Credential-Stuffing Fraud Targeting United MileagePlus Accounts
Automated tools test leaked email-and-password combinations against United MileagePlus accounts, allowing attackers to redeem miles for flights or gift cards and access stored payment details before the legitimate member realises.
Part of: Credential Stuffing Account Fraud
Last reviewed: 8 June 2026
United MileagePlus miles accumulated over years of business travel can represent thousands of dollars in flight value. When an attacker successfully credential-stuffs a MileagePlus account — testing a leaked email-password pair from an unrelated breach — they can immediately begin converting that value into flights, upgrades, or third-party gift cards.
The vulnerability is password reuse, not a United breach. Members who use the same password across multiple online accounts are exposed whenever any one of those other services suffers a data breach. Automated stuffing tools are cheap to operate and can test millions of combinations in hours.
United has anti-stuffing measures including CAPTCHA and rate-limiting, but sophisticated attackers use residential proxy networks to distribute requests and bypass these defences. Account takeovers can happen quickly, and the earliest sign is often a redemption alert or login notification rather than anything visible in the app.
How this scam works on the United Airlines brand
After gaining access, the attacker changes the account email address or disables notifications to prevent the real member from being alerted. They then redeem miles for flights departing in the near future, which makes reversal harder, or transfer miles to airline partners and third-party reward programmes that are more difficult to claw back.
Some attackers exploit stored payment methods in the MileagePlus account to purchase upgrades or excess baggage allowances. Others export passport and Global Entry information stored in the United profile for identity theft.
Following the initial redemptions, the attacker may attempt to open a United MileagePlus credit card in the victim's name using the data already in the account, resulting in a hard credit inquiry and a new fraudulent credit line.
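The sequence described above (sign-in from an unfamiliar device, then an email or notification change, then a redemption) can be correlated on the defender's side. The following is an added example, not United's code or logic: the event names, field layout, device identifiers and 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

CONTACT_CHANGES = {"email_change", "notifications_disabled"}

# Constructed sample events: (timestamp, account, event type, device id).
EVENTS = [
    ("2026-06-01T09:00:00", "acct-A", "login", "dev-1"),
    ("2026-06-01T09:05:00", "acct-A", "redemption", "dev-1"),
    ("2026-06-02T03:10:00", "acct-B", "login", "dev-9"),
    ("2026-06-02T03:12:00", "acct-B", "email_change", "dev-9"),
    ("2026-06-02T03:20:00", "acct-B", "redemption", "dev-9"),
    ("2026-06-03T10:00:00", "acct-C", "login", "dev-3"),
    ("2026-06-03T10:02:00", "acct-C", "email_change", "dev-3"),
    ("2026-06-03T10:30:00", "acct-C", "redemption", "dev-3"),
    ("2026-06-04T02:00:00", "acct-D", "login", "dev-7"),
    ("2026-06-04T02:01:00", "acct-D", "notifications_disabled", "dev-7"),
    ("2026-06-06T02:00:00", "acct-D", "redemption", "dev-7"),
]
# Devices each account has signed in from before (constructed).
KNOWN_DEVICES = {"acct-A": {"dev-1"}, "acct-B": {"dev-2"},
                 "acct-C": {"dev-3"}, "acct-D": {"dev-4"}}


def review_accounts(events, known_devices, window=timedelta(hours=24)):
    """Return {account: 'hold' | 'watch'} for accounts matching the sequence."""
    state = {}    # account -> (stage, device, time of the new-device login)
    verdict = {}
    for ts, account, kind, device in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if kind == "login":
            if device not in known_devices.get(account, set()):
                state[account] = ("new_device", device, when)
            continue
        stage = state.get(account)
        if stage is None or stage[1] != device or when - stage[2] > window:
            continue  # known device, a different device, or outside the window
        if kind in CONTACT_CHANGES:
            state[account] = ("contact_changed", device, stage[2])
            verdict.setdefault(account, "watch")  # contact details altered from a new device
        elif kind == "redemption" and stage[0] == "contact_changed":
            verdict[account] = "hold"  # full sequence: hold the award for review
    return verdict


if __name__ == "__main__":
    print(review_accounts(EVENTS, KNOWN_DEVICES))
```

A member who changes their email and redeems from a device they have used before (acct-C) is not flagged, while a contact change from a new device with no redemption inside the window (acct-D) is only marked for watching.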
Common red flags
- You receive a MileagePlus redemption confirmation for flights or awards you did not book
- A MileagePlus login alert arrives from an unfamiliar device or country
- Your MileagePlus balance has decreased without a corresponding redemption you made
- Your account email address or notification settings have changed without your action
- You cannot log in to your MileagePlus account despite using the correct password
- A hard credit inquiry from United's card issuer appears on your credit report unexpectedly
How to protect yourself
- Use a unique, strong password for MileagePlus — never shared with another service
- Enable two-step verification on your MileagePlus account under the Security section of your profile
- Check haveibeenpwned.com to see if your email has appeared in known breaches and change reused passwords
- Review your MileagePlus balance and activity statement regularly at united.com
- Consider a credit freeze to prevent new card applications being made in your name using MileagePlus account data
- Set up login notifications in your MileagePlus profile so any new-device sign-in triggers an immediate alert
How to report it
- Contact United MileagePlus customer service at 1-800-421-4655 to report account fraud and request a points investigation
- Report to the FTC at reportfraud.ftc.gov
- File a report with the FBI at ic3.gov if fraudulent credit applications resulted from the account takeover
- Change the breached password on every other site where you used the same combination
Frequently asked questions
Can stolen MileagePlus redemptions be reversed?
United MileagePlus investigates reported fraud and has reinstated miles in confirmed cases of account takeover. Contact customer service immediately, as unredeemed or recently redeemed awards are more likely to be recoverable.
What data is stored in my MileagePlus account that attackers could misuse?
MileagePlus accounts may hold passport information (from Trusted Traveler links), Global Entry numbers, payment card details, and travel history. This makes account compromise significant beyond just the miles balance.
I have Premier status — does that make me a higher-value target?
Higher-tier members tend to have larger miles balances and more stored profile data, making their accounts more attractive. Premier members may also have companion certificates or upgrade inventory that attackers can exploit.