Criminals Targeting Travel Rewards: NordVPN, Saily

A joint study by NordVPN and a travel eSIM app, Saily, has shed light on the alarming prevalence of data breaches and loyalty points theft targeting major players in the travel industry. The research reveals that airlines and hotel chains have had their customer data compromised and sold on darknet forums, putting millions of travelers at risk of identity theft and financial losses.

With the Christmas travel peak approaching, cybersecurity experts warn that millions of people flying home for the holidays may be unaware that their loyalty accounts could already be compromised. The surge in seasonal travel makes loyalty points scams particularly appealing to hackers: Stolen miles and hotel points can be resold quickly, used to book last-minute trips, or converted into gift cards and other rewards.

According to the Saily and NordVPN study, American Airlines, Southwest, Emirates, United, Alaska, and Delta were among the most commonly discussed airlines on dark web forums, accounting for more than 50% of all airline-related cybercrime discussions. Stolen loyalty program accounts, some with hundreds of thousands of miles, are being sold for as little as $0.75 and up to $200, allowing cybercriminals to book free flights and other perks at the expense of legitimate customers.

Cybercriminals get loyalty account data through several methods, like phishing scams that mislead users into revealing their credentials, data breaches that expose customer databases, and credential stuffing attacks that involve password reuse across different services. Once criminals get into an account, they can quickly use up the loyalty points for booking flights or hotel stays that they later resell, convert points into gift cards, or move them to other accounts. Because these transactions blend in with normal activity, it becomes hard to trace where the points went, making it easy for scammers to cash out without being noticed.

“The travel industry is a lucrative target for hackers due to the sensitive personal and financial data they handle. Our research shows that airlines continue to face data breaches, and this stolen information has a thriving market on the dark web,” said Marijus Briedis, chief technology officer at NordVPN. “Consumers should strengthen their account security, particularly during busy travel periods when scammers are most active.”

The hospitality sector is increasingly exposed on the dark web, with hotel loyalty programs emerging as one of the most valuable targets. Major global chains, such as Marriott, which accounts for 35% of dark-web hotel market mentions, as well as Hilton, IHG, and Accor, are frequently discussed on darknet forums in connection with data leaks, scams, and B4U-type credential-stuffing services.

The research showed evidence that hotel databases traded on the dark web often include not only guest information but also loyalty account details, making them especially popular among cybercriminals. These collections sometimes contain millions of records: names, email addresses, stay histories, and even passport numbers in some cases. Leaked databases containing high-value sensitive information can sell for up to $3,000.

“The price of stolen databases isn’t determined by their volume. What drives the value are sensitive details like passport numbers, loyalty points, or information linked to places or organizations that attract extra attention. High-value data like this justifies much higher prices, which motivates cybercriminals to target companies in the travel sector more aggressively,” said Vykintas Maknickas, CEO of Saily.

“Recent research shows that half of the respondents reuse the same password for multiple accounts, which results in a much higher risk of identity theft and financial fraud,” Briedis added. “Using strong, unique passwords for every account and turning on multi-factor authentication is one of the simplest ways to stay protected.”

Checking a loyalty account’s login history periodically can save travelers from unpleasant surprises. If any suspicious activity appears, they should immediately change their passwords.

“Check your accounts before and after a trip. Traveling increases exposure simply because you’re accessing your accounts more and not always on trustworthy networks. Consider using a travel eSIM to minimize these risks,” said Saily’s Maknickas. “Where possible, enabling alerts for unusual point redemptions is also recommended, since responding quickly to fraudulent activity is crucial.”

Briedis adds that internet users must be very careful when using public Wi-Fi because not all hotspots are secure.

“Always use a VPN on public networks and stay alert for unsolicited emails or calls claiming to be from travel companies, since phishing continues to rise.”


