American Airlines’ absurd rule for account security breaches


I woke up today to an e-mail no one wants to get — American Airlines let me know that they “recently detected activity indicating that someone with your username and password gained unauthorized access to your online AAdvantage® account.”

Although American Airlines provided a number to call in the e-mail, I wanted to make sure the e-mail itself wasn’t a phishing attempt, so I called the main AAdvantage customer support number instead. After over 30 minutes of waiting to speak to someone, they confirmed that someone other than me had tried to access my account.

These things happen, and American Airlines said they needed to create a new account for me, which was understandable. But American Airlines said that to make a new account, I needed to provide a new e-mail address, and that if I didn’t use a new e-mail address, American Airlines would not reimburse me for any stolen miles in the future.

American Airlines justified this policy by saying that my e-mail address appears on https://haveibeenpwned.com/, showing that it had been compromised. On the call, I went through my address book and every single e-mail address I checked belonging to my friends also appeared as compromised on https://haveibeenpwned.com/ (not surprising, given the number of data breaches and compromises over the years).

Overall, I think American’s approach here is absurd and punitive. I’d argue that most people use a single e-mail address for all of their mileage accounts, so asking someone to use a separate e-mail just for American Airlines is an annoying lift.

I’ve had security alerts from other airlines and while it’s resulted in either me creating a new password or getting a new account in place, I’ve never had an airline or hotel tell me that I need to change my e-mail address or my account won’t be protected. Perhaps American Airlines isn’t confident in their own security measures, which is why they demand that customers use a new e-mail address and other companies don’t.

Do you think American Airlines’ policy of requiring customers to use a new e-mail address for their account if there’s a security breach is out of line with industry standards, or am I overreacting?

11 comments
  1. While I think it’s unnecessary because it constitutes an antiquated belt and suspenders response, I also think that your response is a bit much. Punitive? You can create a new email address specifically for AA within a few seconds, and be done with it.

    However, what they really need to do is institute and enforce MFA (and preferably passcodes, NOT an SMS), thereby moving into the 21st century of cybersecurity.

    Regardless, I think the real story here is that AA detected the intrusion and proactively warned you. Focus on what that means – they’re paying attention. That’s good, and not all that common.

    1. Appreciate the optimistic outlook here! I was about to respond and say that “punitive” was too strong of a word, but I stand by it — mostly because AA did, for all intents and purposes, threaten to punish me if I didn’t get a new e-mail address (essentially “get a new e-mail address or, if someone steals your AA miles, we aren’t responsible”).

      While I agree the process of creating a new e-mail address can be easy, keeping track of all your different passwords can be difficult enough without adding having to keep track of different e-mail addresses to the equation. I agree that AA should enforce MFA, and I am glad they let me know of the potential intrusion; I just wish they had better solutions.

        1. Appreciate that, Alex! It’s a little hard to come up with those steps when you’re put on the spot on a call (at that point, I had been on the call for 45 minutes at the start of my work day). The options presented to me were: (1) stick with your e-mail address as-is with no protections, and (2) provide a new e-mail address and be protected. If I had time, I would have maybe Googled that — but at the same time, I stand by this being an antiquated requirement (actually, it’s not even antiquated, as I’ve never heard of or experienced a company asking users to do the same, and I work in technology).

  2. Makes sense. AA doesn’t know if your email is hacked/compromised, but you insist yours is not. If I were AA, or any company, and my customer wants to use the same compromised email again, why would I be willing to help and keep giving them money when it is stolen? I mean, I am surprised that you think it is ok to use the same email address and want protection in the future and think AA is out of line... or is it just your way of trying to get readers engaged...

    1. Appreciate your comment! Note that it’s not standard, or even common, for a company to demand that customers get a new e-mail address in order to be afforded security protections. Can you think of any time an airline, hotel, bank, or other company has told you that the only way your account would qualify for security protections is if you registered your account under a new e-mail address?

      And for what it’s worth, the issue wasn’t with my e-mail address (the e-mail from AA stated that someone with my “username and password gained unauthorized access” to my account, and my username was/is different than my e-mail address). Instead, on the phone AA stated that the only reason why I needed to use a new e-mail address was that they did a search and saw my e-mail address listed as “pwned” on https://haveibeenpwned.com/, and I’d venture that the majority of AA members have their e-mail address showing up as “pwned” on that website.

      As mentioned, I’m glad that AA detected the activity — but demanding that I register the account under a new e-mail or lose all protections is well outside of industry standards.

  3. I’m not shocked at AA’s response. I’ve had my Hilton account compromised (which actually was handled very well by them – the property where someone redeemed a stay actually asked me if they could keep the reservation until the person showed up to check in, then they’d call the police. Hilton issued me a new number immediately and transferred my points over).

    I’ve had other issues with AA and somewhat ridiculous policies. I live in an AA hub. I often will travel 2-3 days a week and visit the same number of cities. Three times now when I’ve connected back through my home airport, they’ve locked my reservation per corporate security as suspected hidden city ticketing, which means you have to see an agent who has to get a supervisor who has to call someone in order to even check in. The response from corporate security? You did hidden city once. No, I didn’t – I was connecting through my home airport and they delayed my connection 14 hours until the next day, which I then canceled because it was pointless to fly somewhere I was returning from 3 hours later at that point (my return ticket was on Delta).

    American having what is now industry standard account verification for access should be the first step. I think changing the email address is kind of silly when nobody else does that as a solution. They’re basically saying the account breach is your fault. It’s like saying your credit card got stolen and used at the store, but it’s your fault the cashier didn’t verify ID or check the signature when someone used it.

    1. I kind of love what Hilton did there, asking to keep the reservation to catch the person. It is shocking that people will hack accounts and then use the tickets/stays on their own, knowing how easy it is to get caught in person. And super frustrating hearing about your AA experiences! Totally agree that AA needs to update their security procedures.

  4. @ Josh — I agree with you. Ultimately, breaches of your AA account are primarily AA’s fault. AA could eliminate the vast majority of these breaches with better security protocols. For them to ask you to make such a draconian change is bs.

  5. ‘Punitive’ indeed!! Anyone can create a new account, but like you said, it is additional maintenance. Since I started in 2017, I had my first compromised account and it was my AA account. This occurred in November 2025. Just as I was having breakfast, I checked my email and noticed an unusual amount of spam email. Among them was a congratulations from AA for redeeming my miles. It was for a RT in economy for 60k miles for a short flight in East Africa. I was also told by AA to give a new email. I just happened to have another account with Google. I only use it for AA now, and the only good news here is it keeps my account from going dormant. I now use the Apple keys app which just became available in OS18! It truly is a powerful app. Currently, I have 115 accounts w/115 different passwords! It even comes with keys and codes that change every 28 seconds and flags any password involved in a breach (i.e. dark web). My attorney friend has over 600 accounts.
