Chicago travelers are being urged to log in and take a hard look at their airline and hotel loyalty accounts, as researchers say those accounts are quietly being bought and sold on dark-web forums. Some profiles, including ones loaded with hundreds of thousands of miles or points, have reportedly gone for as little as $0.75 and up to about $200. Once scammers get in, they can drain balances, book trips, or flip rewards into gift cards, leaving victims dealing with potential identity theft and a pile of unexpected financial headaches.
The warning surfaced in local coverage after a joint study by cybersecurity firm NordVPN and travel eSIM app Saily, according to ABC7 Chicago. The station’s report lays out basic consumer advice: use strong, unique passwords for every loyalty account, turn on multi-factor authentication wherever it is available, and keep an eye on your accounts for any unfamiliar bookings, missing points, or login alerts. If something looks off, the guidance is to act fast.
The underlying analysis dug through dark-web listings and found that a small group of airlines and hotel chains showed up far more often than others, according to the NordVPN report. The write-up names Southwest, Emirates, United, Alaska, American, and Delta among the frequently cited airlines, and flags Hilton, Marriott, and IHG on the hotel side. Researchers say some leaked datasets include names, email addresses, stay histories, and, in a few cases, passport numbers, which raises the stakes well beyond a few missing miles.
Not every dark-web thread the researchers reviewed was a straightforward sale, but when accounts or full databases were offered, the prices varied widely. Saily's summary of the study notes individual accounts advertised for between $0.75 and $200, while larger, high-value databases that contain sensitive identifiers can go for thousands of dollars on underground markets. Saily and NordVPN say their search used AI tools to sift through five years of posts, providing a snapshot rather than a full census of what is out there.
How scammers use stolen accounts
According to the researchers, the most common ways criminals crack into loyalty accounts are phishing emails or texts, credential-stuffing attacks that reuse passwords from other data breaches, and leaks from third-party partners connected to travel programs. The NordVPN analysis also notes that some dark-web sellers advertise "safe flights" or "pay after" deals, sales pitches meant to reassure buyers that these stolen tickets will not trigger alarms. In reality, bookings made with compromised credentials can be canceled and traced, and legitimate customers are often left fighting to restore their points and clear fraud alerts from their profiles.
How to protect your miles and points
The security advice here is not glamorous, but it is effective: use unique passwords for every loyalty account, enable multi-factor authentication whenever the option is available, and avoid logging in over unsecured public Wi-Fi. The ABC7 Chicago reporting echoes those tips and adds that travelers should monitor their accounts for surprise reservations or sudden drops in point balances, then change passwords immediately if they suspect a problem.
If an account is compromised, the Federal Trade Commission’s IdentityTheft.gov offers a step-by-step recovery plan. That guidance includes contacting the affected company, placing fraud alerts or credit freezes, and filing an official report to help limit any long-term fallout.
