Security · May 7, 2026 · 8 min read

What to Do If Your Loyalty Program Account Is Hacked


By Sarah Chen

Head of Privacy Research


Your airline miles, hotel points, and retail rewards have real monetary value — and criminals know it. More than $1 billion in loyalty points are stolen from consumers every year, and 72% of loyalty programs have experienced some form of theft or fraud. If your loyalty account has been compromised, quick action is essential. Here is exactly what to do, step by step, and how to prevent it from happening again.

Why Hackers Target Loyalty Accounts

Loyalty program accounts are attractive targets for a simple reason: they hold value that is easier to steal than cash. Unlike bank accounts, loyalty accounts typically lack strong security measures. Most have no multi-factor authentication, no transaction alerts, and no fraud monitoring. Meanwhile, the points sitting in those accounts can be worth hundreds or even thousands of dollars.

Consider the scale: the global loyalty points economy is valued at over $30 trillion. Airlines alone lose an estimated $3 billion annually to account takeovers, insider theft, and synthetic identity fraud. On the dark web, stolen loyalty accounts sell for as little as $0.75 for a basic account and up to $200 for accounts loaded with hundreds of thousands of miles.

How the Attacks Work

Hackers use several methods to break into loyalty accounts:

  • Credential stuffing: Attackers use automated tools, usually routed through large pools of proxy addresses to stay under rate limits, to try millions of username-and-password pairs leaked in earlier data breaches against loyalty program login pages. Because many people reuse passwords, roughly 0.2% to 2% of the pairs tested still work, which is more than enough to be profitable at scale.
  • Phishing: Fraudulent emails or text messages impersonate airlines, hotels, or retailers, tricking members into entering their login credentials on fake websites designed to look identical to the real thing.
  • Social engineering: Attackers call customer support using personal information gathered from data brokers and social media to impersonate the account holder, reset the password, and drain the points.
  • Third-party partner breaches: Many loyalty programs share member data with partner companies. A breach at any partner in the chain can expose member numbers, names and contact details, and sometimes login credentials, giving attackers what they need to log in directly or to impersonate you to customer support.
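How a credential-stuffing run looks from the defending side, as an added example that is not code from the original page or from any loyalty program: a Python script that scans login-log lines in an assumed, constructed format (timestamp, client IP, username, result) and flags a source that tries many distinct usernames in a short window with almost every attempt failing. The IP addresses, usernames and thresholds are invented for illustration.

```python
"""Flag credential-stuffing sources in web-server login logs.

Added example for this article, not code from the original page or from any
loyalty program. It assumes a constructed log format, one record per line:

    <ISO-8601 timestamp> <client IP> <username> <ok|fail>

A person mistyping a password produces a few failures for ONE username from
one source. A stuffing run produces failures for MANY usernames from one source
in a short window, with the occasional "ok" marking an account whose owner
reused a breached password.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample log (addresses from documentation ranges, invented users).
SAMPLE_LOG = """\
2026-05-07T10:00:01Z 198.51.100.10 alice@example.com fail
2026-05-07T10:00:09Z 198.51.100.10 alice@example.com fail
2026-05-07T10:00:20Z 198.51.100.10 alice@example.com ok
2026-05-07T10:00:00Z 203.0.113.7 bob@example.com fail
2026-05-07T10:00:00Z 203.0.113.7 carol@example.com fail
2026-05-07T10:00:01Z 203.0.113.7 dave@example.com fail
2026-05-07T10:00:01Z 203.0.113.7 erin@example.com fail
2026-05-07T10:00:02Z 203.0.113.7 frank@example.com ok
2026-05-07T10:00:02Z 203.0.113.7 grace@example.com fail
2026-05-07T10:00:03Z 203.0.113.7 heidi@example.com fail
2026-05-07T10:00:03Z 203.0.113.7 ivan@example.com fail
2026-05-07T10:00:04Z 203.0.113.7 judy@example.com fail
2026-05-07T10:00:04Z 203.0.113.7 mallory@example.com fail
"""


@dataclass
class SourceStats:
    """Per-source counters accumulated while scanning the log."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    compromised: List[str] = field(default_factory=list)  # usernames that logged in
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str):
    """Split one log record into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text: str, min_users: int = 5, min_fail_ratio: float = 0.8,
                    window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Return {source_ip: summary} for sources that look like stuffing runs.

    Thresholds are illustrative assumptions: at least `min_users` distinct
    usernames, at least `min_fail_ratio` of attempts failing, all inside `window`.
    """
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "ok":
            s.compromised.append(user)
        else:
            s.failures += 1
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)

    flagged = {}
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        in_window = (s.last - s.first) <= window
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio and in_window:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(s.compromised),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {summary['attempts']} attempts against "
              f"{summary['distinct_users']} accounts, fail ratio {summary['fail_ratio']}; "
              f"accounts to freeze and reset: {', '.join(summary['compromised']) or 'none'}")
```

Per-source aggregation is the simplest signal and also the easiest to evade: real stuffing runs are spread across proxy networks so that each address makes only a handful of attempts, which is why production detection also keys on request fingerprints, per-account failure spikes and a rise in the site-wide failure rate. The successes the detector surfaces (here frank@example.com) are the accounts a program should freeze and force through a password reset before the points are redeemed.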

Loyalty Fraud Often Goes Unnoticed for Weeks

Unlike a bank account, most people do not check their loyalty point balances regularly. Attackers exploit this gap — they can drain an account and redeem stolen points for flights, hotel stays, gift cards, or merchandise long before the account holder notices anything is missing. Set a calendar reminder to check your loyalty balances at least once a month.

Signs Your Loyalty Account Has Been Compromised

Watch for these warning signs that someone may have accessed your loyalty account without authorization:

  • Points or miles have disappeared or your balance is lower than expected
  • You receive confirmation emails for bookings or redemptions you did not make
  • Your login credentials no longer work
  • Your account profile information (email, phone number, mailing address) has been changed without your knowledge
  • You receive password reset emails you did not request
  • You notice unfamiliar activity in your account transaction history

Immediate Steps If Your Account Is Hacked

If you suspect your loyalty account has been compromised, act quickly. The longer you wait, the harder it becomes to recover stolen points.

1. Contact the Loyalty Program Immediately

Call the loyalty program's customer service line — do not rely on email for urgent fraud issues. Use the phone number printed on the program's official website or on your membership card, never one taken from the suspicious email or text that may have started the problem. Explain that your account has been compromised and ask to speak with their fraud or security team. Request that they freeze your account to prevent further unauthorized activity. Many major programs including Marriott Bonvoy, United MileagePlus, and Delta SkyMiles have dedicated fraud departments.

2. Change Your Password

If you can still log in, change your password immediately. Use a strong, unique password that you have not used on any other site. While you are there, confirm that the email address and phone number on the account are still yours; attackers often change them so that password-reset and redemption emails never reach you. If you are locked out, use the account recovery process or ask customer support to help you regain access.

3. Enable Multi-Factor Authentication

If the loyalty program supports two-factor or multi-factor authentication, turn it on immediately. Use an authenticator app rather than SMS codes when possible, since SMS codes can be intercepted through SIM swapping. Where a program offers passkeys or hardware security keys, those are better still, because they also resist phishing.

4. Review Your Account Activity

Check your full transaction history for any unauthorized redemptions, point transfers, or profile changes. Note the dates, amounts, and details of every suspicious transaction — you will need this information when filing a fraud report.

5. Document Everything

Keep records of all communications with the loyalty program, including representative names, reference numbers, dates, and what was discussed. Save screenshots of unauthorized transactions and any suspicious emails you received. This documentation is critical for recovering stolen points.

6. File a Police Report

While local police may not have the resources to investigate the theft directly, a police report creates an official record of the crime. Some loyalty programs require a police report before they will restore stolen points.

7. Report to the FTC and IC3

File a report with the Federal Trade Commission at IdentityTheft.gov and with the FBI's Internet Crime Complaint Center at IC3.gov. These reports help federal agencies track fraud patterns and build cases against organized cybercrime operations.

8. Check Your Other Accounts

If attackers obtained your loyalty program credentials through credential stuffing, they likely hold the same password for every other account where you reused it. Change the password on every account that shared those credentials, starting with your email account (because it can be used to reset the others), then banking, shopping, and other loyalty programs.

Will the Program Restore Your Stolen Points?

Policies vary significantly between programs. Marriott Bonvoy, as part of its FTC settlement, is required to review loyalty accounts and restore stolen points upon customer request. Many airlines and hotel chains will investigate and restore points as a matter of customer service, though it is not always guaranteed. Some programs, like Southwest Rapid Rewards, state in their terms that they are not responsible for unauthorized access — but they will still investigate and may restore points at their discretion. The key is to report fraud quickly and provide thorough documentation.

How to Protect Your Loyalty Accounts Going Forward

Once you have recovered from a compromise, take these steps to prevent it from happening again:

Use a Unique Password for Every Loyalty Account

This is the single most effective defense against credential stuffing. Use a password manager to generate and store strong, unique passwords for each loyalty program. If one account is breached, the damage stays contained.

Enable All Available Security Features

Turn on two-factor authentication, login notifications, and transaction alerts wherever the loyalty program offers them. Some programs also allow you to set a security PIN for phone interactions with customer service.

Monitor Your Balances Regularly

Check your loyalty point balances and transaction histories at least once a month. The sooner you catch unauthorized activity, the better your chances of recovering stolen points.

Be Cautious with Loyalty Program Emails

Never click links in emails claiming to be from your loyalty program unless you are certain they are legitimate. Instead, navigate directly to the program's website by typing the URL into your browser. Before trusting any link, look at where it actually points (hover on a desktop, long-press on a phone) rather than at the text it displays, and watch for phishing red flags like urgency, generic greetings, and misspelled or lookalike domain names.
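To make the "misspelled domain names" check concrete, here is an added Python example (not code from the original page) that classifies the links in a suspected phishing email against a list of domains assumed, for illustration only, to be the program's real ones. The domain list, brand strings and every sample link are constructed. The script flags typosquats, a brand name buried inside someone else's domain, punycode hosts, the user-info trick (united.com@evil-login.net) and link text that shows one domain while the link goes to another.

```python
"""Check where a link in a 'loyalty program' email really points.

Added example for this article, not code from the original page. The list of
legitimate domains and every sample link below are constructed for illustration;
the brand strings are just the words a phisher would try to imitate.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumption for the example: the domains a member knows to be the program's own.
LEGIT_DOMAINS = {"united.com", "mileageplus.com"}
BRAND_TOKENS = {"united", "mileageplus"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ("www.united.com" -> "united.com").

    Simplification: real code should consult the Public Suffix List (for
    example via the tldextract package) so that hosts under "co.uk" and similar
    multi-label suffixes are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as unlted.com vs united.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain as it might appear in link text."""
    text = text.strip()
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower()


def classify_link(href: str, display_text: Optional[str] = None) -> Dict[str, object]:
    """Classify one link as 'legitimate' or 'suspicious' and list the reasons."""
    parsed = urlparse(href)
    # .hostname drops the port and any user-info, so "https://united.com@evil.net/"
    # resolves to "evil.net" here, exactly as it does in the browser.
    host = (parsed.hostname or "").lower()
    reasons: List[str] = []
    if not host:
        return {"host": host, "verdict": "suspicious", "reasons": ["no host in link"]}
    reg = registrable_domain(host)

    if parsed.scheme != "https":
        reasons.append("not https")
    if display_text:
        shown_host = host_of(display_text)
        if "." in shown_host and " " not in shown_host:  # only compare domain-like text
            shown = registrable_domain(shown_host)
            if shown != reg:
                reasons.append(f"link text shows {shown} but the link goes to {reg}")
    if reg not in LEGIT_DOMAINS:
        domain_reasons: List[str] = []
        if any(label.startswith("xn--") for label in host.split(".")):
            domain_reasons.append("punycode (internationalised) host; letters may only look familiar")
        for legit in sorted(LEGIT_DOMAINS):
            d = edit_distance(reg, legit)
            if 0 < d <= 2:
                domain_reasons.append(f"lookalike of {legit} (edit distance {d})")
        if any(tok in host for tok in BRAND_TOKENS):
            domain_reasons.append(f"brand name appears in the host but the domain is {reg}")
        reasons.extend(domain_reasons or [f"unknown domain {reg}"])

    verdict = "legitimate" if not reasons else "suspicious"
    return {"host": host, "verdict": verdict, "reasons": reasons}


# Constructed sample links (href, visible link text) as they might appear in an email.
SAMPLE_LINKS = [
    ("https://www.united.com/en/us/account", None),
    ("https://unlted.com/login", None),
    ("https://united.com.rewards-verify.net/login", None),
    ("https://united.com@evil-login.net/reset", "https://united.com"),
    ("https://xn--nited-jva.com/", "united.com"),  # punycode-style host, constructed
]

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        r = classify_link(href, text)
        print(f"{r['verdict']:<11} {r['host']:<32} {'; '.join(r['reasons'])}")
```

Two details are worth noting. The user-info trick is resolved by `urlparse(...).hostname` the same way a browser resolves it: everything before the `@` is ignored and the real destination is what follows, so the only defence is to read the hostname, not the start of the URL. And the two-label rule in `registrable_domain` is a stand-in for the Public Suffix List; in production, use a library that consults the real list.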

Limit What You Share with Loyalty Programs

Only provide the minimum required personal information when signing up. The less data a program stores about you, the less exposure you face if that program is breached.

Remove Your Personal Data from Data Brokers

Attackers frequently use data broker sites to gather the personal information they need for social engineering attacks — your full name, address, phone number, date of birth, email, and names of family members. This is precisely the information needed to impersonate you on a customer service call and convince an agent to reset your password. Removing your data from these sites closes a critical gap in your security.

PrivacyOn removes your personal information from 100+ data broker sites and continuously monitors for reappearances. By reducing the amount of personal data available about you online, you make it significantly harder for attackers to answer security questions, impersonate you over the phone, or piece together enough information to take over your loyalty accounts. This kind of proactive data removal is one of the most overlooked — yet effective — defenses against account takeover fraud.

The Bottom Line

Loyalty program fraud is a growing and underreported problem. The points and miles sitting in your accounts have real financial value, and criminals are increasingly sophisticated in how they steal them. If your account has been compromised, act immediately: contact the program, secure your credentials, document everything, and file reports with the appropriate authorities. Going forward, treat your loyalty accounts with the same security seriousness you give your bank accounts — unique passwords, multi-factor authentication, regular monitoring, and reducing your exposure on data broker sites. These steps will not make you invulnerable, but they will make you a much harder target.

Sarah Chen, Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
