’t want to call back.

    UGH, very annoying

  8. Add me to the list of people dealing with this, not sure how many miles were redeemed or how many I had in the account but somewhere in the neighborhood of 60k miles. Tried calling first, 4.5 hour wait time. Contacted via chat to be told I needed to be transferred to a different department. Sat on Chat hold for 45 minutes to be told that was the wrong department. Transferred again with no wait time and finally got my account locked as that was all they would offer me through chat. Now waiting on hold for 30 – 45 minutes for AA Advantage Customer service to figure out next steps.

  9. Happen to my wife’s account just this week. I don’t have conclusive proof, but she uses LastPass (password storage service in the cloud) that was compromised last year. I suspect that was the root as her FB, Instagram and Target accounts were all hacked. FB does not even have a number to call. American has been good. Got a hold of their security group, had to file a police report, created a new account as we could no longer access it. There were two tickets issued using her miles so I hope they arrest the bastards. Waiting for the police report so we can get her miles back.

  10. Same experience, including the spam emails, a few of which are getting into my inbox and promotions box. Any idea how to get rid of those? My local state police, however, promptly provided a police report, so I’m in process with that. AA is requiring a new email account, which is also a pain to set up. Interestingly, I changed passwords within hours of the hack, and nothing else was compromised. Apparently, this kind of theft is focused on stealing FF miles–could have been MUCH worse if the hacker had studied my emails and gotten access to other things before I erased them the next day. I advise readers to look in old email files for anything with financial information or links, and of course, the obvious: change all passwords immediately.

Leave a Reply