Thieves used Internet IDs to score free air travel

Beware: Don't use the same user name and password on multiple accounts across the Internet, whether it is for Apple iTunes, Twitter, Facebook, a credit card, or a bank.

You could fall prey to crooks who last month latched on to user names and passwords from some unknown website and tried them out on American Airlines and United Airlines customers' frequent-flier mileage accounts - to cash in on free travel.

Thieves obtained user names and passwords and used them to log into American's AAdvantage and United's MileagePlus, guessing that the log-in information might be the same.

In some cases, it was.

The thieves logged in to about 10,000 American customer accounts, and in two instances used passengers' miles to book free trips or upgrades, said American spokeswoman Martha Thomas.

No US Airways Dividend Miles customer accounts were affected.

American and US Airways merged in December 2013, but the frequent flier programs will not be combined until later this year.

"We've already restored the miles to these customers' accounts and will do the same for any other affected customer," Thomas said. American is notifying customers and has locked the compromised accounts.

No Social Security numbers or credit card information were on the accounts, Thomas said.

Nevertheless, American is offering free credit monitoring for one year to those affected.

"We also are working with U.S. federal law enforcement to investigate the matter," Thomas said.

"No one hacked into our systems to get the user names and passwords," Thomas said. "We're still investigating where the user names and passwords came from, but this third party was operating under the assumption that people might be using the same user name and password combinations for multiple accounts."

United Airlines said "unknown and unauthorized parties" were able to score mileage transactions, such as transferring miles toward travel or booking a trip, on fewer than three dozen accounts, according to airline spokesman Luke Punzenberger.

United has about 95 million MileagePlus members.

United notified the customers in late December. Punzenberger said the airline would restore miles to anyone who had them stolen.

"We take vigorous steps to make sure the security of our site and our customers' information is safe," Punzenberger said. "We identified this issue and proactively reached out to these customers."

To combat fraud, United has begun requiring customers to enter their MileagePlus numbers in addition to a password when logging in.

"Before they could use a user name and a password. We changed that because a MileagePlus number is specific to United Airlines," Punzenberger said.

215-854-2831