Airline miles, hotel points, and booking platform logins have quietly become prime digital loot. These accounts sit behind flimsy passwords, rarely get checked, and hold value that rivals a decent bank balance, and hackers know it. Between Q4 2023 and Q1 2024, bot attacks on airline accounts protected by Arkose Labs surged 166%. Over that same stretch, the Loyalty Security Alliance reported a 30–40% increase in successfully hacked loyalty accounts.
The culprit? Credential stuffing, a low-effort, high-reward attack that weaponizes your old, reused passwords. But here’s the good news: a short pre-trip security checklist can slam the door before your next getaway.
The Anatomy of a Credential Stuffing Attack (It’s Not What You Think)
Credential stuffing isn’t some shadowy hacker brute-forcing your password one character at a time. It’s far simpler, and far more effective. Automated bots take username-password pairs stolen from one breach and try them across thousands of other sites, guessing you’ve reused the same combo on your airline account, hotel loyalty programme, and favourite booking platform. If you’ve ever used the same password for your gym membership and your frequent-flyer account, you’ve essentially handed over the keys.
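The difference between stuffing and brute-forcing shows up in login logs. The following is an added example, not part of the original article: it labels each source IP by the shape of its failed attempts. The log format, thresholds and function name are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample auth log, one attempt per line:
# "timestamp source_ip username result"
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T10:00:0{i}Z 203.0.113.7 user{i}@example.com "
     f"{'OK' if i == 4 else 'FAIL'}" for i in range(6)]
    + [f"2024-03-01T10:01:0{i}Z 198.51.100.9 carol@example.com FAIL" for i in range(6)]
    + ["2024-03-01T10:02:00Z 192.0.2.44 dave@example.com FAIL",
       "2024-03-01T10:02:09Z 192.0.2.44 dave@example.com OK"]
)

def classify_sources(log_text, min_attempts=5, min_fail_ratio=0.8):
    """Label each source IP by the pattern of its login attempts (hypothetical helper)."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, ip, user, result = parts
        s = stats[ip]
        s["users"].add(user.lower())
        s["total"] += 1
        s["fail"] += 1 if result == "FAIL" else 0

    verdicts = {}
    for ip, s in stats.items():
        fail_ratio = s["fail"] / s["total"]
        spread = len(s["users"]) / s["total"]  # distinct accounts per attempt
        if s["total"] < min_attempts or fail_ratio < min_fail_ratio:
            verdicts[ip] = "normal"
        elif spread >= 0.8:
            # Many different accounts, roughly one try each: leaked pairs being replayed.
            verdicts[ip] = "credential-stuffing"
        elif len(s["users"]) <= 2:
            # Many tries against the same account: password guessing.
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

Per-IP thresholds are only a starting point, since automated traffic can be spread across many addresses.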
The scale of this is staggering. Cloudflare analysed traffic across the websites it protects and found that 95% of login attempts using leaked passwords come from bots. When bot traffic is included, 41% of all authentication requests contain compromised credentials. Even more unsettling is that 41% of successful human logins already involve leaked passwords, meaning real users are unknowingly walking around with compromised credentials.
Travel has been in the crosshairs for years. Between July 2018 and June 2020, Akamai recorded more than 63 billion credential-stuffing attacks against retail, travel, and hospitality, accounting for over 60% of all such attacks in that window, as reported by CloudNexus. HUMAN Security detected 26 billion fraudulent login attempts in 2023, with one in five visits to a login page being an attempted account takeover.
What makes this all the more alarming is how accessible these attacks have become. Off-the-shelf credential-stuffing tools, complete with tech support, are sold by actors in Vietnam, China, and Russia, according to Kevin Gosschalk, CEO of Arkose Labs. You don’t need coding skills. You just need a credit card and a list of leaked passwords.
Why Travel Loyalty Programs Are the Easiest Target
If you were designing the perfect target for cybercriminals, it would look a lot like a travel loyalty programme. Start with the missing security: most hotel and airline chains still don’t require multi-factor authentication because they’re terrified of adding even a second of friction to the booking process, as Forbes explains. Your bank demands MFA for a $50 transfer, but your airline account holding enough miles for a $5,000 flight? One password and you’re in.
Then there’s the value-to-vigilance ratio. Airline loyalty points represent flights worth $1,000, $2,000, or much more, yet people check these balances far less frequently than their bank statements. Fraudsters know this, and can drain an account and disappear weeks before the victim notices anything’s amiss.
Compounding the problem, Transmit Security reports that 45% of loyalty programme accounts are inactive or rarely used. These dormant accounts are a fraudster’s playground, ripe for takeover with nobody watching. As early as 2017, 60% of airlines reported instances of loyalty program fraud.
The breaches themselves tell a brutal story. One example is Marriott’s Starwood breach, which began in 2014 and went undetected for four years. It compromised 131.5 million customers’ personal data (passport numbers, payment card details, contact information) and ultimately led to a $52 million multistate settlement. As part of the deal, Marriott was ordered to offer MFA for Bonvoy accounts.
The current landscape is relentless. VikingCloud found that 82% of North American hotels were hit with a successful cyberattack during summer 2024, and 58% faced five or more attacks. In the airline sector, Arkose Labs data shows 94% of attacks on the industry in Q1 2024 were bot-driven, up from 79% the previous quarter.

Inside the Dark Web’s Travel Points Bazaar
If you want to understand just how commoditised this crime has become, take a look at the dark web. Compromised airline loyalty accounts sell for as little as $0.75, with high-balance accounts fetching up to $200, according to research by NordVPN and Saily. For context, that roughly translates to 56 pence to £150 for UK travellers, which is a pittance for access to flights worth thousands. The NordVPN and Saily study uncovered 1,045 unique posts meaningfully discussing airlines on dark web forums and 551 referencing hotels.
The most-discussed carriers include Southwest (12.2%), Emirates (11.5%), United (11%), Alaska (10.4%), American (8.9%), Delta (7.3%), and British Airways (5.5%). Hotel databases represent an even more lucrative prize that includes guest names, email addresses, stay histories, and passport numbers packaged into datasets selling for up to $3,000 (approximately £2,250).
Hackers don’t exactly operate in the shadows on this. Forbes reports that compromised accounts are frequently sold through Telegram and WhatsApp groups, priced at 80% of the points’ value or less, sometimes with guarantees of access for a minimum number of minutes, a twisted customer-service promise. And the threat isn’t always external. In 2024, two Qantas contractors abused their access to divert frequent-flyer points from roughly 800 customer accounts, as ID Dataweb notes.
The Staggering Cost for Companies and for You
The financial toll here is breathtaking. Loyalty fraud costs the travel and hospitality industry over $1 billion annually. Roughly 1% of airline point redemptions are fraudulent, but when staff time and point refunds are included, total losses reach about 3%, according to the Loyalty Security Alliance.
Individual breaches carry enormous price tags, with IBM’s 2024 Cost of a Data Breach report showing the average damage from credential-stuffing attacks at a significant amount per breach. Meanwhile, Verizon’s 2024 Data Breach Investigations Report found stolen credentials involved in 31% of breaches, as cited by HUMAN Security.
For travel merchants specifically, 53% say online fraud costs them more than $10 million annually, with 79% expecting that figure to climb. And 75.7% of travel merchants saw fraud increase in 2024.
For individuals, the damage extends well beyond lost points. Breached hotel databases can leak passport numbers and detailed travel patterns, which is exactly the kind of information that fuels identity theft long after your suitcase is unpacked. The miles you lost might be refunded, but your compromised identity is far harder to recover.
Your Pre-Trip Security Checklist: 5 Steps to Lock Down Your Travel Accounts Before You Fly
Step 1: Give Every Account a Unique, Strong Password (and Keep Them Safe)
Password reuse is the engine driving the credential-stuffing epidemic, and every recycled password is a ticking time bomb.
The fix is straightforward but requires a tool you can trust: Proton’s password generator generates and stores strong, unique passwords for every single travel account. A strong password should be at least 12–15 characters, using a random mix of letters, numbers, and symbols — and it must never appear on more than one site.
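To check existing accounts against this rule, the following added example (not from the original article or from any password manager's own tooling) audits a CSV export for reused passwords and for ones that miss the length and character-mix guidance above. The column names and the sample rows are assumptions, and the sample data is constructed.

```python
import csv
import hashlib
import io
import string
from collections import defaultdict

# Constructed sample export; the site,username,password columns are an assumption.
SAMPLE_EXPORT = """\
site,username,password
airline.example,me@example.com,Summer2019!
hotel.example,me@example.com,Summer2019!
booking.example,me@example.com,t7#Qv9!mZp2&Lx4w
gym.example,me@example.com,hunter2
"""

MIN_LENGTH = 12  # lower bound of the 12-15 character guidance

def audit_export(csv_text):
    """Return {site: [problems]} for weak or reused passwords (hypothetical helper)."""
    by_digest = defaultdict(list)
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        site, pw = row["site"], row["password"]
        # Group by digest so plaintext passwords never appear in the report.
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(site)
        if len(pw) < MIN_LENGTH:
            findings[site].append(f"shorter than {MIN_LENGTH} characters")
        has_all_classes = (
            any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw)
        )
        if not has_all_classes:
            findings[site].append("missing letters, digits or symbols")
    # Any digest seen on more than one site is a reused password.
    for sites in by_digest.values():
        if len(sites) > 1:
            for site in sites:
                others = ", ".join(s for s in sites if s != site)
                findings[site].append(f"password reused on {others}")
    return dict(findings)

if __name__ == "__main__":
    for site, problems in audit_export(SAMPLE_EXPORT).items():
        print(f"{site}: {'; '.join(problems)}")
```

Delete the plaintext export as soon as the audit is finished.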
Step 2: Turn On Multi-Factor Authentication
Multi-factor authentication is the closest thing we have to a security superpower. Microsoft’s research found it reduces the risk of account compromise by 99.22% across the board, and by 98.56% even when credentials are already leaked.
Those are not marginal improvements; they amount to near-elimination of the threat.
Step 3: Regularly Audit Your Accounts and Set Up Alerts
With 45% of loyalty accounts inactive or rarely used, the window for undetected fraud is wide open. Schedule a quick monthly sweep of your airlines, hotels, and OTAs. Look for any redemption you don’t recognize. Fraudsters often start with tiny, inconspicuous withdrawals, like a small lounge pass, or a cheap upgrade, to test whether anyone’s paying attention.
Turn on SMS or email notifications for every transaction because that immediate ping when points move is often the difference between catching a breach early and discovering an empty account months later.
Step 4: Outsmart Phishing Traps Disguised as Booking Confirmations
You know the email: “Urgent: your booking confirmation requires immediate verification.” It looks authentic, carries a familiar logo, and arrives just before a trip when you’re scrambling. One click, one entered password, and your credentials are gone.
Using hide-my-email aliases makes it much harder for phishers to reach your real inbox. Never click links in unexpected emails, and always navigate directly to the booking site.
For a deeper look at locking down your travel communications, check out How To Secure Travel Emails With Minimal Effort.
Step 5: Lock Down Your Devices and Connection
Public Wi-Fi at airports, hotels, and cafés is a credential-stuffing magnet. You should always connect through a VPN when travelling to encrypt your traffic. Keep your devices updated, enable screen auto-lock, and never save passwords in your browser; that is what your password manager is for.
Caveats & Counterpoints: No Silver Bullet
MFA is powerful but not impenetrable, and SIM-swap attacks and advanced phishing can still pierce it, though Microsoft’s 99.22% risk reduction makes it a non-negotiable layer regardless. Password managers create a single point of failure if your master password is compromised; mitigate that with a strong master password and MFA on the vault itself.
Dark web monitoring only flags a breach after it happens — it’s reactive — but combined with unique passwords, it stops the domino effect of a single leaked credential taking down every account. Many travel companies still refuse to offer MFA, leaving gaps that only user vigilance can fill.
Fraud rates aren’t slowing down either: loyalty fraud cases rose 30% in 2022, and 79% of travel merchants expect costs to climb further. The steps above dramatically shrink your exposure, but they don’t erase every theoretical risk.
Don’t Let Hackers Board Your Next Flight
Before each departure, run through this exact checklist: unique passwords for every account, MFA everywhere it’s offered, alerts switched on, and a VPN locked in. That way, you can travel with confidence that your points and data aren’t the low-hanging fruit anymore.
Travel accounts are a prime target, credential stuffing is relentless, and the dark-web marketplace for your miles is humming 24/7. Yet this isn’t a problem that demands a cybersecurity degree to solve. A short pre-departure routine, starting with a strong, unique password generated for every account, slashes your risk massively.
Use the checklist before your next booking, and your miles will still be yours when you’re ready to use them.
