By Colin Eastman
August 19, 2024

Password-Based Loyalty Programs are a Hacker’s Paradise

Frequent flier mile programs and travel rewards have long been popular for consumers and the travel brands that manage them. Unfortunately, hackers love them, too. 

The travel industry was among the first to embrace loyalty programs, dating back to the 1980s. Some 40 years later, brand leaders across industries use a variety of point systems and rewards to increase customer engagement and ultimately deepen loyalty.

However, many of these “loyalty” programs are built upon dated authentication technology — membership numbers and passwords — that have become easy targets for hackers. And those hackers do the most disloyal thing possible, systematically stealing points and rewards that don’t belong to them and turning them into free vacations, services, and goods. 

As one Forbes article recently pointed out, “Cybercriminals are taking databases of login credentials exposed in website breaches and using bots to test them en masse. … They’re taking advantage of one of the most common security mistakes people make online: using the same password in multiple places.”

The good news? There’s one fix that would prevent many of these hacks: replacing those membership numbers and passwords with passkeys and biometric authentication.

Loyalty programs and the password problem 


Loyalty programs in the modern era have become increasingly sophisticated. Mobile apps and digital wallets have made it easier for consumers to track and redeem rewards. Companies use data analytics to personalize offers and improve customer engagement.

Unfortunately, authentication technology has lagged behind. Ongoing database breaches, and the relatively easy access they give to leaked usernames and passwords, make these increasingly popular programs ever more valuable targets for hackers.

Meanwhile, hackers are getting more sophisticated in their efforts. In a recent discussion with our team, one retail leader shared their concern about bots — a concern that motivated their move to passkey-based authentication technology. These bots are automated scripts that try large numbers of username and password combinations, sometimes sourced from previous data breaches. Since many users reuse passwords across different services, a password leaked from one site often unlocks accounts on another, giving hackers unauthorized access.

Notable examples of loyalty hacks


Here are a few notable examples of rewards programs that have been hacked:

  • Starwood Hotels — In 2018, Marriott International disclosed a massive data breach affecting up to 500 million guests, including names, addresses, phone numbers, email addresses, passport numbers, and loyalty account information. 
  • British Airways — That same year, British Airways suffered a significant data breach in which hackers stole the personal and financial details of approximately 380,000 customers. The breach included sensitive information from the airline's Executive Club loyalty program, impacting frequent flyers.
  • Wyndham Hotels — Between 2008 and 2010, multiple breaches compromised data, including the loyalty program, from more than 600,000 Wyndham customers. 
  • Dunkin’ Donuts — In 2018, Dunkin’ reported that hackers gained access to DD Perks loyalty accounts using credential stuffing attacks. The attackers used usernames and passwords obtained from other breaches to access Dunkin’ loyalty accounts, putting customer data at risk.
  • Hilton Honors — In early 2020, Hilton Honors members reported unauthorized access to their accounts, resulting in the theft of points and personal information. This was attributed to credential stuffing attacks, where hackers used previously leaked login credentials to gain access to the loyalty accounts.
  • Best Buy — In 2018, Best Buy experienced a data breach through a third-party vendor. While the breach primarily impacted payment information, it also compromised details related to Best Buy's loyalty program, My Best Buy.
  • Sephora — In 2019, a Sephora customer data breach exposed personal information, including names, email addresses, and loyalty program information from Sephora's Beauty Pass members.

Three ways passkeys can lock down loyalty programs


In 2023, notable hacker Sam Curry wrote a blog post that captured the attention of many digital leaders. He detailed his team’s effort to breach the security of a rewards platform used by many in the airline industry. User credentials — usernames, passwords, and membership numbers — were among the weakest links.

Passkeys and biometric authentication, both rapidly gaining adoption, can help lock down loyalty programs and improve the user experience in these ways:

  • Enhanced security: Passkeys and biometric authentication (e.g., fingerprints, facial recognition) are more secure than traditional passwords because they are harder to steal or replicate.
  • Resistant to credential stuffing: Biometric authentication and passkeys are not susceptible to credential stuffing attacks, in which hackers and bots use stolen usernames and passwords from other breaches. A passkey has no reusable secret to leak: the server stores only a public key, and the private key never leaves the user's device.
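To make the second point concrete, here is a simplified model of passkey challenge-response login, written as an added example for this article (it is not code from the author's company or the full WebAuthn protocol). The relying-party names airline.example, hotel.example and air1ine.example are constructed; the model shows why a stale response, a response relayed by a second site, and a look-alike domain all fail where a reused password would succeed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a passkey holder: one key pair per relying party (RP).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register mints a key pair bound to rpID; the server keeps only the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = k
	return &k.PublicKey
}

// Sign answers a challenge; the RP identity is inside the signed message.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	k, ok := a.keys[rpID]
	if !ok {
		return nil, false // no credential for this origin: nothing to hand over
	}
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	sig, _ := ecdsa.SignASN1(rand.Reader, k, digest[:])
	return sig, true
}

// Verify is the server side: same digest over its own rpID and challenge.
func Verify(rpID string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func newChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Scenario runs four login attempts at airline.example; only the genuine one passes.
func Scenario() (genuine, replay, relayed, phished bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	airline := auth.Register("airline.example")
	auth.Register("hotel.example") // same customer, a second loyalty program
	c := newChallenge()
	s, _ := auth.Sign("airline.example", c)
	genuine = Verify("airline.example", airline, c, s)
	replay = Verify("airline.example", airline, newChallenge(), s) // stale response
	s2, _ := auth.Sign("hotel.example", c) // rogue hotel site relays the airline's challenge
	relayed = Verify("airline.example", airline, c, s2)
	_, phished = auth.Sign("air1ine.example", c) // look-alike domain: no credential exists
	return
}
```

Contrast this with a password, where the same string typed at hotel.example is exactly what unlocks airline.example once it leaks.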

Passkeys: Restoring trust and loyalty


Loyalty programs are beloved by customers — when they work. But there’s nothing that will destroy your trust in a company more than knowing your personal information was breached and has fallen into the wrong hands. 

I recently had a friend who had built up loyalty points with their health insurance company based on fitness and health-related activities. But their account got hacked and someone else redeemed their points for an Apple Watch. 

Fortunately, we can help. Our passkey and biometric authentication technology not only vastly reduces security vulnerabilities, but it improves user experience. Contact us today for a demo.



Colin Eastman is a seasoned professional with over 15 years of experience in software sales, specializing in Customer Identity for the last decade. He has held leadership roles at the likes of Experian, Gigya and SAP and has partnered with many enterprise eCommerce companies and Fortune 500s on deploying their Customer Identity and Digital Commerce technology and strategy.