Hackers have broken into accounts at American and United Airlines and booked themselves free flights or upgraded their accounts, AP reports.
The theft happened in late December last year, and the thieves made mileage transactions and booked flights for some three dozen accounts, United Airlines spokesman Luke Punzenberger said.
The airline will restore miles to anyone who had theirs stolen, he added.
Some 10,000 accounts have been compromised, said Martha Thomas, a spokeswoman for American Airlines. American Airlines started notifying customers about the theft on Monday, she added.
The airline found out about two cases in which somebody had booked a trip or an upgrade, without the knowledge of the account holder.
The company froze some accounts while it and the customers created new ones, starting with those customers who have at least 100,000 miles.
Thomas said that American Airlines would pay for a credit-watch service for one year for affected customers.
Both companies claim their systems have not been breached, and that the thieves acquired the login information somewhere else. They urged their customers not to use the same login information on more than one site.
The thieves used the acquired login information to try to log in to American's AAdvantage and United's MileagePlus, hoping the usernames and the passwords would match, the airlines claim.
They also said no other data, such as credit card info, has been stolen.
Ken Westin, security analyst at Tripwire, commented: "We have seen similar compromises occur with other loyalty programs, such as with Hilton Honors several months ago.
"Air miles and loyalty programs are low-hanging fruit for hackers because although air miles and points can be used as a form of currency to purchase trips, hotel stays and other goods and services, they generally lack the security controls you would usually see with traditional forms of currency such as with credit card transactions."