Millions of Travelers at Risk as Loyalty Accounts Sold for Pennies on Dark Web

The world of cybercrime records a new trend, which turns something many travelers casually collect into a hot commodity for fraudsters. A recent investigation by cybersecurity firm NordVPN and travel eSIM provider Saily revealed that stolen frequent flyer miles are being bought and sold on dark web marketplaces for as little as 56 pence.

This emerging trend is creating a booming black market that exploits lax security and nets criminals luxury travel for pennies.

The joint probe analyzed thousands of underground forum posts. It exposed a thriving economy in which criminals trade compromised airline and hotel loyalty accounts—some holding hundreds of thousands of points—for a fraction of their real-world value. This isn’t just about a free ticket; it’s a gateway to serious identity theft and organized fraud.

“The danger extends far beyond losing a few free flights,” the report emphasized. These accounts are treasure troves of personal data, often containing home addresses, passport numbers, and payment preferences.

Once in criminal hands, this information can be used for full-scale identity fraud or sold to other crime networks, multiplying the harm to the victim.

Sky-High Targets: Why Emirates and BA Accounts are in Demand

The investigation tracked down the travel brands that are most coveted by cybercriminals – according to the number of listings appearing on the dark web, as well as frequency of listings.

The top three accounts had airlines such as Emirates and British Airways listed the most, and this indicated a high demand for the travel brands.

Since these airlines are prestigious global brands, they are attractive to criminals due to the high value of the mileage accrued from all the flights on these airlines. This mirrors the logic behind attacks on major corporations, where criminals target valuable data and systems to maximize ransom pressure, a pattern clear in the recent Everest ransomware attack on Under Armour.

Hotel loyalty programs have not been immune to security flaws, either. For example, there were also hotel loyalty program databases from large hotel chains like Marriott and Hilton being sold on various dark web adoption sites.

Some of these databases were selling for upwards of £2,250, with full guest histories and payment details stored in them. This gives cybercriminals a large source of valuable information to impersonate travelers or financially exploit them.

One of the issues highlighted in the report is how most people securely monitor their bank accounts, but do not secure their accumulated mileage and loyalty points. Some experts in the investigation noted that travelers frequently do not think about securing their loyalty points.

Because of this, a person may have had several months of unauthorized activity within their accounts without realizing that it is taking place.

The Hackers’ Strategy: How They Steal the Miles

The methods cybercriminals use to hijack these accounts are not particularly technical, but they are devastatingly effective. The primary attack vectors are:

• Credential Stuffing: By taking unrelated data breaches revealed usernames and passwords (for example from social media or retail websites), hackers then programmatically attempt those combinations on the airline and hotel sites where customers maintain. Since many customers use the same username and password combinations across multiple sources, credential stuffing yields a very high percentage.
• Phishing: Cybercriminals typically carry out phishing by sending highly realistic emails that imitate an airline or hotel. They create a sense of urgency—such as warning that points are expiring or reporting suspicious activity—to trick travelers into entering their usernames and passwords on fake websites controlled by criminals.

A Call for More Protective Measures

Meanwhile, experts in the probe indicated that a traveler should not solely rely on companies to protect their reward points/account, as the value of reward points/miles is increasing, making them attractive targets for cybercriminals.

Because of this increase in value, cybercriminals are turning their focus on stealing members’ reward points such as loyalty program points, rather than on obtaining access to bank accounts or credit card information directly.

Marijus Briedis Chief Technology Officer (CTO) of NordVPN advised that a simple way to contain the magnitude of this problem is for travelers to start treating their air miles the same way they would treat a stack of cash. The combination of weak, recycled passwords and the absence of additional security checks makes these travelers’ accounts low-hanging fruit for criminals.

The growth of the dark web black market for stolen air miles has prompted authorities to urge consumers to protect reward points with the same care they use for their financial credentials. Given that identity fraud now impacts millions annually, with notable geographic hotspots of activity, this advice is part of a critical, broader need for heightened digital security awareness everywhere.