
United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 5:42 am
by genybustrvlr
These are my questions... No source... No link... Don't freak out..

High Level Question: Was United.com hacked without disclosure to customers?

Facts:

1) Since late December / early January I cannot use my user id or e-mail to log in. I must use my MileagePlus # and password. (Which I find very annoying from a customer service perspective.) This is a change from past United.com functionality.
2) I e-mailed United multiple times and have asked Premier representatives to explain this change. Nobody will tell me why, if they even acknowledge the change.
3) Today, upon login to book a flight, I was asked to verify/update my account information (name, address, telephone number) and accept new terms and conditions. (which I obviously did not read because who has 45 minutes for that.)

I find this whole situation suspicious.

Why would United roll back account login to a 1990s standard that inconveniences customers without an absolute security need?

Why, shortly after the login restrictions, do I now need to verify/update information that has been on file for quite some time?

What legal obligation does an airline have, if any, to disclose Cybersecurity breaches to customers? I work in the highly regulated finance industry and such a breach requires very explicit disclosure to customers.

Thanks for your replies...

Again, questions, no source don't go a.nuts and make me leave this site for years again.

[Edited 2015-03-19 22:55:36]

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 5:47 am
by flynhi808
Quoting genybustrvlr (Thread starter):
a.nuts

That's gotta be the best thing I've heard all week

Quoting genybustrvlr (Thread starter):
What legal obligation does an airline have, if any, to disclose Cybersecurity breaches to customers?

I would assume they would have to disclose it...

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 6:29 am
by N104UA
Quoting genybustrvlr (Thread starter):
3) Today, upon login to book a flight, I was asked to verify/update my account information (name, address, telephone number) and accept new terms and conditions. (which I obviously did not read because who has 45 minutes for that.)

Companies update their TOS all of the time, I read this (took about 10 min) and there was nothing crazy in it that I could see.

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 8:08 am
by AA737-823
Yes, United/MileagePlus was hacked, along with the FF databases of several other US carriers.
But it was made public over a month ago.
Google is your friend.

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 8:43 am
by ghifty
Quoting genybustrvlr (Thread starter):

Hmm, I wouldn't be too alarmed with this change.

Delta.com now forces you to use your SM# and password. Previously I would just use my Last Name and a 4 digit pin code. The change also required me to change my password and enter more variations of characters/numbers.

Other sites like Gmail and Facebook are also requiring you to verify accounts with a phone #.. So, seems like a general tightening of web security.. A little inconvenient because it's about as complicated for me to sign into banking accounts as it is to access Facebook, but hey it seems like hackers are breaking in more often..

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 12:33 pm
by cosyr
Quoting genybustrvlr (Thread starter):
3) Today, upon login to book a flight, I was asked to verify/update my account information (name, address, telephone number) and accept new terms and conditions. (which I obviously did not read because who has 45 minutes for that.)

They have asked me to do this once a year for the last several years. And every time, it has failed to take me off that page after I click save or accept, or whatever it says. Annoying, but routine.

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 2:08 pm
by Rdh3e
Quoting flynhi808 (Reply 1):
I would assume they would have to disclose it...

I don't think there is any requirement but lots of places do for fear of it coming out by other means and embarrassing them.

Quoting AA737-823 (Reply 3):

Yes, United/MileagePlus was hacked, along with the FF databases of several other US carriers.
But it was made public over a month ago.
Google is your friend.
http://www.mainstreet.com/article/un...-loyalty-programs-have-been-hacked

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 2:49 pm
by rwsea
Quoting genybustrvlr (Thread starter):
1) Since late December / early January I cannot use my user id or e-mail to log in. I must use my MileagePlus # and password. (Which I find very annoying from a customer service perspective.) This is a change from past United.com functionality.

Many people use the same username and password for several websites. If someone is able to hack your username and password somewhere else, there exists the possibility they can log in to your profile on the UA website. UA had many issues with just that happening, and thus went back to a unique log in for their website to reduce such fraud.

Doesn't seem like something warranting this level of hysteria. Let your account get hacked and then try getting your miles back... and then tell us which is more annoying from a "customer service" perspective.

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 3:34 pm
by airzim
It's also why they are moving away from e-mail addresses as a login name, which is easy to snag.

Once you get an e-mail address, it's easy to run a program that simulates 4 digit passwords until it gets a match. Because people tend to reuse passwords, once you've cracked one website, you've got access to tons of accounts.

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 5:25 pm
by ua900
Quoting genybustrvlr (Thread starter):
Why would United roll back account login to a 1990s standard that inconveniences customers without an absolute security need?

Why, shortly after the login restrictions, do I now need to verify/update information that has been on file for quite some time?

They got hacked, hence the change. IIRC everyone affected got their miles back. So it seems like a security related precaution on their part to minimize reimbursements.

All, to the OPs second question, any reason why they would require verification of contact information as part of login? I get the TOS update acknowledgements, but Apple and others don't seem to require contact information to be validated as frequently it seems. It may be anecdotal, but I've run into this 3-4 times over the past 12 months or so.

RE: United Website - Questions - Don't Freak Out

Posted: Fri Mar 20, 2015 5:50 pm
by maxamuus
Quoting airzim (Reply 8):
It's also why they are moving away from e-mail addresses as a login name, which is easy to snag.

Once you get an e-mail address, it's easy to run a program that simulates 4 digit passwords until it gets a match. Because people tend to reuse passwords, once you've cracked one website, you've got access to tons of accounts.

Which is EXACTLY what happened. The system wasn't hacked. Hackers obtained the email addresses from some other source and had pins as well. People tend to use the same pin on many different accounts so it was pretty easy to get into their accounts.
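
Added example (not part of any post in this thread): a defender-side sketch of how the two login patterns described in the last few replies, repeated PIN guesses against one account and reused email/PIN pairs tried across many accounts, look different in login logs. The event format, thresholds, IP addresses and login ids are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, login_id, succeeded).
# IPs come from documentation ranges; login ids are made up.
EVENTS = (
    # One source trying many PINs against a single account.
    [("192.0.2.10", "alice@example.com", False)] * 7
    # One source trying one reused email+PIN pair per account.
    + [("198.51.100.7", f"user{i}@example.com", i == 3) for i in range(6)]
    # An ordinary customer who mistypes once, then logs in.
    + [("203.0.113.5", "bob@example.com", False),
       ("203.0.113.5", "bob@example.com", True)]
)

def classify_sources(events, guess_threshold=5, account_threshold=4,
                     fail_ratio=0.5):
    """Label each source IP by the shape of its login attempts."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> login_id -> failures
    accounts = defaultdict(set)                    # ip -> login ids attempted
    totals = defaultdict(int)                      # ip -> all attempts
    for ip, login_id, ok in events:
        accounts[ip].add(login_id)
        totals[ip] += 1
        if not ok:
            fails[ip][login_id] += 1
    labels = {}
    for ip, tried in accounts.items():
        per_account = fails[ip].values()
        failed = sum(per_account)
        if max(per_account, default=0) >= guess_threshold:
            # Many failures against one login id: guessing within a small
            # keyspace; per-account lockout is the matching control.
            labels[ip] = "pin_guessing"
        elif (len(tried) >= account_threshold
              and failed / totals[ip] >= fail_ratio):
            # Few attempts each across many login ids: per-account lockout
            # never triggers, so the signal has to be per source.
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "normal"
    return labels

def pin_guess_probability(allowed_attempts, digits=4):
    """Chance of hitting a uniformly random PIN before lockout."""
    return min(1.0, allowed_attempts / 10 ** digits)

if __name__ == "__main__":
    for ip, label in classify_sources(EVENTS).items():
        print(ip, label)
    print(pin_guess_probability(5))
```

The thresholds are illustrative; a shared NAT such as airport Wi-Fi can also show many distinct accounts from one address, which is why the failure ratio is checked as well.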