Well, it finally happened — one of my loyalty program accounts was hacked, specifically my Southwest Rapid Rewards account. On December 3, I received an email from Southwest at 9:30 EST confirming my hotel reservation at the Hampton Inn & Suites Kalamazoo-Oshtemo for a check-in date of December 4 and a checkout date of December 5.
The email stated that 17,100 Southwest points were deducted from my account for booking this hotel. According to TPG’s December 2024 valuation, that’s about $240 in value. At first, I thought this might be a phishing email scam trying to convince me to click on links provided to steal information. Immediately, I logged into my Southwest account to see if the points were deducted.
Unfortunately, yes, this hacker used my hard-earned rewards points to book a hotel stay.
Here are the steps I took to get my points back and how you can try to stop hackers from stealing your points and miles.
Related: How to Protect Yourself Against a Rewards Program Data Breach
What I did when my Southwest Rapid Rewards account got hacked
After realizing that someone had accessed my Rapid Rewards account, I immediately changed my password to prevent the extra points from being used. Next, I called Southwest to inform the airline that my account had been hacked and that my points had been fraudulently used.
Because it was late at night, the Southwest representative informed me that this was an expedited rewards issue — they could only help with flights and not hotel reservations — so I would have to call the phone line for the loyalty program in the morning when it reopened. will need
However, the Southwest representative told me to call the hotel directly to let them know that the reservation was made because my account had been hacked. While it wouldn’t help get my points back into my account right away, it was worth leaving a paper trail of steps taken to show that it was fraud.
When I called the hotel directly, the front desk employee was extremely apologetic. Although she couldn’t cancel the reservation in the end, she left a detailed note for her manager to call me in the morning to try to resolve the issue.
Daily newsletter
Reward your inbox with the TPG Daily Newsletter
Join over 700,000 readers for the latest news, in-depth guides and exclusive deals from TPG’s experts
Related: How to recognize and prevent credit card fraud
Although nothing much could be done that night to get my Southwest points back, I spent the next few hours making sure my loyalty program passwords were updated. While some airlines and hotel programs have used two-step authentication, others, such as Southwest, have not yet followed suit.
To give myself peace of mind, I’ve decided to change all my passwords to try to reduce the risk of my other accounts being hacked using my information and my rewards stolen.
The next morning, I called Southwest Rapid Rewards and gave the woman a detailed description of what had happened, explaining that I had contacted Southwest immediately, reported the account hack to the airline, called the hotel, and changed my account password. The rep told me she would file a report and someone from Southwest would follow up with me via email regarding my issues. She noted several times that it was a good thing I discovered the hack right away, as some people don’t realize rewards are missing from their accounts for months.
After I spoke with the Southwest representative, the hotel manager called to tell me that he had received the booking note and would eventually cancel the reservation. Because this reservation was booked with points through a third party, it could not give me my awards back, but again, it showed Southwest that there was a paper trail left to help my case.
Southwest gave me my points back, but…
On December 4, I received an email from a Southwest Rapid Rewards representative telling me that the airline “takes the security of our members’ Rapid Rewards accounts seriously, and we protect our members from fraudulent activity by fortifying your data against breaches.” The email states that Southwest “requires members to enter a password before accessing any of their account information,” and that they encourage the use of “strong passwords.”
The email also cites Southwest’s terms and conditions, noting that the airline “is not responsible for unauthorized access to a member’s account and will not replace stolen points or awards.”
However, as a “good faith gesture and one-time exception,” Southwest decided to give me back 17,100 points.
In addition to being a Rapid Rewards member, I also have Southwest Rapid Rewards® Plus Credit Card. I am not sure if this fact was taken into account when my case was being reviewed.
While I’m grateful that Southwest returned my rewards points, I can’t help but acknowledge that we live in a digital age in which hackers and scammers work relentlessly to access people’s personal account information. Even large corporations have fallen victim to these hacks. For Southwest to rely on just one password and no extra step to authenticate the user seems a bit behind the times.
We reached out to Southwest with my experience, and a spokesperson sent us the following statement:
Southwest is committed to protecting our customers’ accounts with comprehensive cybersecurity controls. We will continue to enhance our core technology and have implemented a range of proactive and responsive security measures across our platform.
It’s worth noting that Southwest isn’t alone here, as many other airlines, including American and Frontier, don’t have two-factor authentication options to protect your loyalty account balance.
So, how am I trying to protect my accounts in the wake of this hack?
Related: Understanding 3D Credit Card Security and How It May Affect Your Trips to Other Countries
Steps to Protect Your Loyalty Accounts To protect your points and miles
While these extra steps don’t guarantee the protection of your personal information and loyalty accounts, they certainly won’t hurt.
Change and update your passwords
Whether you’ve been hacked or not, it’s a good idea to update your password regularly, especially if you haven’t done so in a while. Also, make sure to have different passwords for each of your accounts. If you have one password (or a very similar one) for each account, hackers can easily access all of them.
Set up two-step authentication (when possible)
Nowadays, many airline and hotel loyalty programs offer two-step authentication to help protect your account. The program will usually require an additional code, which will be sent via email, text, or an authentication app like Google Authenticator.
Receive email and/or text alerts
Although no one likes to be inundated with a bunch of emails and/or texts, it’s a good idea to make sure your communication preferences are updated. Most programs will also contact you when a booking is made, your points and miles are redeemed, or your contact information/profile is updated. This will help you spot fraud early — which can make it easier to solve.
Because Southwest notified me of my booking immediately — and because I’m someone who frequently checks my email on my phone — I was able to immediately contact the appropriate parties, change my account password, and resolve the issue. am
Related: My AAdvantage account was hacked: Here’s what happened and how you can protect yourself
The bottom line
A hacker recently redeemed over 17,000 of my Southwest Rapid Rewards points, though I was able to take quick steps to get them back. Unfortunately, I’m not the first — and not the last — points and miles enthusiast to fall victim to an account hack. TPG Managing Editor earlier this year Nearly 400,000 American Airlines AAdvantage miles were stolen from Clint Henderson’s account. Fortunately, he also got them back.
But as fraudsters continue to get smarter in their hacking methods, it’s best to be diligent and pay close attention to your personal accounts. Although Southwest refunded me my points, according to their terms, this was not guaranteed and replacement of stolen points is only allowed on a case-by-case basis. So, to ensure you don’t completely lose your hard-earned rewards, take extra steps to protect your accounts.