NordVPN x Saily study reveals a concerning number of leaked airline loyalty accounts

Methodology

The study on stolen loyalty accounts was conducted by NordVPN cybersecurity experts in collaboration with the team behind the Saily eSIM app. It should be noted that this is a short exploratory study, aimed at loyalty data exposure on the dark web.

To collect and analyze relevant data, researchers used NordStellar’s Dark Web Search tool with AI‑driven filtering techniques. The analysis focused on content posted over the past five years.

The data collection process was carried out in several stages:

1. 1.Dark Web search setup. NordStellar’s Dark Web Search feature was used with AI filtering to automatically identify and classify posts potentially related to travel and loyalty program data. The system also used built‑in tags, such as DATABASE, to highlight posts offering leaked data.
2. 2.Analysis of airline-related posts. Researchers searched for the keywords “travel” and “airline” to identify posts discussing loyalty accounts or data breaches involving airlines. Since the raw data contained significant amounts of spam, duplicate entries, and unrelated discussions, an AI‑based model was applied to filter out irrelevant content. In total, 1045 unique posts meaningfully discussing airlines were found. To assess popularity, the frequency of airline mentions was counted across different posts — multiple mentions of the same airline within a single post (for example, “American Airlines” appearing five times in one thread) were counted as one mention.
3. 3.Analysis of hotel-related posts. Using the keyword “hotel,” a similar process was repeated to identify discussions about hotel loyalty programs. After filtering and deduplication, 551 unique posts referencing hotels were found. 
4. 4.Leaked travel databases analysis. To identify posts where travel‑related databases were being sold, researchers looked for the keywords “price,” “$,” “USD,” “BTC,” and “XMR” combined with the built-in DATABASE tag. The initial search returned 17578 posts, many of which were spam or repeated across different forums. After filtering to include only travel‑related entries (e.g., trips, hotels, and other travel data), only 29 posts (approximately equal to 0.2%) remained. Due to the limited sample size, the researchers chose to include specific post examples in the analysis to better illustrate the data being exchanged.

It’s worth mentioning that the dark web data environment is fragmented and inconsistent. Therefore, results should be interpreted as informative takeaways rather than comprehensive statistics.

A first-class ticket for stolen airline loyalty accounts

According to the study data, American Airlines, Southwest, Emirates, United, Alaska, and Delta are among the most commonly discussed airlines on the dark web forums. That accounts for over 54% of all airline-related cybercrime discussions.

The most common discussions regarding these airlines involve the purchase of stolen loyalty program accounts, some with hundreds of thousands of miles accumulated in them. While most sellers do not list their prices (instead inviting buyers to contact them privately), those who share their offers sell stolen loyalty accounts for as little as $0.75 and up to $200. 

Stolen accounts allow cybercriminals to book free flights and other perks at the expense of legitimate customers. And although malicious actors sell these accounts with promises that include wording such as “safe flights” or “you pay after,” the transactions for these purchases may be conducted using stolen credit cards and travel accounts. Which means there's a high chance that buyers will get caught when using tickets or rooms gotten through stolen loyalty accounts.

Statistically, the most mentioned airlines on the dark web include:

• Southwest Airlines (12.2% of all mentions)
• Emirates (11.5%)
• United Airlines (11%)
• Alaska Airlines (10.4%)
• American Airlines (8.9%)
• Delta Airlines (7.3%)
• JetBlue Airlines (6.5%)
• Frontier (5.9%)
• British Airlines (5.5%)
• Spirit Airlines (4.3%)
• Lufthansa (3.3%)
• Air Canada (2.3%)
• China Airlines (2.3%)
• Vietnam Airlines (1.9%)

Luxury suite in the darkest corners of the web

Like airlines, hotel chain names have been spotted on the dark web, too. The study shows evidence that hotel databases traded on the dark web often include not only guest information but also loyalty account details, making them especially popular among cybercriminals. Hotel chains like Hilton, Marriott, and IHG are among the top-mentioned names, with 34%, 24%, and 21% of mentions, respectively. 

Choice Hotels, MGM Resorts, and Hyatt have also appeared in dark web posts with links to leaked databases. These collections of data sometimes contain millions of records: names, email addresses, stay histories, and even passport numbers in some cases. Further data analysis shows that leaked databases containing high-value sensitive information can sell for up to $3,000. 

Why and how does this happen?

With the Christmas travel peak approaching, cybersecurity experts warn that millions of people flying home for the holidays may be unaware that their loyalty accounts could already be compromised. The surge in seasonal travel makes loyalty points scams particularly appealing to hackers: Stolen miles and hotel points can be resold quickly, used to book last-minute trips, or converted into gift cards and other rewards.

Cybercriminals get loyalty account data using several methods, like phishing scams, data breaches, and credential stuffing attacks. Once criminals get access to an account, they can quickly convert the loyalty points into gift cards, move them to other accounts, or use them for booking flights or hotel stays that they later resell. Because these transactions blend in with normal activity, it can be hard to trace where the points went, making it easy for scammers to cash out without being noticed. 

The travel industry is a lucrative target for hackers due to the sensitive personal and financial data they handle. This study suggests that the travel industry may face increasing cyber threats (such as data breaches or credential stuffing) and that the stolen information has a thriving market on the dark web.

How to safeguard yourself

Safeguarding against malicious actors requires some vigilance and effort. In this particular case, using strong, unique passwords for every account and turning on multi-factor authentication is one of the simplest ways to stay protected. However, it’s not the only measure users can take.

Checking an airline or hotel platform account’s login history periodically can save travelers from unpleasant surprises. If any suspicious activity appears, they should immediately change their passwords. Where possible, enabling alerts for unusual point redemptions is also recommended, since responding quickly to fraudulent activity is crucial.

Finally, using a trusted eSIM service and a VPN can add an extra security layers when traveling. VPN services such as NordVPN protect users from unwanted snoopers while browsing in public places. Meanwhile, eSIM providers such as Saily eliminate the need to connect to public Wi-Fi, helping safeguard users’ data while browsing abroad.